local admin account

Abhishek S1 · ‎08-28-2023

One of my customer cyber security says, all the user profile with admin role user record password should be cyberark vaulted password. What this means is, any existing user profile with admin role should be either disabled or migrated to cyberark.
Question, can we get ride of admin (system administrator) account? What are the list of operations does it so that we cannot get rid of it?

Is there actually a need of local user account with admin role? If yes, what are the use cases?

SwarnadeepNandy · ‎08-28-2023

Hello @Abhishek S1,

It is not possible to get rid of the admin (system administrator) account in ServiceNow. The admin role provides access to all features and capabilities in the platform, such as configuring applications, modules, forms, workflows, scripts, roles, groups, users, and so on. The admin role is also required for installing and updating plugins, activating and deactivating fea.... Without the admin role, you would not be able to perform these essential tasks.

However, you can limit the number of users who have the admin role and assign them more granular roles based on their specific needs. For example, you can create custom roles that grant access to certain applications or modules, or delegate roles to users who are in a particular group. You can also use CyberArk to store and manage the passwords of the admin users and ensure that they are rotated frequently and securely.

The need of local user account with admin role depends on your business requirements and security policies. Some possible use cases are:

You need a local user account with admin role to set up the initial configuration of ServiceNow and integrate it with CyberArk or other external systems.
You need a local user account with admin role to perform administrative tasks that are not covered by other roles or delegated roles.
You need a local user account with admin role to troubleshoot issues or perform emergency actions that require full access to the platform.

Hope this helps.

Kind Regards,

Swarnadeep Nandy

Abhishek S1 · ‎08-28-2023

Thanks for taking time on this, Swarnadeep.

Initial configuration of ServiceNow, i agree.
Troubleshooting issues or perform emergency actions- Perhaps, logging in when cyberark is down using side_door or login.do. Apart from this, do we know, what exactly those are and the tasks that cannot be performed with a cyberark password vaulted admin id ?
Also, what is the impact when admin role is removed from system administrator- Noticed that system scheduler uses system admin as run-as and that can be modified. Are there any other?

AshishKM · ‎11-18-2024

Don't take risk of removing admin role from default system admin account, there are many processes uses this default account across the platform which we dont know.

Please mark this response as correct and helpful if it helps you can mark more that one reply as accepted solution

lukesmitty · ‎11-18-2024

Hi Team. Do you know if its possible to rotate the Sys Admin account passwords via CyberArk and not any other user records? We have SSO setup for all our users so we don't store any passwords nor would we want to. We do have passwords for our local admin accounts which use the side door url option. Our Security team is asking if we could rotate the local Admin account passwords daily via CyberArk. Do you know if this is possible?

Thanks,

Luke