GRC Admin role granting Unintended Script Editor Access to UI Actions
4 hours ago
Hi everyone,
I'm working on a ServiceNow GRC implementation and discovered a potential permission scoping issue that I wanted to flag with you all.
Issue:
Users assigned the sn_grc.admin role appear to have access to script editor functionality for UI Actions, which may be unintended.
Steps to Reproduce:
- Assume a user with the sn_grc.admin role (via impersonation)
- Navigate to Entities
- Right-click on an entity record
- Select Configure → All → UI Actions
- User can view, edit, and presumably modify all UI Action scripts
Context:
- This access is available within the GRC platform
- The sn_grc.admin role is intended for GRC module administration (workspace config, case management, settings, etc.), not script development
- Users without development/scripting roles should not typically have access to modify UI Action scripts
Questions:
- Is this expected behavior for the sn_grc.admin role?
- Is there a specific ACL or permission that should be scoped to prevent this?
Has anyone encountered this in their implementation, or have insights into whether this is a security concern? Any guidance would be appreciated.
Thanks!
4 hours ago
Hi @ujjwalababa,
Can you check which roles are contained within the sn_grc.admin role? It's possible that one of the inherited roles is granting access to UI Actions and script editing.
If your goal is to prevent users from editing scripts, identify the inherited role that provides this capability and remove it from the role hierarchy (provided it doesn't impact other required functionality). That should restrict access without affecting the rest of the GRC administration features.
If you found this response useful, please mark it as Helpful and accept it as the Solution to help others with similar questions.
Best regards,
Mariam Ahmed.
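The reply above suggests walking the role hierarchy to find which inherited role is handing out UI Action edit rights, and then judging whether that role can be removed without breaking other GRC admin features. As an added example (not code from either post, and not ServiceNow's own code), the script below models that walk in plain Node: it holds constructed sys_user_role_contains rows and a constructed set of ACLs (sys_security_acl plus its sys_security_acl_role links) in memory, expands sn_grc.admin to its effective role set, reports the containment chain to the role that satisfies the sys_ui_action write ACLs, and simulates removing one containment row to show which other roles would be lost. Every role name below other than sn_grc.admin, sn_grc.manager, sn_grc.user and admin is hypothetical, the rows do not describe any real instance, and ACL evaluation is simplified to role checks only (conditions, ACL scripts and scope rules are ignored).

```javascript
// Added example, not code from the thread or from ServiceNow. The rows are
// constructed for illustration and do NOT describe what sn_grc.admin really
// contains on any instance; roles marked "hypothetical" are invented names.

// Constructed sample of sys_user_role_contains rows (role -> contains).
const ROLE_CONTAINS = [
  { role: 'sn_grc.admin',           contains: 'sn_grc.manager' },
  { role: 'sn_grc.admin',           contains: 'sn_grc.workspace_admin' }, // hypothetical
  { role: 'sn_grc.workspace_admin', contains: 'sn_grc.ui_config' },       // hypothetical
  { role: 'sn_grc.ui_config',       contains: 'ui_action_admin' },        // hypothetical
  { role: 'sn_grc.manager',         contains: 'sn_grc.user' },
];

// Constructed sample of sys_security_acl rows joined to sys_security_acl_role.
// ServiceNow grants an ACL when the user holds ANY one of its roles; an ACL
// with no roles is open to everyone. Conditions and ACL scripts are ignored.
const ACLS = [
  { name: 'sys_ui_action',        operation: 'read',  roles: [] },
  { name: 'sys_ui_action',        operation: 'write', roles: ['admin', 'ui_action_admin'] },
  { name: 'sys_ui_action.script', operation: 'write', roles: ['admin', 'ui_action_admin'] },
];

// Index parent role -> [child roles] for one row set.
function childIndex(rows) {
  const idx = new Map();
  for (const { role, contains } of rows) {
    if (!idx.has(role)) idx.set(role, []);
    idx.get(role).push(contains);
  }
  return idx;
}

// Every role a user effectively holds through roleName: the role itself plus
// the transitive closure of "contains". The visited set makes it cycle-safe.
function effectiveRoles(roleName, rows = ROLE_CONTAINS) {
  const idx = childIndex(rows);
  const seen = new Set([roleName]);
  const stack = [roleName];
  while (stack.length) {
    for (const child of idx.get(stack.pop()) || []) {
      if (!seen.has(child)) { seen.add(child); stack.push(child); }
    }
  }
  return seen;
}

// Shortest containment chain from topRole down to targetRole, or null if the
// target is not inherited. This answers "which inherited role grants it".
function containmentPath(topRole, targetRole, rows = ROLE_CONTAINS) {
  const idx = childIndex(rows);
  const parent = new Map([[topRole, null]]);
  const queue = [topRole];
  while (queue.length) {
    const cur = queue.shift();
    if (cur === targetRole) {
      const path = [];
      for (let r = cur; r !== null; r = parent.get(r)) path.unshift(r);
      return path;
    }
    for (const child of idx.get(cur) || []) {
      if (!parent.has(child)) { parent.set(child, cur); queue.push(child); }
    }
  }
  return null;
}

// ACLs that roleName satisfies, with the inherited role that satisfies each
// (via === null means the ACL requires no role at all).
function grantedAcls(roleName, acls = ACLS, rows = ROLE_CONTAINS) {
  const held = effectiveRoles(roleName, rows);
  return acls
    .filter(a => a.roles.length === 0 || a.roles.some(r => held.has(r)))
    .map(a => ({
      acl: `${a.name}/${a.operation}`,
      via: a.roles.find(r => held.has(r)) || null,
    }));
}

// Simulate deleting one containment row and report every role topRole would
// stop inheriting, so collateral impact is visible before the real change.
function simulateRemoval(topRole, parentRole, childRole, rows = ROLE_CONTAINS) {
  const after = rows.filter(r => !(r.role === parentRole && r.contains === childRole));
  const before = effectiveRoles(topRole, rows);
  const remaining = effectiveRoles(topRole, after);
  return { rows: after, lostRoles: [...before].filter(r => !remaining.has(r)) };
}

// Stand-alone run against the constructed data.
console.log('chain:', containmentPath('sn_grc.admin', 'ui_action_admin'));
console.log('granted:', grantedAcls('sn_grc.admin'));
const sim = simulateRemoval('sn_grc.admin', 'sn_grc.ui_config', 'ui_action_admin');
console.log('lost by removing the leaf link:', sim.lostRoles);
console.log('granted afterwards:', grantedAcls('sn_grc.admin', ACLS, sim.rows));
```

On a real instance the same walk is done against the actual tables: open the sn_grc.admin record in sys_user_role and follow its Contains Roles related list, or query sys_user_role_contains with GlideRecord from a background script, then confirm with System Security > Debug Security Rules which ACL on sys_ui_action (and on its script field) actually passes for the impersonated user and which role it is passing on. Removing the leaf containment (the last hop in the chain) is the narrowest fix; the simulated removal of a higher hop shows why cutting further up the hierarchy drops unrelated roles along with the one you wanted gone.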