Mark Roethof
Tera Patron

What is shared in this article, might not be best practice. Just sharing this to explore possibilities, find openings in ServiceNow, and have a mindset that your imagination is your limitation.

 

Hi there,


When starting with Time-Limited User Roles you will quickly notice that there is a limitation on which roles you can request. Out-of-the-box, the roles available to request are limited to "admin", "impersonator", and "snc_read_only". Last Friday during Live Coding Happy Hour, at the end of the show, we did manage to "break" this, though we didn't have enough time to explain it. So let's have a closer look!


Quick note:

01.png


Time-Limited User Roles

With the Washington DC family release, ServiceNow introduced Time-Limited User Roles, out-of-the-box and free for every customer. What it basically does: allow a role to be assigned to a user temporarily. For example, if you have a user who needs to perform a one-time action that is normally outside their roles, or because of strict role segregation between subproduction and production. This is functionality you commonly see at customers, and which they've built custom solutions for.


Five months back I explained the basic workings of Time-Limited User Roles in this article:
https://www.servicenow.com/community/now-platform-articles/washington-s-time-limited-user-roles/ta-p... 


ServiceNow has a one-pager available on Time-Limited User Roles on the Docs:
https://docs.servicenow.com/bundle/washingtondc-platform-administration/page/administer/roles/concep... 


Roles restriction

Out-of-the-box the available roles to request are limited to "admin", "impersonator", and "snc_read_only".

 

02.png


What we noticed during the Live Coding Happy Hour show is that this is due to the advanced reference qualifier that has been applied to the "Role" field.

 

03.png


Apparently the function "getRolesRefQual" within Script Include "TimeLimitedRoleConfigHelper" is used to get the encoded query for the reference qualifier. On line 7 within the "Script" field of the Script Include, the value of System Property "glide.security.timelimited.roles.allowed_roles" is used, or, when that property is not present, "admin,impersonator,snc_read_only" is used.

 

04.png

 

Adding other roles

Looking at the Script mentioned, it looks like a developer could edit the Script Include and change line 7 in the Script field. For example, edit the Script to include a role like "sn_hr_core.admin":

 

var names = 'admin,sn_hr_core.admin,impersonator,snc_read_only';

 

While testing, a change in the Script like the one above does not actually work. The original roles are still being checked. Where this is done... I can't tell; I haven't found any Business Rule, Script Include, etc. that would explain it.

 

05.png


Opening the System Property mentioned in the Script of the Script Include, we also notice the three roles that are supported out-of-the-box for requesting through Time-Limited User Roles. Unfortunately the System Property has the value "maint" in the "Write roles" field, which makes the System Property not editable.

 

06.png


No worries! As we showed on the Live Coding Happy Hour, maint doesn't always stop developers 😀. When you have access to the same scope the artifact is in, in most cases you can perform insert and delete operations (even if Access Controls don't allow this by default). In this case it's just a matter of exporting the System Property to XML, editing the XML, deleting the System Property, and importing the XML.

 

07.png 


Having done this, it is now possible to request other roles than the original three out-of-the-box ones, for example sn_hr_core.admin.

 

08.png

 

09.png

 

Granting yourself permanent admin

One of the questions from the audience during the Live Coding Happy Hour episode was: if you're granted a temporary admin role, does this mean you can give yourself permanent admin (or other roles)? While testing this after the episode: even when the Time-Limited User Role record has expired, any roles added to your profile in the meantime (which are stored in the "sys_user_has_role" table) remain. These are not reverted! So in theory, you could grant yourself a permanent admin role if you temporarily have an admin role through Time-Limited User Roles.
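As an added example (not the article's or ServiceNow's own code), here are the two checks a platform owner would want after reading the section on the reference qualifier and the section above: whether "glide.security.timelimited.roles.allowed_roles" has been extended beyond the out-of-the-box default, and which sys_user_has_role rows a grantee inserted while holding a now-expired time-limited grant, since those survive expiry. The grant object shape, user names and timestamps are constructed; sys_created_by and sys_created_on are the platform's standard audit fields.

```javascript
// Added example, not ServiceNow's or the article's code. Two checks for a
// platform owner: (1) has glide.security.timelimited.roles.allowed_roles been
// extended beyond the out-of-the-box default, and (2) which sys_user_has_role
// rows were created by a user while they held a now-expired time-limited grant.
// Sample records are constructed; the grant object shape is an assumption.

var DEFAULT_ALLOWED_ROLES = ['admin', 'impersonator', 'snc_read_only'];

// Mirrors the fallback described for getRolesRefQual: empty property -> default list.
// Returns the role names that are NOT in the default list.
function rolesBeyondDefault(propertyValue) {
  var names = (propertyValue || DEFAULT_ALLOWED_ROLES.join(','))
    .split(',').map(function (s) { return s.trim(); }).filter(Boolean);
  return names.filter(function (n) { return DEFAULT_ALLOWED_ROLES.indexOf(n) === -1; });
}

// Constructed: one time-limited admin grant for "jdoe" that has expired.
var timeLimitedGrants = [
  { user: 'jdoe', role: 'admin', start: '2024-07-01T09:00:00Z', end: '2024-07-01T11:00:00Z' }
];

// Constructed sys_user_has_role rows as they look after the grant expired.
// sys_created_by / sys_created_on are the platform's standard audit fields.
var userHasRole = [
  { user: 'jdoe',   role: 'admin', sys_created_by: 'jdoe',  sys_created_on: '2024-07-01T10:15:00Z' }, // self-granted inside the window
  { user: 'asmith', role: 'itil',  sys_created_by: 'jdoe',  sys_created_on: '2024-07-01T10:30:00Z' }, // granted to someone else inside the window
  { user: 'jdoe',   role: 'itil',  sys_created_by: 'admin', sys_created_on: '2024-06-20T08:00:00Z' }  // legitimate, outside the window
];

// Rows inserted by the grantee between start and end of an expired grant.
// These are exactly the memberships that expiry does not revert.
function rolesCreatedDuringExpiredGrants(grants, hasRole, nowMs) {
  var findings = [];
  grants.forEach(function (g) {
    var start = Date.parse(g.start), end = Date.parse(g.end);
    if (end > nowMs) return; // grant still active; nothing to report yet
    hasRole.forEach(function (r) {
      var created = Date.parse(r.sys_created_on);
      if (r.sys_created_by === g.user && created >= start && created <= end) {
        findings.push({ grantedBy: g.user, toUser: r.user, role: r.role, createdOn: r.sys_created_on });
      }
    });
  });
  return findings;
}
```

In a real instance the two arrays would be filled from GlideRecord queries, and every finding is a membership to review or remove by hand, since the expiry job will not do it.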


Adding role maint

Another question from the audience during the Live Coding Happy Hour episode was whether we could request the maint role this way. We didn't have time to try this during the episode, so I did for this article.


With a bit of a workaround, it seems like it is possible to request the maint role! And when requesting the maint role for my own user and refreshing the session, an info message is shown that the maint role has been granted!

 

10.png

 

11.png


Verifying if this actually works... no, it doesn't 👍.


Result

There you have it: requesting other roles for Time-Limited User Roles than just the out-of-the-box restriction to only admin, impersonator, and snc_read_only. I do hope ServiceNow opens this up a tiny bit in the future so we don't have to break it like this 😀. Who knows, perhaps Xanadu, Yokohama, Zurich?

---

 

That's it. Hope you like it. If any questions or remarks, let me know!

 

If this content helped you, I would appreciate it if you hit bookmark or mark it as helpful.

 

Interested in more Articles, Blogs, Videos, Podcasts, Share projects I shared/participated in?
- Articles, Blogs, Videos, Podcasts, Share projects - Experiences from the field

 

Kind regards,


Mark Roethof

Independent ServiceNow Consultant
9x ServiceNow MVP

---

Comments
Nikhil Bajaj9
Giga Sage

Thanks for sharing your knowledge.

pratikbhatt
ServiceNow Employee

It is not recommended to update this property as it may cause compliance issue. 

pbusch
Tera Expert

Awesome article Mark, I'd been poking around on this and you hit the nail on the head! Beautiful.

Chris D
Kilo Sage

Good job Mark, you found a "bug" XD
OOTB system property "glide.security.timelimited.roles.allowed_roles" does not exist in upgraded ins...

This doesn't make sense though... I get that SOME roles can cause licensing issues but is that reason to limit the roles so drastically? And what does "compliance issue" even mean?? Surely it's not about internal security compliance since the admin role can be granted... and you've proven that the maint role couldn't be given this way either so how is it a SNOW compliance issue?

 

Anyway, it's funny that in another article they actually direct you to upvote specific ideas on the subject lol (so go ahead and give em an upvote!):

There are enhancements in place that Servicenow team is working on to add additional features in upcoming releases.

For additional roles: https://support.servicenow.com/ideas?id=view_idea&sysparm_idea_id=d7d60f0f9373ca90f538fb2d6cba1030&s...

For extending duration up to 30 days: https://support.servicenow.com/ideas?id=view_idea&sysparm_idea_id=a5466cbf93209e54def533527cba1098&s...

From: Time limited user roles (Starting Washington Release ) - Support and Troubleshooting

Version history
Last update: 07-26-2024 01:08 AM