Managing ServiceNow admin access from a Privileged Access Management application?
2 hours ago
Hi,
I have been asked to review how we grant, manage and monitor privileged access in ServiceNow. At this stage we define privileged access as users with the admin and security_admin roles. This may change to include some of the sub-admin roles.
I am OK (ish) with how we grant and remove the admin roles. There is automation to remove these roles and a regular review of users with the roles.
One of the concerns I have always had is that there is no "read only" admin role. Given that the majority of their support activity needs the admin role, their login to Prod is always with an account that has admin access. This obviously introduces risk.
Looking for guidance / recommendations on how other organisations handle admin access in Production, and whether anyone has a working solution for managing login and access via a PAM application (e.g. CyberArk).
Some thoughts:
- Create a new role and ACLs to provide read access to the tables, records and fields an admin user regularly accesses. Grant our existing admins this role and remove the admin and security_admin roles from them.
- Use the time-limited user access roles for getting admin and above roles in Prod, with some form of approval required.
- Make the admin role an elevated role. Users would start with normal access (including the read-only access to commonly referenced admin functions) and elevate to admin when they need to perform an admin-only function.
- Look at options to make elevation to the admin role require approval (outside of time-limited user roles; not sure if we can catch this and generate authentication).
- Platform admins to have two sets of creds: one for normal usage and another set with admin rights. The ones with admin rights would be used via an external (to ServiceNow) PAM solution.
- Use authentication profiles to limit logins by admin users to specific IP addresses (not so easy anymore, and would still need a break-glass option).
- Monitor usage of the break-glass account and alert immediately when it is used.
Appreciate any and all insights on managing the risk related to the admin role.
Steve
27m ago - last edited 26m ago
I'll just say that ServiceNow recommends not making admin an elevated role, as it can break things. I couldn't find the source, but you should use this instead: Force administrators to manually elevate • Zurich Platform security • Docs | ServiceNow. And you can give a user the snc_read_only role to make their access read-only.
If you are worried about stolen credentials, then auth profiles or a PAM solution are probably preferred, but time-limited or not, a rogue admin is still a rogue admin. It kind of depends on what you are looking to achieve: will you actually monitor the admin usage, or will it just be busy-work at the start of the day for admins to request access, etc.?
Set up governance, get rid of people who don't care about rules, and isolate consultants with delegated development. Unfortunately the admin role is what it is; it should only be given to trustworthy people.