Preventing Platform Admins from accessing Major Security Incidents

Charlotte Pakes
Tera Guru

I'm aware that in SIR we can isolate the admin role, which seems to work well.


How are others managing the fact that users with the admin role implicitly have access to Major Security Incidents, as there seems to be no ability to isolate the admin role like there is with SIR?


Tanushree Maiti
Tera Patron

Hi @Charlotte Pakes


Refer: Other additional Security Incident Response setup tasks 


Lock down security administration

To protect investigations and keep security incidents private, you can restrict Security Incident Response access to security-specific roles and ACLs. Non-security administrators can be restricted from access, unless you expressly allow them entry.

Before you begin

When the Security Incident Response application is activated, the System Administrator user is granted the sn_si.admin role by default. The System Administrator is the only administrator who can set up security groups and users.

A security role is required to have access to Security Incident Response features and records.

Role required: sn_si.admin

Procedure

  1. After the Security Incident Response plugin has been activated, a user with the admin role assigns the Scoped Admin (sn_si.admin) role to at least one user.
  2. The user with the admin role changes to the Security Incident scope.
  3. Navigate to All > sys_store_app.list.
  4. Type sn_si in the Scope field.

  5. Click Security Incident Response.
  6. Scroll down to the Related Links and click Remove from the role contained by admin.
  7. Log out and log back in.
    The admin user cannot access the Security Incident Response application.
Please accept the solution if it assisted you with your question and mark this response as helpful.
Regards,
Tanushree Maiti
ServiceNow Technical Architect
LinkedIn: https://www.linkedin.com/in/tanushreemaiti