Separate "sn_si.admin" role from "admin"(platform admin) role
10-30-2022 07:11 PM
We want to separate the "sn_si.admin" role from the "admin" (platform admin) role.
At the same time, platform admin users don't want to lose control over support of the "Security Incident" application. Please let me know what the options are to do it.
Thanks!

10-30-2022 07:39 PM
Hello,
The sn_si.admin role is related to Security Incident Response, and this has limitations that only the sn_si.admin role can manage; even the Admin role cannot override them. Go through the links below:
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0778139
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0744414
Regards,
Musab

10-30-2022 09:22 PM
Hi @santhoshvallabh ,
Unfortunately, you cannot remove/delete/separate "sn_si.admin" role from "admin"(platform admin) role.
The actions won't allow you to delete the role.
10-31-2022 01:12 AM - edited 10-31-2022 01:13 AM
Hello @santhoshvallabh,
Typically, after the plugin activation, the admin role will automatically inherit the sn_si.admin role, which allows any user with the admin role to fully access all of the SIR application.
Now, for Security Incident Response it is a common requirement to remove the role, to allow a separation of duties.
There is a checkbox on the scope record (sys_scope) that will enable the scoped administration, which basically removes the sn_si roles from the system admins, restricting their access along with it.
After that, for certain tasks, the Platform Admins need to work closely together with the SIR admins.
But to fully answer your question: I am not sure what you are referring to when saying he should still be able to support the SIR application. What kind of access is specifically needed? Maybe it makes sense to assign the platform admin certain subroles, instead of the sn_si.admin.

11-04-2022 03:49 PM
Hey there,
Once you have assigned the `sn_si.admin` role to at least one other individual that is not a Platform Admin (role = admin) - you can perform what is referred to as a "Lockdown" of SIR - meaning you can decouple the `sn_si.admin` role from the Platform `admin` role.
There is no meet in the middle though to answer your question - once it is decoupled the Platform Admins will lose access to components / records in the SIR Scope.
Reference: