Separate "sn_si.admin" role from "admin" (platform admin) role

santhoshvallabh
Kilo Contributor

We want to separate the "sn_si.admin" role from the "admin" (platform admin) role.

At the same time, platform admin users don't want to lose control over support of the "Security Incident" application. Please let me know what the options are to do it.

 

Thanks!

5 REPLIES

Musab Rasheed
Tera Sage

Hello,

The sn_si.admin role is related to Security Incident Response, and this has limitations that only the sn_si.admin role can manage; even the Admin role cannot override them. Go through the links below:

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0778139

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0744414

https://docs.servicenow.com/pt-BR/bundle/sandiego-security-management/page/product/security-incident...

Please hit like and mark my response as correct if that helps
Regards,
Musab

Community Alums
Not applicable

Hi @santhoshvallabh ,

Unfortunately, you cannot remove/delete/separate the "sn_si.admin" role from the "admin" (platform admin) role.

[Screenshot: SandeepDutta_0-1667190086769.png]

The actions won't allow you to delete the role.

 

Nikan Keyhani
Mega Guru

Hello @santhoshvallabh

 

Typically, after the plugin activation, the admin role will automatically inherit the sn_si.admin role, which allows any user with the admin role to fully access all of the SIR application.

 

Now, for Security Incident Response it is a common requirement to remove the role to allow a separation of duties.

 

There is a checkbox on the scope record (sys_scope) that will enable scoped administration, which basically removes the sn_si roles from the system admins, restricting their access along with it.

After that, for certain tasks, the Platform Admins need to work closely together with the SIR admins.

[Screenshot: Bildschirmfoto 2022-10-31 um 09.07.53.png]

 

But to fully answer your question, I am not sure what you are referring to when you say he should still be able to support the SIR application. What kind of access is specifically needed? Maybe it makes sense to assign the platform admin certain subroles instead of sn_si.admin.

 

andy_ojha
ServiceNow Employee

Hey there,


Once you have assigned the `sn_si.admin` role to at least one other individual that is not a Platform Admin (role = admin) - you can perform what is referred to as a "Lockdown" of SIR - meaning you can decouple the `sn_si.admin` role from the Platform `admin` role.


There is no meet in the middle though, to answer your question - once it is decoupled, the Platform Admins will lose access to components / records in the SIR Scope.

 

Reference:

 

[Screenshot: __andyb2poYQ___0-1667602138333.png]