Providing a role while excluding certain sub-roles

c_correa133
Tera Contributor

Looking for best practice or an approach to manage providing users a role that may contain included sub-roles I do not want to provide. My current use case is providing a user the sn_si.admin while not providing the sub-role user_admin. I would like to grant the user the role to meet their use case of managing Security Incident Response, however I do not want the user to make changes to the sys_user table such as creating/deleting users as the role contains user_admin. From what I have read, ServiceNow does not recommend modifying out of box roles and providing the user all the sub-roles not including user_admin has not worked out either. Has anyone tried something similar?

1 ACCEPTED SOLUTION

Kieran Anson
Kilo Patron

Hi, 

Because the security incident response is a protected scope, its admin role needs to have user_admin in order to manage people's access. Without it, you'd break the scope and potentially lock yourself out of it.

If no other roles provide the functionality you desire, you'll need to implement a custom role and do the necessary development work to provide that role with the relevant access.


3 REPLIES

Thanks Kieran, this makes sense and is unfortunately the route I thought I would need to go. I appreciate the response! 

Happy to help 😄 

If you can mark my answer as helpful and correct I'd greatly appreciate it 🙏
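
The custom-role route from the accepted answer only helps if the new role never pulls in user_admin through a chain of contained roles. The following is an added example, not code from the thread or from ServiceNow: it walks role containment transitively and reports the path by which a forbidden role is inherited. It assumes the rows were exported from the sys_user_role_contains table as role/contains pairs; only the sn_si.admin to user_admin link comes from the thread, and every x_sir_* role name is hypothetical.

```javascript
// Constructed sample rows shaped like sys_user_role_contains exports.
// Only "sn_si.admin contains user_admin" is from the thread; x_sir_* roles are hypothetical.
const containsRows = [
  { role: "sn_si.admin", contains: "user_admin" },
  { role: "sn_si.admin", contains: "x_sir_analyst" },
  { role: "x_sir_analyst", contains: "x_sir_read" },
  { role: "x_sir_read", contains: "x_sir_analyst" },      // cycle, must not loop forever
  { role: "x_sir_manager", contains: "x_sir_analyst" },   // custom role, clean
  { role: "x_sir_manager_v2", contains: "x_sir_helper" }, // custom role, looks clean
  { role: "x_sir_helper", contains: "sn_si.admin" },      // but inherits indirectly
];

// Index the rows as parent role -> list of directly contained roles.
function buildGraph(rows) {
  const graph = new Map();
  for (const { role, contains } of rows) {
    if (!graph.has(role)) graph.set(role, []);
    graph.get(role).push(contains);
  }
  return graph;
}

// Breadth-first walk from root. Returns Map(reachable role -> shortest chain from root).
function effectiveRoles(root, rows) {
  const graph = buildGraph(rows);
  const paths = new Map([[root, [root]]]);
  const queue = [root];
  while (queue.length > 0) {
    const current = queue.shift();
    for (const child of graph.get(current) || []) {
      if (paths.has(child)) continue; // already visited, which also breaks cycles
      paths.set(child, [...paths.get(current), child]);
      queue.push(child);
    }
  }
  return paths;
}

// Report every forbidden role the root role grants, with the chain that grants it.
function auditRole(root, forbidden, rows) {
  const paths = effectiveRoles(root, rows);
  return forbidden
    .filter((name) => paths.has(name))
    .map((name) => ({ role: name, path: paths.get(name).join(" -> ") }));
}

for (const candidate of ["x_sir_manager", "x_sir_manager_v2"]) {
  console.log(candidate, auditRole(candidate, ["user_admin"], containsRows));
}
```

Running the same check after every change to a custom role's contained roles catches a later edit that reintroduces user_admin indirectly.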