Mark Roethof
Tera Patron

Articles, Blogs, Videos, Podcasts, Share projects - Experiences from the field

Hi there,

A new ServiceNow family release, packed with a ton of new and updated features. A true gem - and not yet documented - is the new "Time-Limited User Roles" functionality. In very short terms: the ability to provide a user temporarily with a role, bounded by a start and end time.

Time-Limited User Roles

End users requesting a Role for a short time period, or a developer needing a (read-only) admin role on a higher instance: very common use cases. But how do you keep track of these grants, and revoke the roles in time? Some companies have built a custom app for this, to request temporary elevated privileges.

Because that involves quite a bit of work, I also see a lot of customers simply providing admins with two user accounts: one for their normal fulfiller activities, and one for their admin activities. And of course, there are still companies where an admin has just one account with an admin role in production 😅.

Washington DC (Patch 0)

Using the new out-of-the-box Time-Limited User Roles functionality is pretty straightforward. First, navigate to "User Administration > Time-Limited User Roles".

When opening a new record, a few basic fields are present, all of which are self-explanatory: the User and the Role of course, and the Start time and End time.

After submitting the new Time-Limited User Role record, you are good to go! Nothing more is needed to start using the new out-of-the-box Time-Limited User Roles functionality.

When the User concerned logs in, the info message below is briefly visible, describing which time-limited role(s) have been granted. The info message ends with "Please reload current page", though that should happen automatically 😀.

In this example the User is temporarily granted the "itil" Role and has the same permissions etcetera as if the itil Role had been added through the conventional ways of adding the Role to the User (directly, or with a Group in between).

I haven't found any technical details yet on how the mechanism works under the hood: whether a Schedule is used that calls certain Script Includes or APIs, how this is tracked with regard to licensing, etcetera.

Idea

You can now just start using Time-Limited User Roles and add Users manually. An idea could also be to automate this. Just brainstorming out loud: for example, requesting Time-Limited User Roles through a Catalog Item, adding User Criteria to control which Users can open and submit the Catalog Item, adding a Reference qualifier to trim the Roles available to a User, asking the User for a reason/justification for the requested access, perhaps adding a manager approval in the Flow attached to the Catalog Item, etcetera.
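
As an added example (not code from this article or from ServiceNow), the kind of server-side check the Flow behind such a Catalog Item could run before it creates the Time-Limited User Role record: it enforces the GA limits ServiceNow staff describe in the comments below (only admin, impersonate and snc_readonly; a single user; at most five days) plus the justification suggested above. The field names, the sys_id format check and the minimum justification length are assumptions; the Glide-specific insert into the Time-Limited User Roles table is left to the caller, so the logic runs as plain JavaScript.

```javascript
// Added example, not the article's or ServiceNow's own code: validates a
// Catalog Item request for a Time-Limited User Role before the Flow creates
// the record. Enforces the Washington GA limits quoted in the comments
// (roles admin/impersonate/snc_readonly, single user, max five days) and the
// justification the article suggests asking for. Field names, the sys_id
// check and MIN_JUSTIFICATION are assumptions, not ServiceNow definitions.

const ALLOWED_ROLES = new Set(['admin', 'impersonate', 'snc_readonly']);
const MAX_WINDOW_MS = 5 * 24 * 60 * 60 * 1000;   // five days
const MIN_JUSTIFICATION = 20;                     // assumed policy minimum

// req: { user, role, start_time, end_time, justification }; now: Date.
// Returns { ok: true, record } with normalised values, or { ok: false, errors }.
function validateTimeLimitedRoleRequest(req, now) {
  const errors = [];

  // Single user only: one sys_id, no group reference.
  if (typeof req.user !== 'string' || !/^[0-9a-f]{32}$/.test(req.user)) {
    errors.push('user must be a single sys_id (32 hex characters)');
  }

  // Only the three roles eligible in the GA release.
  if (!ALLOWED_ROLES.has(req.role)) {
    errors.push('role is not eligible for time-limited grants: ' + req.role);
  }

  const start = new Date(req.start_time);
  const end = new Date(req.end_time);
  if (isNaN(start) || isNaN(end)) {
    errors.push('start_time and end_time must be valid timestamps');
  } else {
    if (start < now) errors.push('start_time must not be in the past');
    if (end <= start) errors.push('end_time must be after start_time');
    if (end - start > MAX_WINDOW_MS) errors.push('window exceeds the five-day maximum');
  }

  // The reason is what the approver and later audit reviewers rely on.
  const justification = (req.justification || '').trim();
  if (justification.length < MIN_JUSTIFICATION) {
    errors.push('justification must be at least ' + MIN_JUSTIFICATION + ' characters');
  }

  if (errors.length > 0) return { ok: false, errors: errors };
  return {
    ok: true,
    record: {
      user: req.user,
      role: req.role,
      start_time: start.toISOString(),
      end_time: end.toISOString(),
      justification: justification,
    },
  };
}
```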

 

---

That's it. Hope you like it. If any questions or remarks, let me know!

 


If this content helped you, I would appreciate it if you hit bookmark or mark it as helpful.

 

Interested in more Articles, Blogs, Videos, Podcasts, Share projects I shared/participated in?
- Articles, Blogs, Videos, Podcasts, Share projects - Experiences from the field

 

Kind regards,


Mark Roethof

Independent ServiceNow Consultant
9x ServiceNow MVP


Comments
Ben_Barker
Giga Guru

Wow! Long awaited! I would hope this would exist for groups as well!

Stanners
Tera Contributor

I'd also vouch for doing this for groups.  We are currently looking to create a custom solution that will give time-limited access to specific task records - i.e. specific HR Cases.

Community Alums
Not applicable

How will this affect the license count as you may end up having limited admin access for the same user once or twice a month. ServiceNow would count the access for 365 days if you bounce back and forth. Would need to know how this will factor in. 

Community Alums
Not applicable

We currently have a catalog item that requires a developer to request admin access in PROD, and we limit it to 4 hours. This goes through approval as we need to make sure any elevated access in PROD is tracked and audited. Once the request is approved, a script adds the requested user to an elevated group that gives them the admin access for the limited time. When the time expires we remove the group from the user.

James-B
Kilo Sage

I have created something very similar to this for my employer that works across all of our instances. All records must be created and managed in our production instance (it is restricted in sub-prod) and are passed down into sub-prod via BR/Table API. However, it does not use roles specifically; instead we create empty "Delegation Groups" and assign the roles to those groups. For instance, we have "ServiceNow Delegated Impersonator".

All records go into the table in production and are filtered down via REST; any updates (which would only be from the flow, i.e. state changes) come back via REST. When a record is created in the target instance, the group membership is handled via a flow. This gives us visibility of what access we have provided to users in all of our instances in one location, and the ability to cancel if required.

We also provide the ability to create multiple records via a record producer; for security reasons we only allow multiple users though, not multiple groups or instances, but this could be done if so desired.

When selecting a group we show what roles will be granted by providing membership to said group.

It will be interesting to have a play with "Time-Limited User Roles" once we get our hands on Washington and see how the two compare.

Joatan Fontoura
Tera Guru

Great! I didn't hear about this new feature before! Thanks for sharing!

snbrown
ServiceNow Employee

In the GA version of Washington, this feature is limited to:

  • The following three roles: admin, impersonate, snc_readonly.
  • Single users only. No groups are possible.
  • Five day limited access to the roles assigned.

See Product Documentation for the most up-to-date features: Grant a time-limited user role.

Mark Roethof
Tera Patron

@snbrown the first bullet is a limitation indeed.

 

The second and third bullet though, why in your opinion are these limitations?

Joatan Fontoura
Tera Guru

Hi @snbrown !

Thanks for sharing!

But I've tested with sn_incident_read role and it seems working.

🤔

snbrown
ServiceNow Employee

@Joatan Fontoura 

What version are you running?

Joatan Fontoura
Tera Guru

@snbrown 
Build name: Washingtondc
Build date: 03-09-2024_0815
Build tag: glide-washingtondc-12-20-2023__patch1-02-28-2024

snbrown
ServiceNow Employee

Effective in:

Washington patch 1 hot fix 2

Washington patch 2

Washington patch 3

BENOW
Tera Explorer

@snbrown disappointed to see it's now limited to 3 roles; the use cases for this handy feature just shrank about 98.99%

Ben_Barker
Giga Guru

Since we had a strong interest in a similar capability, but for time-limited group granting, one of our technical leads carried out an analysis of the Time-Limited User Role capability, to see if it could inspire us for a custom solution.

He exposed us to the fact that roles are not actually granted via sys_user_has_role; they are just added to the session at login. This is probably why it can only allow 3 at a time?

For our part, we are considering a custom application which will allow users to be automatically added and removed from groups via sys_user_grmember (with Flows), based on information contained in a table similar to Time-Limited User Role but referenced to groups.
I hope maybe that could inspire ServiceNow to deliver such an app. Does that make sense for anyone?

BENOW
Tera Explorer

@Ben_Barker yes it certainly does, keep me posted please, interested to hear how you progress.

It would be good if @Servicenow could confirm why the feature is limited to the 3 roles.

Community Alums
Not applicable

@Ben_Barker it does. Our company actually created a Catalog Item where the user can request admin access and this is limited to a 4 hour time limit. We then add the user to a designed group that has the admin roles needed. When the time is up, it removes them from the group. This way we have control over the admin access through approvals and review for audit. 

Kopal Garg
Tera Expert

Thanks for sharing Mark. It's a great add-on and hopefully it will tie back to the off-boarding journey OOB

anubhavkapoor76
ServiceNow Employee
ServiceNow Employee

@Mark Roethof - Great article! The artifacts responsible for making this happen are one of the Script Includes (TimeLimitedRoleConfigHelper), a business rule (time-limited roles duration limit) and a couple of system properties (not accessible within the instance).

Cheers!

Anu

Mark Roethof
Tera Patron

@anubhavkapoor76 Yes, a lot I described in this article:
- 2024-07-22 - Article - Request Time-Limited User Roles for other Roles than admin/impersonator/snc_read_only

Version history
Last update: 07-26-2024 07:47 AM