Anything special for snc_internal role compared to other roles like cmdb_read?

Lisa71
Tera Contributor


Per our testing, even though the snc_internal role has been granted delete/write permission in the ACL, a user with the snc_internal role still can't delete/write the record. For example, the task_sla table grants the snc_internal role a delete ACL, but a user with the snc_internal and itil roles can't delete it. If I add the itil role to the delete ACL, then the delete works for the user with the itil role. So it seems the snc_internal role doesn't really take effect. Why?

2 REPLIES

Akash4
Kilo Sage

Hi Lisa,

The snc_internal role is not designed to be assigned to regular users and doesn't have direct permissions in the same way as other roles by default. The restrictions are behind the scenes, based on licensing of users. This role is not tied to user-level access.

Furthermore, ACLs are not easy to predict for any outsider; ACLs behave holistically, verifying from most specific to most generic. Since ITIL is a licensed user for CRUD operations, Delete might work for a user containing this role.

Regards, Akash

Ebuka Akahara
Tera Contributor

Hello Lisa71, 

The behavior you're seeing with the snc_internal role not working as expected in ACLs is likely due to how ServiceNow handles role hierarchies and role-specific permissions.

The snc_internal role is typically used for internal system operations and isn't generally intended for user-initiated actions like modifying or deleting records through the UI. Even if you grant delete/write ACLs to the snc_internal role, it may not apply in practice because the role is mainly reserved for backend processes rather than direct user operations.

ServiceNow ACLs evaluate user roles explicitly, and if your ACL allows delete for roles like itil but not for snc_internal, then even if snc_internal has the delete permission, it may not work as expected. This is because itil is a user-facing role designed for these kinds of actions, while snc_internal isn't typically considered for such operations.

To resolve this, you'll need to explicitly add roles like itil or other user-facing roles to the ACLs for CRUD operations. Relying on snc_internal alone won’t work as it's intended more for internal system tasks rather than manual user actions.

 

 
