In London version, unable to add security_admin

ent
Kilo Contributor

When adding the security_admin role to a user, one must elevate his security privilege. How does this validation work? Does any business rule control this? In London, we are getting the error 'User admin without admin/security_admin role is not allowed to grant admin/security_admin-containing roles or groups.' when trying to add the security_admin role.

sachin_namjoshi
Kilo Patron

In the base system, only the default System Administrator (admin) user has the security_admin role. Since it requires elevating privileges, the admin user does not have this role at login. After elevating privileges, the admin user has the security_admin role for the duration of the user session.

 

https://docs.servicenow.com/bundle/london-platform-administration/page/administer/security/concept/security-admin-role.html

 

Regards,

Sachin

We actually have a group that contains both the admin and security_admin roles. If a user that already has existing admin and security admin tries to add another user to this group without elevating his privilege, he is getting 'User admin without admin/security_admin role is not allowed to grant admin/security_admin-containing roles or groups.' This only happened in London.

I think you just answered your own question there:

'If a user that already has existing admin and security admin tries to add another user to this group without elevating his privilege, he is getting "User admin without admin/security_admin role is not allowed to grant admin/security_admin-containing roles or groups."'

In London you have to have the security_admin role and be in the elevated state to add a user to a group containing security_admin.

ent
Kilo Contributor

Yes, what controls this validation - the need to elevate privilege? Business rule? ACL? Prior to London we were able to add new security admins without elevating privilege.