Roles that are able to approve requests

Naomi5 · ‎02-09-2022

Hi all,

I have a doubt on which roles can approve, as OOB functionality.

My current understanding is:
- ITIL user can approve any request, as long as it's assigned to them
- Admin can approve anything, even if it was not assigned to them

Is that correct? How about approver_user role? What does it do exactly? I've read up few posts and docs about it... and I couldn't understand.

From checking with PDI I found that:
- approver_user user cannot approve request, unless it's assigned to them

Wouldn't that be kind of redundant with ITIL role?

Last questions ... are there any role (other than admin) that can approve requests that is not assigned to them?

TIA!

Allen Andreas · ‎02-09-2022

Hello,

A lot of these questions can be answered by viewing the sysapproval_approver table's ACLs. Check those out for clarification.

Just because they are itil doesn't mean that they should all of a sudden be able to do more (if that was the case, itil users would be running around the system approving all sorts of stuff just to get approvals pushed through). itil role users are the same as a basic approver, meaning, they have no extra permission for approvals beyond approving something assigned to them. Same as anyone else.

Admin/approval admin are the only roles who can just approve anything for anyone.

Please mark reply as Helpful/Correct, if applicable. Thanks!

Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!

View solution in original post

Allen Andreas · ‎02-09-2022

Hello,

A lot of these questions can be answered by viewing the sysapproval_approver table's ACLs. Check those out for clarification.

Just because they are itil doesn't mean that they should all of a sudden be able to do more (if that was the case, itil users would be running around the system approving all sorts of stuff just to get approvals pushed through). itil role users are the same as a basic approver, meaning, they have no extra permission for approvals beyond approving something assigned to them. Same as anyone else.

Admin/approval admin are the only roles who can just approve anything for anyone.

Please mark reply as Helpful/Correct, if applicable. Thanks!

Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!

Naomi5 · ‎02-09-2022

Thank you so much! Looking into this right now

Allen Andreas · ‎02-09-2022

You're welcome 🙂

Keep in mind that using the approval system is technically a licensed activity. Meaning the user would/should have the approval_user role or business_stakeholder role (as that is the newer version) or above.

If you have any questions about roles and who can do 'x' or 'y', it's highly recommended to speak to your ServiceNow Account Executive to ensure you're doing things in a way that won't get you in to any financial implications when ServiceNow conducts their audits at contract renewal time (or perhaps in-between as well).

Please mark reply as Helpful/Correct, if applicable. Thanks!

Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!

cynlink1 · ‎08-12-2022

Hi Allen,

When I view our ACLs, I can't see where the approver_user role is evaluated. Instead, I see calls to script includes and functions.

Can a user without the approver_user role, approve service catalog requests if the approval is assigned or delegated to them without being assigned the 'approver_user' role? If not, can you point me to where the 'approver_user' role is being evaluated to allow the activity?

Example script condition from write ACL:

answer = gs.hasRole('approval_admin') || gs.hasRole('itil') || gs.hasRole('catalog') || (new ApprovalDelegationUtil().isMyApproval(current));

Many thanks,

Cyn