User_admin cannot add certain roles such as CSM roles

Go to solution
Steve Kelly
Mega Sage

‎03-03-2020 08:15 AM

We have a need for a user with the 'user_admin' role to be able to grant CSM roles to CSM licensed users. However, the user in question gets a not authorized message when trying to add any CSM roles to any users. The user can add the 'itil' role to any users with no issues.

I see the sys_user_has_role table has a create ACL with a scripted condition like so:

var rmAPI = new SNC.RoleManagementAPI();
if (!rmAPI.isAllowedToGrantRole(current.role))
	answer = false;
else
	answer = true;

Does anyone have more info on this functionality? I could not find a script include related to this, so it may be hidden. I'm wondering if it is possible for us to allow user administrators with the 'user_admin' role to manage CSM roles in addition to ITSM roles. I'm also curious as to what dictates what roles the 'user_admin' role is able to manage or not manage.

Thanks,

Steve

0 Helpfuls
  • 2,309 Views
1 ACCEPTED SOLUTION

Go to solution
Jeff Currier
ServiceNow Employee
ServiceNow Employee

‎03-03-2020 10:54 AM

I believe you are running into the rule "Ensure user has Application Admin role".  CSM is a scoped application, so the user granting the role needs to be an admin in that scope.  I believe you you give that user "sn_customerservice_manager", then they could add that role to another user.

View solution in original post

6 REPLIES 6

Go to solution
Jeff Currier
ServiceNow Employee
ServiceNow Employee

‎03-03-2020 10:54 AM

I believe you are running into the rule "Ensure user has Application Admin role".  CSM is a scoped application, so the user granting the role needs to be an admin in that scope.  I believe you you give that user "sn_customerservice_manager", then they could add that role to another user.

Go to solution
Steve Kelly
Mega Sage
In response to Jeff Currier

‎03-03-2020 01:32 PM

Hi Jeff,

Good call, that worked! Do you know of any workaround to this with cross-scope access or anything? We would rather not consume a CSM license for role management only.

Thanks,

Steve

0 Helpfuls

Go to solution
Jeff Currier
ServiceNow Employee
ServiceNow Employee
In response to Steve Kelly

‎03-03-2020 04:44 PM

This is tricky.  Usually admin accounts don't count for subscriptions, but I think that role would.  I think you should talk to your ServiceNow account team as they are going to be the final word on this anyway.   You may be able to create a CSM_Admin role which can only create users.  If that role is associated with the scope it should be able to do it, you just wasn't to make sure that wouldn't consume a subscription.

0 Helpfuls

Go to solution
suresh kumar3
Tera Contributor
In response to Jeff Currier

‎06-29-2021 04:38 AM

Hi Jeff,

Could you please suggest me how to enable this for custom role?

Let's say I have created a custom role sn_customerservice.csm_bau, instead of using "sn_customerservice_manager"  we want to use a custom role because we don't want to show CSM modules to the "BAU Team".

Thanks

Suresh

0 Helpfuls