User_admin cannot add certain roles such as CSM roles

Steve Kelly
Mega Sage

We have a need for a user with the 'user_admin' role to be able to grant CSM roles to CSM licensed users. However, the user in question gets a not authorized message when trying to add any CSM roles to any users. The user can add the 'itil' role to any users with no issues.

I see the sys_user_has_role table has a create ACL with a scripted condition like so:

var rmAPI = new SNC.RoleManagementAPI();
if (!rmAPI.isAllowedToGrantRole(current.role))
	answer = false;
else
	answer = true;

Does anyone have more info on this functionality? I could not find a script include related to this, so it may be hidden. I'm wondering if it is possible for us to allow user administrators with the 'user_admin' role to manage CSM roles in addition to ITSM roles. I'm also curious as to what dictates what roles the 'user_admin' role is able to manage or not manage.

Thanks,

Steve

1 ACCEPTED SOLUTION

Jeff Currier
ServiceNow Employee

I believe you are running into the rule "Ensure user has Application Admin role". CSM is a scoped application, so the user granting the role needs to be an admin in that scope. I believe if you give that user "sn_customerservice_manager", then they could add that role to another user.

6 REPLIES

Hi Jeff,

Good call, that worked! Do you know of any workaround to this with cross-scope access or anything? We would rather not consume a CSM license for role management only.

Thanks,

Steve

This is tricky. Usually admin accounts don't count for subscriptions, but I think that role would. I think you should talk to your ServiceNow account team as they are going to be the final word on this anyway. You may be able to create a CSM_Admin role which can only create users. If that role is associated with the scope it should be able to do it; you just want to make sure that wouldn't consume a subscription.

Hi Jeff,

Could you please suggest how to enable this for a custom role?

Let's say I have created a custom role sn_customerservice.csm_bau. Instead of using "sn_customerservice_manager", we want to use a custom role because we don't want to show CSM modules to the "BAU Team".

Thanks

Suresh