- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2020 08:15 AM
We have a need for a user with the 'user_admin' role to be able to grant CSM roles to CSM licensed users. However, the user in question gets a not authorized message when trying to add any CSM roles to any users. The user can add the 'itil' role to any users with no issues.
I see the sys_user_has_role table has a create ACL with a scripted condition like so:
var rmAPI = new SNC.RoleManagementAPI();
if (!rmAPI.isAllowedToGrantRole(current.role))
answer = false;
else
answer = true;
Does anyone have more info on this functionality? I could not find a script include related to this, so it may be hidden. I'm wondering if it is possible for us to allow user administrators with the 'user_admin' role to manage CSM roles in addition to ITSM roles. I'm also curious as to what dictates what roles the 'user_admin' role is able to manage or not manage.
Thanks,
Steve
Solved! Go to Solution.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2020 10:54 AM
I believe you are running into the rule "Ensure user has Application Admin role". CSM is a scoped application, so the user granting the role needs to be an admin in that scope. I believe you you give that user "sn_customerservice_manager", then they could add that role to another user.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2020 10:54 AM
I believe you are running into the rule "Ensure user has Application Admin role". CSM is a scoped application, so the user granting the role needs to be an admin in that scope. I believe you you give that user "sn_customerservice_manager", then they could add that role to another user.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2020 01:32 PM
Hi Jeff,
Good call, that worked! Do you know of any workaround to this with cross-scope access or anything? We would rather not consume a CSM license for role management only.
Thanks,
Steve

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-03-2020 04:44 PM
This is tricky. Usually admin accounts don't count for subscriptions, but I think that role would. I think you should talk to your ServiceNow account team as they are going to be the final word on this anyway. You may be able to create a CSM_Admin role which can only create users. If that role is associated with the scope it should be able to do it, you just wasn't to make sure that wouldn't consume a subscription.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-29-2021 04:38 AM
Hi Jeff,
Could you please suggest me how to enable this for custom role?
Let's say I have created a custom role sn_customerservice.csm_bau, instead of using "sn_customerservice_manager" we want to use a custom role because we don't want to show CSM modules to the "BAU Team".
Thanks
Suresh