User_admin cannot add certain roles such as CSM roles

Steve Kelly
Mega Sage

We have a need for a user with the 'user_admin' role to be able to grant CSM roles to CSM licensed users. However, the user in question gets a not authorized message when trying to add any CSM roles to any users. The user can add the 'itil' role to any users with no issues.

I see the sys_user_has_role table has a create ACL with a scripted condition like so:

// Condition script on the create ACL for sys_user_has_role, as found on the instance.
// The decision is delegated to the platform-internal RoleManagementAPI, which checks
// whether the logged-in user may grant the role referenced by current.role.
var rmAPI = new SNC.RoleManagementAPI();
if (!rmAPI.isAllowedToGrantRole(current.role))
    answer = false;
else
    answer = true;

Does anyone have more info on this functionality? I could not find a script include related to this, so it may be hidden. I'm wondering if it is possible for us to allow user administrators with the 'user_admin' role to manage CSM roles in addition to ITSM roles. I'm also curious as to what dictates what roles the 'user_admin' role is able to manage or not manage.

Thanks,

Steve

1 ACCEPTED SOLUTION

Jeff Currier
ServiceNow Employee

I believe you are running into the rule "Ensure user has Application Admin role". CSM is a scoped application, so the user granting the role needs to be an admin in that scope. I believe if you give that user "sn_customerservice_manager", then they could add that role to another user.


You want to use role delegation (Role Delegators module). To view existing role delegators and the groups in which they can delegate roles, navigate to User Administration > Role Delegators.

art_anderson2
Tera Expert

Good day,

I know this is an old post but I ran across a very similar issue. Mine had little to nothing to do with ACLs but was related to role inheritance. Running "Debug Security" did not reveal very well what I was hunting for; it basically showed that I failed a record context, being the "Group Name" I was trying to manage.

In my case we are using the roles "sn_slm.fulfiller" and "sn_slm.contact"; both of these roles contained either "sn_doc.reader" or "sn_doc.writer". I do see that in other instances this is inherited by other roles, but not in my case.

Now in inspecting the roles "sn_doc.reader" and "sn_doc.writer" I found that these roles may only be granted if the grantor ("Assignable by") has "sn_doc.admin". I added "sn_doc.admin" to my "Access administrator" group roles and this now allows the access folks to manage the groups.

I found this by following a Role Tree, which gave me the info I needed. It took me a while to find this restriction, so I hope this helps someone else.


Thanks,

Art Anderson
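The two restrictions raised in this thread (the accepted answer's scoped-application admin rule and Art's "Assignable by" rule, compounded by role inheritance) can be hard to reason about from "Debug Security" output alone. The following is an added example, not code from this thread or from ServiceNow: a stand-alone JavaScript model of those grant checks that explains why a grant is refused. SNC.RoleManagementAPI is platform-internal and its rules are not published, so the role catalogue, the scope-to-admin-role mapping, the global-admin bypass and the function names (expandRoles, canGrant) are constructed assumptions used only to illustrate the decision logic.

```javascript
// Added example, not ServiceNow code: a stand-alone model of the grant checks this
// thread describes. The data and rules below are constructed assumptions.

// Constructed role catalogue.
//   scope        - application scope the role belongs to ("global" for platform roles)
//   assignableBy - role a grantor must hold ("Assignable by" restriction), or null
//   includes     - roles this role contains (role inheritance)
const ROLES = {
  itil:                       { scope: 'global',             assignableBy: null,           includes: [] },
  user_admin:                 { scope: 'global',             assignableBy: null,           includes: [] },
  sn_customerservice_manager: { scope: 'sn_customerservice', assignableBy: null,           includes: ['sn_customerservice_agent'] },
  sn_customerservice_agent:   { scope: 'sn_customerservice', assignableBy: null,           includes: [] },
  'sn_doc.admin':             { scope: 'sn_doc',             assignableBy: null,           includes: [] },
  'sn_doc.reader':            { scope: 'sn_doc',             assignableBy: 'sn_doc.admin', includes: [] },
  'sn_slm.fulfiller':         { scope: 'sn_slm',             assignableBy: null,           includes: ['sn_doc.reader'] },
};

// Constructed scope -> application admin role mapping, modelling the rule
// "Ensure user has Application Admin role". Scopes absent from this map impose
// no scope-admin requirement in this model.
const SCOPE_ADMIN = {
  sn_customerservice: 'sn_customerservice_manager',
  sn_doc: 'sn_doc.admin',
};

// Transitive closure over "includes": the effective set of roles a grant really
// confers, or that a grantor really holds. Unknown names are kept as leaf roles.
function expandRoles(roleNames) {
  const seen = new Set();
  const stack = [...roleNames];
  while (stack.length) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    const def = ROLES[name];
    if (def) stack.push(...def.includes);
  }
  return seen;
}

// Decide whether a grantor holding `grantorRoles` may add `roleName` to another
// user. Returns { allowed, reasons } so every refusal carries an explanation.
function canGrant(grantorRoles, roleName) {
  const held = expandRoles(grantorRoles);
  const reasons = [];
  if (held.has('admin')) return { allowed: true, reasons }; // constructed global-admin bypass
  if (!held.has('user_admin')) reasons.push('grantor lacks user_admin');

  // Every role the grant effectively confers is checked, inherited ones included:
  // this is the inheritance trap Art hit with sn_slm.fulfiller -> sn_doc.reader.
  for (const target of expandRoles([roleName])) {
    const def = ROLES[target];
    if (!def) { reasons.push(`unknown role ${target}`); continue; }
    const scopeAdmin = SCOPE_ADMIN[def.scope];
    if (scopeAdmin && !held.has(scopeAdmin))
      reasons.push(`${target} is in scope ${def.scope}; grantor needs ${scopeAdmin}`);
    if (def.assignableBy && !held.has(def.assignableBy))
      reasons.push(`${target} is assignable only by ${def.assignableBy}`);
  }
  return { allowed: reasons.length === 0, reasons };
}

// Walk-through of the situations described in the thread.
for (const [who, role] of [
  [['user_admin'], 'itil'],
  [['user_admin'], 'sn_customerservice_agent'],
  [['user_admin', 'sn_customerservice_manager'], 'sn_customerservice_agent'],
  [['user_admin'], 'sn_slm.fulfiller'],
  [['user_admin', 'sn_doc.admin'], 'sn_slm.fulfiller'],
]) {
  const r = canGrant(who, role);
  console.log(`${who.join('+')} -> ${role}: ${r.allowed ? 'allowed' : 'denied: ' + r.reasons.join('; ')}`);
}
```

The model reproduces both outcomes from the thread: a plain user_admin can grant itil but not a CSM role until it also holds sn_customerservice_manager, and granting sn_slm.fulfiller fails until the grantor holds sn_doc.admin, because the contained sn_doc.reader is assignable only by that role. Returning the reasons rather than a bare boolean is the part worth copying into any custom grant check: it turns an opaque "not authorized" into an auditable statement of which least-privilege rule blocked the grant.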