We're reclaiming inactive PDIs to keep them available for active builders. Learn what's changing, who's affected, and how to protect your work. Read More

Allow only the Entra integration user to update the read-only Manager field

Priya Singh 2 2
Tera Contributor
Currently, the Manager field on the User [sys_user] table is maintained by an external source and is configured as read-only. As part of the Entra integration enhancement, this field needs to be populated during user creation rather than waiting for a subsequent update process.
 
The challenge is that write access needs to be granted exclusively to the Entra integration account for updating the Manager field during user creation. Even though the integration account has the admin role, the requirement is to prevent all other users, including administrators, from modifying this field manually while still allowing the Entra integration to update it. The current access controls are not enforcing this distinction as expected and require further evaluation.
1 REPLY 1

Hanna_G
Kilo Sage

Hi  @Priya Singh 2 2 

Admin users will override any of the ACL's that you put upon the global records - you may have to handle this through process with the admin users, as opposed to adding unnecessary complexity through scripting. 


To investigate why other users can do this and which ACLs are allowing this then @Sagar Pagar has done an excellent article on how to debug ACLs: How to Debug the ACLs Like a Pro developer in Serv... - ServiceNow Community

 

This should help you work out what you need to change. You could consider creating a role for the Entra integration account and adding that onto the Manager field and create an ACL for must have this role. But you'll need to understand the other ACLs that manage the access there.