[GF#6] Read-Only Admin

GlideFather
Tera Patron

Not a question. 

Discover how read-only admin access in ServiceNow lets you share full platform visibility without risk.

 

GlideFather_0-1768432855880.png
GlideFather_1-1768432860640.png
GlideFather_2-1768432864683.png

GlideFather_3-1768432870212.png

 

Have you ever needed read-only admin?

_____
Answers generated by GlideFather. Check for accuracy.

1 ACCEPTED SOLUTION

Ahoy @EgSnow, thanks for taking the time to review my posts, it's really appreciated! Do you also have any actual evidence for that, or is this just an assumption?

 

Because I tested it myself again to demonstrate to you what I tried to explain above: you simply CANNOT get stronger permissions by impersonation than what you currently have assigned, you just don't.

 

Here is what I did, and I invite you to validate it from your end as well. Create two users:

  • "User_a": admin-read-only
    • admin + snc_read_only
  • "User_b": admin-standard
    • admin only

GlideFather_0-1779483195054.png

 

Then I logged in as User_a (admin-read-only), impersonated User_b (full admin) and checked random records, as seen below.

 

A business rule:

Screenshot 2026-05-22 at 21.45.20.png

 

A user profile:

GlideFather_1-1779483327270.png

 

A location record:

GlideFather_2-1779483330811.png

 

Also tried to access background script:

GlideFather_3-1779483334111.png

 

Read-only access is still read-only and isn't overridden by impersonation and the above proves it.

 

I'm happy to discuss this further if you have something concrete to back up your claim, but it looks more like unvalidated assumptions than anything actually tested and verified from your end, what do you reckon?

_____
Answers generated by GlideFather. Check for accuracy.


5 REPLIES

SebinS
Tera Contributor

Thank you for the information.

EgSnow
Tera Contributor

This situation can only be bypassed if the user admin and read-only roles impersonate a user with admin privileges. In that case, the user admin and read-only would effectively become a full admin.

Ahoy @EgSnow,

 

thank you for your comment. I am not quite sure I understand you, but it seems that you claim that user_admin and read_only will allow you to get full admin rights by impersonation. Is that what you are saying? Because it is not correct and I validated that, see below.

 

In principle, you cannot impersonate a higher role than you have assigned yourself; it is a security measure.

 

You mentioned user_admin - I created a dummy user with that role, also assigned it itil to access the backend and the impersonator role to be able to impersonate.

 

See on the left, the dummy user with 3 roles (+ many more auto-inherited), then I created credentials for them to log in locally as that user and tried to impersonate an admin - not possible:

 

GlideFather_0-1778224781163.png

 

But an admin can impersonate another admin - OK:

GlideFather_1-1778224864072.png

 

Is that what you meant or could you possibly elaborate a bit more on what you wanted to say?

_____
Answers generated by GlideFather. Check for accuracy.
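The two tests GlideFather walks through in this thread (User_a with admin + snc_read_only impersonating the full admin User_b in the accepted solution, and the user_admin + itil + impersonator dummy trying to impersonate an admin in the post above) can be kept as a small regression matrix. The following is an added example and not ServiceNow code or anything posted in the thread: it is a constructed model in plain JavaScript whose three rules encode only what the screenshots in the thread report (an impersonator role is needed to impersonate, a non-admin cannot impersonate an admin, and snc_read_only on the real user is not dropped while impersonating). The role-containment table is an assumption kept to the one relationship the model needs; a real instance inherits many more roles, as the post notes.

```javascript
// Constructed model (not ServiceNow code) of effective permissions while impersonating.
// Rules, taken from the observations reported in this thread:
//  1. A user needs the "impersonator" role to impersonate anyone.
//  2. A user without "admin" cannot impersonate a user who has "admin".
//  3. "snc_read_only" belongs to the real (logged-in) user and survives impersonation,
//     so the session stays read-only even when the impersonated user is a full admin.

// Assumed role containment: "admin" includes "impersonator". Real instances inherit
// far more; this is the single relationship the model needs.
const CONTAINS = {
  admin: ["impersonator"],
};

// Expand directly assigned roles into the full inherited set.
function effectiveRoles(assigned) {
  const out = new Set();
  const stack = [...assigned];
  while (stack.length) {
    const role = stack.pop();
    if (out.has(role)) continue;
    out.add(role);
    for (const child of CONTAINS[role] || []) stack.push(child);
  }
  return out;
}

// Can `actor` start an impersonation session as `target`?
function canImpersonate(actor, target) {
  const a = effectiveRoles(actor.roles);
  const t = effectiveRoles(target.roles);
  if (!a.has("impersonator")) return false;            // rule 1
  if (t.has("admin") && !a.has("admin")) return false; // rule 2
  return true;
}

// Resolve what the session can do. `target` is optional (no impersonation).
// canWrite models writing to admin-protected records (business rules, users, locations).
function sessionPermissions(actor, target) {
  const own = effectiveRoles(actor.roles);
  const impersonating = Boolean(target) && canImpersonate(actor, target);
  const acting = impersonating ? effectiveRoles(target.roles) : own;
  const readOnly = own.has("snc_read_only");           // rule 3: tied to the real user
  return {
    impersonating,
    roles: [...acting].sort(),
    canWrite: acting.has("admin") && !readOnly,
  };
}

// The cases from the thread, as a reusable regression matrix.
function runThreadCases() {
  const userA = { name: "User_a", roles: ["admin", "snc_read_only"] }; // admin-read-only
  const userB = { name: "User_b", roles: ["admin"] };                  // admin-standard
  const dummy = { name: "dummy", roles: ["user_admin", "itil", "impersonator"] };
  return {
    readOnlyAdminImpersonatingAdmin: sessionPermissions(userA, userB),
    userAdminImpersonatingAdmin: sessionPermissions(dummy, userB),
    adminImpersonatingAdmin: sessionPermissions(userB, userA),
    readOnlyAdminAlone: sessionPermissions(userA),
  };
}

console.log(JSON.stringify(runThreadCases(), null, 2));
```

Under these rules the read-only admin gets User_b's roles while impersonating but still cannot write, the user_admin dummy never enters impersonation at all, and a full admin impersonating another admin keeps write access, which is exactly the outcome the screenshots show. If a different instance ever behaves otherwise, the matrix makes the divergence concrete instead of a matter of assumption.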

Hello Tera Patron,

I’d like to clarify my use case once more.

User_a has both "admin" and "snc_read_only" roles, while User_b only has the "admin" role.

When User_a impersonates User_b, User_a is granted write permissions.

I hope this explanation helps clarify the scenario. So, there is a little risk.

Kind Regards