- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-14-2026 03:26 PM
Not a question.
Discover how read-only admin access in ServiceNow lets you share full platform visibility without risk.
Have you ever needed read-only admin?
Where the rules are real, you'll find me
Solved! Go to Solution.
- 1,911 Views
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-22-2026 02:10 PM
Ahoy @EgSnow, thank for taking the time to review my posts, it's really appreciated! Do you also have any actual evidence for that or is this just an assumption?
Because I tested it myself again to demonstrate you what I tried to explain above - you simply CANNOT get stronger permission by impersonation than what you currently have assigned, you just don't.
Here is what I did and I invite you to validate from your end as well, create two users:
- "User_a": admin-read-only
- admin + snc_read_only
- "User_b": admin-standard
- admin only
Then I logged as User_a (admin-read-only) and impersonated the User_b (full admin) and checked random records as seen below.
A business rule:
A user profile:
A location record:
Also tried to access background script:
Read-only access is still read-only and isn't overridden by impersonation and the above proves it.
I'm happy to discuss this further if you have something concrete to back up your claim but but it looks more like unvalidated assumptions than anything actually tested and verified from your end, what do you reckon?
Where the rules are real, you'll find me
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-06-2026 06:26 AM
Thankyou for information.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-07-2026 07:26 PM
This situation can only be bypassed if the user admin and read-only roles impersonate a user with admin privileges. In that case, the user admin and read-only would effectively become a full admin.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-08-2026 12:24 AM
Ahoy @EgSnow,
thank you for your comment, I am quite not sure I understand you but it seems that you claim that user_admin and read_only will allow you to get full admin rights by impersonation. Is that what you are saying? Because it is not correct and I validated that, see below.
In principal, you cannot impersonate for higher role than you have assigned yourself, it is a security measure.
You mentioned user_admin - I created a dummy user with that role, assigned it also itil to access backend and impersonator role to be able impersonating.
See on the left, dummy user with 3 roles (+ auto-inherited many more), then I created credentials for them to login locally for that user and tried to impersonate for an admin - not possible:
But an admin can impersonate for another admin - OK:
Is that what you meant or could you possibly elaborate a bit more on what you wanted to say?
Where the rules are real, you'll find me
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-22-2026 12:39 PM
Hello Tera Patron,
I’d like to clarify my use case once more.
User_a has both "admin" and "snc_read_only" roles, while User_b only has the "admin" role.
When User_a impersonates User_b, User_a is granted writing permissions.
I hope this explanation helps clarify the scenario. So, there is a little risk.
Kind Regards