Review admin roles

Cynthia19
Tera Contributor

Hello admins, developers and architects 

 

I am looking for a way to review admin roles in our instance and hopefully create some documentation that will assist in determining permissions.

 

The goal is to identify roles that are grandfathered and those that are no longer being used, and also to determine those roles that are over-privileged, so we can remove those individuals who should not have the admin role.

 

I would like to be able to pull 

  • A description of the role
  • Groups assigned the role
  • Recommendation if the role is assigned out appropriately

Is this something I can pull easily?

 

Thank you, fellows. 


Bert_c1
Kilo Patron

Hi, I replied to the same question here:

https://www.servicenow.com/community/developer-forum/admin-roles-with-it-hierarchies/m-p/2357800/pag...

but no feedback on if that addressed the requestor's needs.

 

You should have the "Contextual Security: Role Management V2" plugin activated. With that, you can see the Inheritance map on any sys_user_has_role record (search those with the 'admin' role). None show in my instance, and 'admin' is not inherited from any group or other role in my instance.

 

For your 3rd bullet, if that plugin is activated, then the Support team can run a 'verify' role inheritance script to check and provide the report. You would need to create a Support case for that.

@Bert_c1 

 

I do have that Contextual Security: Role Management V2 installed. Could you assist with how I can pull the report and how I can see the inheritance map, if you don't mind?

Bert_c1
Kilo Patron

@Cynthia19 

 

You go to a list view of the sys_user_has_role table and filter based on role and/or user. Make sure the Inheritance Map field is included in the columns. If there is an 'Inheritance count' value (the role assignment was inherited from another role or group), the 'Inheritance map' column will have a link to see that.

 

What I posted in the other thread follows, to see if the 'admin' role is in some "inheritance hierarchy". OOB, the 'admin' role is not inherited. However, previous instance admins could have added that role to another role and/or group, so it is inherited by assigning the parent role/group to a user. The following should help with determining that.

 

<post>

https://[instance_url]/sys_user_role_list.do?sysparm_query=includes_roles!%3DNULL&sysparm_view=
to see those roles that include other roles. See if 'admin' is in that list in the 'Includes roles' field. If so, get the list of 'Name' values; consider those the "parents" of the 'admin' role. Then use those 'Name' values to search the same table again with the filter "Includes roles", "is one of", and the list of names. Consider those the "grand-parents" of 'admin'. Repeat until no records are returned.

 

There is also the sys_user_role_contains table that, when queried for 'Contains', 'is', 'admin', should show the same roles. If you see any, use the 'Role' values to search again as the 'Contains' value; these 'Roles' would be the "grand-parents" of admin.

 

For Group hierarchy, go to:
https://[instance_url]/sys_group_has_role_list.do?sysparm_query=role%3D2831a114c611228501d4ea6c309d626d&sysparm_view=
(where '2831a114c611228501d4ea6c309d626d' is the sys_id value of the sys_user_role record for 'admin')
If there are any and Inherit is true, then use those group name values to search the sys_user_group table and see if any have a 'parent'. If so, use those group name values to search again (to find grand-parents). Continue until you get no results.

</post>
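The walk described in the post above (roles that contain 'admin', their parents and grand-parents until nothing is returned; groups holding the role and their hierarchy) can be run as one script instead of repeated list filters. The following is an added example, not code from this thread or from ServiceNow: plain JavaScript over constructed rows that stand in for the sys_user_role_contains, sys_group_has_role and sys_user_group tables named in the post. Table and field names are the thread's; every row value and the function names (rolesGranting, groupsGranting, parentChain) are assumptions of the example, and it assumes the platform's behaviour that a group-role row with Inherits set passes the role down to child groups. The sample includes a role cycle (sec_ops_super contains platform_owner and vice versa) to show that the "repeat until no records are returned" loop needs a visited set to terminate. In a real instance the same logic would read the rows with GlideRecord or from a list export.

```javascript
// Constructed sample rows (not from any real instance) standing in for three tables.
const ROLE_CONTAINS = [            // sys_user_role_contains: Role -> Contains
  { role: 'itil_admin',     contains: 'itil' },
  { role: 'sec_ops_super',  contains: 'admin' },          // 'admin' nested under a custom role
  { role: 'platform_owner', contains: 'sec_ops_super' },  // grand-parent of 'admin'
  { role: 'platform_owner', contains: 'itil_admin' },
  { role: 'sec_ops_super',  contains: 'platform_owner' }, // cycle: the walk must still terminate
];
const GROUP_HAS_ROLE = [           // sys_group_has_role: Group, Role, Inherits
  { group: 'Infrastructure', role: 'admin',         inherits: true  },
  { group: 'Legacy Admins',  role: 'admin',         inherits: false },
  { group: 'Security',       role: 'sec_ops_super', inherits: true  },
  { group: 'Service Desk',   role: 'itil',          inherits: true  },
];
const GROUPS = [                   // sys_user_group: Name, Parent
  { name: 'IT',                parent: null },
  { name: 'Infrastructure',    parent: 'IT' },
  { name: 'Cloud Ops',         parent: 'Infrastructure' },
  { name: 'Cloud Ops Interns', parent: 'Cloud Ops' },
  { name: 'Legacy Admins',     parent: null },
  { name: 'Legacy Interns',    parent: 'Legacy Admins' },
  { name: 'Security',          parent: null },
  { name: 'Service Desk',      parent: 'IT' },
];

// Every role that grants `target`, directly or through any chain of "Contains" rows.
// Breadth-first with a visited set, so the parent/grand-parent search ends even on cycles.
function rolesGranting(target, roleContains = ROLE_CONTAINS) {
  const found = new Set();
  const queue = [target];
  while (queue.length) {
    const current = queue.shift();
    for (const row of roleContains) {
      if (row.contains === current && !found.has(row.role)) {
        found.add(row.role);
        queue.push(row.role);
      }
    }
  }
  return [...found].sort();
}

// Groups whose members end up with `target`: groups holding it (or a role that grants it)
// are "direct"; child groups of a row with Inherits set are "inherited" (assumed platform behaviour).
function groupsGranting(target, { roleContains = ROLE_CONTAINS, groupHasRole = GROUP_HAS_ROLE, groups = GROUPS } = {}) {
  const grantingRoles = new Set([target, ...rolesGranting(target, roleContains)]);
  const childrenOf = (name) => groups.filter((g) => g.parent === name).map((g) => g.name);
  const direct = new Set();
  const inherited = new Set();
  for (const row of groupHasRole) {
    if (!grantingRoles.has(row.role)) continue;
    direct.add(row.group);
    if (!row.inherits) continue;                 // Inherits false: children do not receive the role
    const stack = childrenOf(row.group);
    while (stack.length) {
      const g = stack.pop();
      if (inherited.has(g)) continue;
      if (!direct.has(g)) inherited.add(g);
      stack.push(...childrenOf(g));
    }
  }
  return { direct: [...direct].sort(), inherited: [...inherited].sort() };
}

// Parent chain of a group, top-down, as the post's parent / grand-parent lookups produce it.
function parentChain(name, groups = GROUPS) {
  const byName = new Map(groups.map((g) => [g.name, g]));
  const chain = [];
  const seen = new Set();
  let current = byName.get(name) ? byName.get(name).parent : null;
  while (current && !seen.has(current)) {
    seen.add(current);
    chain.unshift(current);
    current = byName.get(current) ? byName.get(current).parent : null;
  }
  return chain;
}

// Usage: report what effectively grants 'admin' in the sample data.
console.log('roles granting admin:', rolesGranting('admin'));
console.log('groups granting admin:', groupsGranting('admin'));
console.log('parent chain of Cloud Ops Interns:', parentChain('Cloud Ops Interns'));
```

Anything that appears in the 'direct' or 'inherited' lists, or in rolesGranting('admin'), is a grant path that the plain sys_user_has_role list will not show as an explicit 'admin' assignment, which is exactly the set the review in the original question needs to cover.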

Dorian
Tera Contributor

Hello Cynthia,

 

In addition to the other responses, there is the Instance Security Center, where there is a dashboard for User Metrics with a report for Users with High Privilege Roles (I attach a screenshot of my dev instance below).


 

PS: be careful, if you use announcements, one of them activated with this portal breaks the others (you only need to deactivate it).

 

I hope it will help you.
Regards