Review admin roles
10-20-2022 09:34 PM
Hello admins, developers and architects
I am looking for a way to review admin roles in our instance and hopefully create some documentation that will assist in determining permission.
The goal is to identify roles that are grandfathered and those that are no longer being used, and also to determine those roles that are over-privileged, so we can remove those individuals who should not have the admin role.
I would like to be able to pull:
- A description of the role
- Groups assigned the role
- Recommendation if the role is assigned out appropriately
Is this something I can pull easily?
Thank you, fellows.
10-21-2022 07:49 AM
Hi, I replied to the same question here:
but no feedback on if that addressed the requestor's needs.
You should have the "Contextual Security: Role Management V2" plugin activated. With that, you can see the Inheritance map on any sys_user_has_role record (search those with the 'admin' role). None show in my instance and 'admin' is not inherited from any group or other role in my instance.
For your 3rd bullet, if that plugin is activated, then the Support team can run a 'verify' role inheritance script to check and provide the report. You would need to create a Support case for that.
10-21-2022 08:37 AM
I do have that Contextual Security: Role Management V2 installed. Could you assist with how I can pull the report and how I can see the inheritance map, if you don't mind?
10-21-2022 01:02 PM
You go to a list view of the sys_user_has_role table, filter based on role and/or user. Make sure the Inheritance Map field is included in the columns. If there is an 'Inheritance count' value (the role assignment was inherited from another role or group), the 'Inheritance map' column will have a link to see that.
What I posted in the other thread follows, to see if the 'admin' role is in some "inheritance hierarchy". OOB, the 'admin' role is not inherited. However, previous instance admins could have added that role to another role and/or group. So it is inherited by assigning the parent role/group to a user. The following should help with determining that.
<post>
https://[instance_url]/sys_user_role_list.do?sysparm_query=includes_roles!%3DNULL&sysparm_view=
to see those roles that include other roles. See if 'admin' is in that list in the 'Includes roles' field. If so, get the list of 'Names'. Consider those the "parents" of the 'admin' role. Then use those 'Name' values to search the same table again with the filter "Includes roles", "is one of", and the list of names. Consider those the grand-parents of 'admin'. Repeat until no records are returned.
There is also the sys_user_role_contains table that, when queried for 'Contains', 'is', 'admin', should show the same roles. If you see any, use the 'Role' values to search again as the 'Contains' value; these 'Roles' would be the "grand-parents" of admin.
For Group hierarchy, go to:
https://[instance_url]/sys_group_has_role_list.do?sysparm_query=role%3D2831a114c611228501d4ea6c309d626d&sysparm_view=
(where '2831a114c611228501d4ea6c309d626d' is the sys_id value of the sys_user_role record for 'admin')
If there are any and Inherit is true, then use those group name values to search the sys_user_group table and see if any have a 'parent'. If so, use those group name values to search again (to find grand-parents). Continue until you get no results.
</post>
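The "search again with the parents, repeat until no records are returned" steps above are a transitive-closure walk, and doing them by hand gets tedious once more than one custom role or group is involved. The script below is an added example, not code from this thread or from ServiceNow: it runs the same walk over small in-memory arrays that are constructed stand-ins for the sys_user_role_contains, sys_group_has_role and sys_user_group tables (the record shapes and field names are assumptions based on the columns named in the post). On a real instance you would fill those arrays from GlideRecord queries instead, and review the result against the inheritance map rather than treating it as authoritative.

```javascript
// Added example (not from the thread or from ServiceNow): the post's repeated
// "search again until nothing comes back" steps as a transitive-closure walk.
// The arrays below are constructed sample data standing in for three tables;
// on an instance they would come from GlideRecord queries.

// sys_user_role_contains: 'role' (parent) contains 'contains' (child)
const roleContains = [
  { role: "itil_admin", contains: "admin" },      // someone added 'admin' to a custom role
  { role: "legacy_ops", contains: "itil_admin" }, // grand-parent of 'admin'
  { role: "itil", contains: "itil_agent" },       // unrelated, must not be reported
];

// sys_group_has_role: role granted to a group, with the Inherits flag
const groupHasRole = [
  { group: "Platform Admins", role: "admin", inherit: true },
  { group: "Audit Readers", role: "admin", inherit: false },
  { group: "Ops Legacy", role: "legacy_ops", inherit: true }, // admin via a parent role
  { group: "Service Desk", role: "itil", inherit: true },
];

// sys_user_group: group name and its parent group ("" = top level)
const userGroups = [
  { name: "Corporate IT", parent: "" },
  { name: "IT Operations", parent: "Corporate IT" },
  { name: "Platform Admins", parent: "IT Operations" },
  { name: "Service Desk", parent: "IT Operations" },
  { name: "Ops Legacy", parent: "" },
  { name: "Finance", parent: "" },
  { name: "Audit Readers", parent: "Finance" },
];

// Roles that end up granting `target`: the target, its parents, their parents,
// ... until a pass adds nothing (the post's "repeat until no records are returned").
function rolesGranting(target, contains = roleContains) {
  const found = new Set([target]);
  let frontier = [target];
  while (frontier.length > 0) {
    const next = [];
    for (const rec of contains) {
      if (frontier.includes(rec.contains) && !found.has(rec.role)) {
        found.add(rec.role);
        next.push(rec.role);
      }
    }
    frontier = next;
  }
  return found;
}

// Parent, grand-parent, ... of a group, following sys_user_group.parent.
// The `seen` set stops an accidental cycle in the parent field from looping forever.
function groupAncestors(name, groups = userGroups) {
  const byName = new Map(groups.map((g) => [g.name, g]));
  const chain = [];
  const seen = new Set([name]);
  let cur = byName.get(name);
  while (cur && cur.parent && !seen.has(cur.parent)) {
    chain.push(cur.parent);
    seen.add(cur.parent);
    cur = byName.get(cur.parent);
  }
  return chain;
}

// Groups holding any role that grants `target`, each with the role it came
// through and, where Inherits is set, the ancestor chain the post says to review.
function groupsGranting(target, contains = roleContains, grants = groupHasRole, groups = userGroups) {
  const roles = rolesGranting(target, contains);
  const report = {};
  for (const rec of grants) {
    if (!roles.has(rec.role)) continue;
    report[rec.group] = {
      via: rec.role,
      inherit: rec.inherit,
      ancestors: rec.inherit ? groupAncestors(rec.group, groups) : [],
    };
  }
  return report;
}

// Stand-alone run: list everything that needs a reviewer's eye for 'admin'
console.log("roles granting admin:", [...rolesGranting("admin")]);
console.log(JSON.stringify(groupsGranting("admin"), null, 2));
```

With the sample data, `rolesGranting("admin")` returns admin, itil_admin and legacy_ops, and `groupsGranting("admin")` reports Platform Admins (with its parent chain, because Inherits is set), Audit Readers (direct grant, no chain) and Ops Legacy (admin reached through legacy_ops). Whatever the script reports still has to be checked against the record's inheritance map and your instance's group-inheritance behaviour before anyone's role is removed.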
10-23-2022 06:57 AM
Hello Cynthia,
In addition to the others' responses, there's the Instance Security Center, where there's a dashboard for User Metrics with a report for Users with High Privilege Roles (I have attached a screenshot of my dev instance below).
PS: be careful: if you use announcements, one of them activated with this portal breaks the others (you only need to deactivate it).
I hope it will help you.
Regards