Roles for Service Catalog and Flow "Developer"?
11-10-2022 12:47 PM
Hi all,
I am a relatively new ServiceNow Administrator. I am working with a Developer who will be tasked with creating new catalog items and creating automation (Flows) to process any requests/incidents. I don't think he's ready to do any scripting for catalog items right now but that might be requested later... He currently has ITIL role from his group membership in ServiceNow, but what other OOTB roles should be granted?
I was thinking he needs catalog_admin role to create/manage catalog items, but what other roles would he need for Flow Designer? By impersonating him, it seems OOTB the ITIL role lets him create new Flows but he cannot "activate" or "publish" flows. Is there any other role besides "admin" that would let him create/manage/activate all parts of a Flow (Flow/Subflow/Actions, etc.)?
Basically I would prefer to not grant him admin role even though it's in our Dev environment, if it can be avoided. Please do share any recommendations you have for roles to assign or setting up access for a developer in my scenario.
Best,
Chris
11-10-2022 01:00 PM
The OOTB ITIL role should not allow him to create new flows. Can you look into seeing if he already has any other roles?
The roles that are needed for flow designer are
- flow_designer: create and edit flows
- flow_operator: view flow execution details, dashboards, and logs
- action_designer: create and edit custom actions
But I think he'll need the admin role anyway to actually capture his development in an update set.
11-10-2022 02:04 PM
Thanks Mike, turns out I was looking at another IT dept user with a very similar name that had both itil and flow_designer roles already.... So I added flow_designer role to the group of the developer in question and now I can access Flow Designer when impersonating him.
It seems like at least catalog_admin + flow_designer roles must be assigned to the developer at the minimum.
That is a great point about access to manage update sets so he can capture his work... Is there any other role besides admin role that can manage update sets? I prefer not to give admin role to him so let me know if you or anyone else can think of alternatives to give access to manage update sets...
Thanks again,
Chris
11-10-2022 02:14 PM
He'll need the admin role to access update sets.
But there's a feature in Tokyo, where if you use catalog builder, update sets are automatically created for each catalog item that is "published". This might work for your use case if you're on Tokyo.
11-10-2022 02:28 PM
I removed the flow_designer role from the initial user (not the Developer) that I'll call "UserA". And UserA still had access to Flow Designer. I was scratching my head as to why the user still had access :)...ended up using Role Inheritance Map on the sys_user_has_role table to track down that UserA has a catalog_editor role that has flow_designer role in it... And that catalog_editor was nested in a series of other roles! Not sure if that was OOTB or set up by a previous administrator :).
We are still on San Diego so it looks like I may have to just grant admin role to the developer and be done with it. I know that will cause everyone less headache but was trying to follow the good ol' "least privilege" concept for access. Thanks again.
Chris
Thanks,
-Chris
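
The nested-role situation described in the last post can be audited by walking the role containment graph. The following is an added example, not code from the thread or from ServiceNow: it runs in plain JavaScript over constructed rows shaped like the `sys_user_role_contains` table (fields `role` and `contains`); the `x_it_*` role names are invented, and only the catalog_editor to flow_designer link comes from the thread.

```javascript
// Constructed sample rows shaped like sys_user_role_contains (role -> contains).
// Only catalog_editor -> flow_designer is taken from the thread; x_it_* is invented.
const roleContains = [
  { role: "x_it_staff", contains: "x_it_catalog_team" },
  { role: "x_it_catalog_team", contains: "catalog_editor" },
  { role: "catalog_editor", contains: "flow_designer" },
  { role: "x_it_catalog_team", contains: "x_it_staff" }, // cycle, must not loop
];

// Constructed direct grants for "UserA" after flow_designer was removed.
const directGrants = { UserA: ["itil", "x_it_staff"] };

// Build an adjacency map: role -> roles it contains.
function buildGraph(rows) {
  const graph = new Map();
  for (const { role, contains } of rows) {
    if (!graph.has(role)) graph.set(role, []);
    graph.get(role).push(contains);
  }
  return graph;
}

// Return every chain of roles leading from a direct grant to `target`.
function explainRole(grants, rows, target) {
  const graph = buildGraph(rows);
  const paths = [];
  const walk = (role, path) => {
    if (path.includes(role)) return; // cycle guard
    const next = [...path, role];
    if (role === target) { paths.push(next); return; }
    for (const child of graph.get(role) || []) walk(child, next);
  };
  for (const granted of grants) walk(granted, []);
  return paths;
}

// All roles effectively held: direct grants plus everything they contain.
function effectiveRoles(grants, rows) {
  const graph = buildGraph(rows);
  const seen = new Set();
  const stack = [...grants];
  while (stack.length) {
    const role = stack.pop();
    if (seen.has(role)) continue;
    seen.add(role);
    stack.push(...(graph.get(role) || []));
  }
  return [...seen].sort();
}

console.log(explainRole(directGrants.UserA, roleContains, "flow_designer"));
```

An empty result from `explainRole` means no remaining grant leads to the target role, which is the condition to check before treating a role removal as effective.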
