Some roles are missing when requesting the [sys_user_role] table without an admin account

Bastien
Tera Contributor

Hello community,

After requesting the [sys_user_role] table with a non-admin account, some roles are missing, like the admin one for example. But doing the same request with an admin account, I get the wanted results, listing every role.

I've tried following this to solve my issue but it didn't work:

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0753001


Rahul Kumar17
Tera Guru

Hi Bastien,

This behavior is expected as the [sys_user_role] table is protected by role-based ACLs, which means that the visibility of the records in this table depends on the roles that are assigned to the user who is requesting the data.

In your case, it seems that the non-admin account that you are using does not have the necessary roles assigned to view all the records in the [sys_user_role] table, including the admin role.

To verify this, you can check the role-based ACLs that are defined on the [sys_user_role] table by navigating to "System Security > Access Control > [Roles]" and selecting the [sys_user_role] table. This will show you the roles that have access to the table and the specific access they have, such as read, write, create, or delete.

If you need to grant access to the admin role for the non-admin account, you can do so by adding the admin role to the user's list of roles. Alternatively, you can create a new role-based ACL that grants read access to the [sys_user_role] table for the non-admin role or any other role that needs access.

Thanks,

Rahul Kumar

If my response helped please mark it correct and close the thread.


Bastien
Tera Contributor

Hello,

Thank you for your answer. Creating a new ACL granting read access to the [sys_user_role] solved some of my issues.

But the request on "api/now/table/sys_user_role" is still missing some roles when requested with a non-admin account.

And they all seem to be in specific scopes (Templated Snippets, Employee Center Core, Employee Profile...).

Which access lets an admin account have read rights for the roles in those scopes but not a non-admin account even if it has read access on [sys_user_role]?

Thanks
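
One way to pin down which roles are still hidden and which application scope each belongs to, as an added example that is not part of the original thread: it compares the `api/now/table/sys_user_role` results of the two accounts and groups the difference by `sys_scope`. The instance URL, the credentials and the sample rows (including the scoped role names) are assumptions constructed for illustration.

```python
import base64
import json
import urllib.parse
import urllib.request
from collections import defaultdict

def fetch_roles(instance, user, password):
    """GET /api/now/table/sys_user_role as the given account (instance URL is a placeholder)."""
    query = urllib.parse.urlencode({
        "sysparm_fields": "name,sys_scope",
        "sysparm_display_value": "true",
        "sysparm_limit": "10000",
    })
    req = urllib.request.Request(f"{instance}/api/now/table/sys_user_role?{query}")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["result"]

def scope_of(row):
    """sys_scope is an object with display_value, or a plain string if links are excluded."""
    scope = row.get("sys_scope") or "(none)"
    return scope.get("display_value", "(none)") if isinstance(scope, dict) else scope

def hidden_by_scope(admin_rows, other_rows):
    """Roles the admin sees but the other account does not, grouped by application scope."""
    visible = {r["name"] for r in other_rows}
    hidden = defaultdict(list)
    for row in admin_rows:
        if row["name"] not in visible:
            hidden[scope_of(row)].append(row["name"])
    return {scope: sorted(names) for scope, names in sorted(hidden.items())}

# Constructed sample responses (the scoped role names are made up for this example).
ADMIN_ROWS = [
    {"name": "admin", "sys_scope": {"display_value": "Global", "link": "x"}},
    {"name": "itil", "sys_scope": {"display_value": "Global", "link": "x"}},
    {"name": "example_snippet_role", "sys_scope": {"display_value": "Templated Snippets", "link": "x"}},
    {"name": "example_ec_role", "sys_scope": "Employee Center Core"},
]
NON_ADMIN_ROWS = [
    {"name": "admin", "sys_scope": {"display_value": "Global", "link": "x"}},
    {"name": "itil", "sys_scope": {"display_value": "Global", "link": "x"}},
]

if __name__ == "__main__":
    for scope, names in hidden_by_scope(ADMIN_ROWS, NON_ADMIN_ROWS).items():
        print(f"{scope}: {', '.join(names)}")
```

Against a real instance, pass the output of `fetch_roles` for each account to `hidden_by_scope` in place of the constructed rows.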