
‎07-28-2023 12:32 PM - edited ‎07-28-2023 12:33 PM
Hello All,
I have a group called "ServiceNow Support" that contains the admin, security_admin and itil roles assigned to it. When I add users to it, including myself, we're not inheriting the roles; I have to add them directly to the user record. I'm currently on the Utah version but I think it's been happening before that.
‎07-29-2023 07:30 AM - edited ‎07-29-2023 10:10 AM
Hi,
I don't see a bug here. But check if the "Contextual Security: Role Management" and "Contextual Security: Role Management V2" plugins are activated. And see LearnUseThrive's comment on the security_admin role needing to be assigned by an admin user with that role.
If the two plugins are activated (these have been present OOB on new instances for some time), then a 'fix script' is needed to check the integrity of sys_user_has_role. And only ServiceNow Support can run that to repair the table. They can also run a 'check' first to get what needs changing, so the customer can review proposed changes before any are made by the fix script. I have seen this fix many role inheritance problems over time.
Also check for the system property 'glide.role_management.use.inh_count'; it should be present and set to 'true'.
‎07-28-2023 05:22 PM
Hi Edward,
I tried creating a group with those roles (couldn't select security_admin), and I added a user to that group, and that user got those roles plus more. I suspect some "corruption" in the 'sys_user_has_role' table. And to fix that a Support Case is needed. They have a tool to check the integrity of Role Inheritance and perform any needed repair.
‎07-28-2023 05:31 PM - edited ‎07-31-2023 07:24 AM
admin and security_admin can't be granted through group inheritance and have to be granted by an admin that has those roles. itil can, but if you're importing these users, check this: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0756472

‎07-30-2023 07:20 AM
Hello LearnUseThrive,
I believe the admin role can be granted through group inheritance.
‎07-30-2023 07:56 AM
Hi Edward,
My testing verified the 'admin' role can be granted through group inheritance. However, 'security_admin' can't. That role allows access to ACLs (for one) and that requires care.
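
An added example, not part of the thread or any poster's code: a customer-side audit that compares what group membership should grant against what sys_user_has_role actually records, so gaps can be reviewed before opening a Support case. It assumes rows exported from sys_user_grmember, sys_group_has_role and sys_user_has_role with the field names shown, uses constructed sample data, and ignores roles contained in other roles.

```javascript
// Constructed sample rows shaped like exports of sys_user_grmember,
// sys_group_has_role and sys_user_has_role. Field names are assumptions.
const members = [
  { user: 'edward', group: 'ServiceNow Support' },
  { user: 'bob', group: 'ServiceNow Support' },
];
const groupRoles = [
  { group: 'ServiceNow Support', role: 'admin', inherits: true },
  { group: 'ServiceNow Support', role: 'security_admin', inherits: true },
  { group: 'ServiceNow Support', role: 'itil', inherits: true },
];
const userRoles = [
  { user: 'edward', role: 'itil', inherited: true, granted_by: 'ServiceNow Support' },
  { user: 'edward', role: 'admin', inherited: false, granted_by: '' }, // added directly
];

// Role the thread reports as not grantable through group membership;
// it is skipped so it does not show up as a false gap.
const NOT_INHERITABLE = new Set(['security_admin']);

// For every (member, inheritable group role) pair, report when no
// sys_user_has_role row records the role as inherited from that group.
function auditGroupInheritance(members, groupRoles, userRoles) {
  const findings = [];
  for (const m of members) {
    for (const gr of groupRoles) {
      if (gr.group !== m.group || !gr.inherits) continue;
      if (NOT_INHERITABLE.has(gr.role)) continue;
      const rows = userRoles.filter(r => r.user === m.user && r.role === gr.role);
      const viaGroup = rows.some(r => r.inherited && r.granted_by === m.group);
      if (viaGroup) continue;
      // 'direct_only': the user holds the role, but only as a direct grant.
      // 'missing': the user has no row for the role at all.
      findings.push({ user: m.user, group: m.group, role: gr.role,
        status: rows.length ? 'direct_only' : 'missing' });
    }
  }
  return findings;
}

// Compact form for review: user:role:status
function summarize(findings) {
  return findings.map(f => `${f.user}:${f.role}:${f.status}`);
}

console.log(summarize(auditGroupInheritance(members, groupRoles, userRoles)));
```

A 'direct_only' finding matters for least privilege: the role will not be revoked when the user leaves the group.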