Lookout for Time-Limited User Roles - Washington D.C.

Uttkarsh S
Tera Contributor

‎04-01-2024 01:41 AM

Hello community,

 

Hope everyone is doing great!

 

As Service-now rolls out Washington DC release, the most talked about feature in this release is 'Time-Limited User Roles'.

 

How does it work?

Well, to put together in a single line, it is a feature that provides a user with a particular role for a limited amount of time which you define. To safeguard this feature so that it’s not utilized incorrectly this feature has a built-in option so that the role cannot be provided for more than 2 weeks.

Although, it’s very rare that someone will misuse this feature, it is a two-edged sword for ‘admin’ role. Why is that? Let’s dive in with an example.

 

Let’s say we have @Chuck, who came as a senior developer to conduct a maintenance over the weekend. In order to complete proper maintenance services, Chuck needs to have administrative privileges during the span of weekend, so he’s been granted admin role with time-limited user roles feature. Be mindful that this has to be only for the weekend.

Come weekend, Chuck starts to work on the maintenance where he got to know that he’s been assigned time-limited admin role. Here’s how:

 

UttkarshS_0-1711955800122.png

 

Now, Chuck being a naughty developer with a sharp mind wants to explore what it is and finds out about time-limited roles. He then goes to the module and opens the record which has his name on it and tries to extend the time period to more than just the weekend (let’s say for a month). He gets an invalid update error quoting time-limited role may not be active for more than 2 weeks.

 

UttkarshS_1-1711955800124.png

 

Chuck is intrigued now. He goes on to digging how it’s working and finds out the business rule stopping that update and changes the valid period from 2 weeks to 7 weeks. See comparison below:

 

UttkarshS_2-1711955800129.png

 

 

UttkarshS_3-1711955800137.png

 

 

After that he goes on to time-limited roles record and extends the time period for a month. Voila, the role which was provided for 2 days got extended for a month now.

 

UttkarshS_4-1711955800138.png

 

 

While many organizations having a proper practice in place, the chances of this happening is very thin but still it’s a feature to lookout for. The person having an admin role via time-limited user roles is like a dark knight in the kingdom. And since few of the roles in Service-now incur licensing, this might lead to paying extra if not monitored properly.

 

Please give a thumbs up and mark it helpful if you like this article.

Cheers,

Uttkarsh

  • 1,435 Views
7 REPLIES 7

Paresh Raniga2
Tera Contributor

‎05-09-2024 08:48 AM

Hello,

We have just upgraded to Washington DC release. When i access the Time-Limited Role form and click on create new, I click on the look up on "Role" and can only see three roles available, admin, impersonator and snc_read_only. How do i get the itil role to be selectable. Time limited role.PNG

 

indusk
Tera Contributor
In response to Paresh Raniga2

‎06-03-2024 05:07 PM

You can change glide.security.timelimited.roles.allowed_roles in sys_properties to include itil. This will allow ITIL to be selected. 

 

 

0 Helpfuls

Paresh Raniga2
Tera Contributor
In response to indusk

‎06-04-2024 12:23 AM

Thank you!

When I go into this property, its read only :(, how can i update it?, i have elevated my.

 

PareshRaniga2_0-1717485703173.png

 

 

0 Helpfuls

Uttkarsh S
Tera Contributor
In response to Paresh Raniga2

‎06-04-2024 01:05 AM

Hi @Paresh Raniga2,

 

The property has write role set as 'maint', which means any write functionality for this property is reserved for ServiceNow folks to edit. I would suggest to raise a HI ticket and ask them to add the role in the system property and they will do it.

 

Please mark my answer correct/helpful if it helps you solve your issue.

Cheers,
Uttkarsh