Lookout for Time-Limited User Roles - Washington D.C.

Uttkarsh S
Tera Contributor

Hello community,

Hope everyone is doing great!

As ServiceNow rolls out the Washington DC release, the most talked-about feature in this release is 'Time-Limited User Roles'.

How does it work?

Well, to put it in a single line, it is a feature that provides a user with a particular role for a limited amount of time which you define. To safeguard this feature so that it’s not utilized incorrectly, it has a built-in option so that the role cannot be provided for more than 2 weeks.

Although it’s very rare that someone will misuse this feature, it is a two-edged sword for the ‘admin’ role. Why is that? Let’s dive in with an example.

Let’s say we have @Chuck, who came in as a senior developer to conduct maintenance over the weekend. In order to complete proper maintenance services, Chuck needs to have administrative privileges during the span of the weekend, so he’s been granted the admin role with the time-limited user roles feature. Be mindful that this has to be only for the weekend.

Come the weekend, Chuck starts to work on the maintenance, where he learns that he’s been assigned a time-limited admin role. Here’s how:

Now Chuck, being a naughty developer with a sharp mind, wants to explore what it is and finds out about time-limited roles. He then goes to the module, opens the record which has his name on it, and tries to extend the time period to more than just the weekend (let’s say for a month). He gets an invalid update error stating that a time-limited role may not be active for more than 2 weeks.

Chuck is intrigued now. He goes on to dig into how it works, finds the business rule stopping that update, and changes the valid period from 2 weeks to 7 weeks. See comparison below:

After that he goes to the time-limited roles record and extends the time period to a month. Voila, the role which was provided for 2 days is now extended for a month.

While many organizations have proper practices in place and the chances of this happening are very thin, it’s still a feature to look out for. The person having an admin role via time-limited user roles is like a dark knight in the kingdom. And since a few of the roles in ServiceNow incur licensing, this might lead to paying extra if not monitored properly.

Please give a thumbs up and mark it helpful if you like this article.

Cheers,

Uttkarsh
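
An added example, not part of the original post and not ServiceNow code: a small audit over exported time-limited role grants that flags the two things the scenario above turns on, a window longer than the 2-week limit and an end date pushed out by the grantee. The record field names and the sample data are constructed for illustration.

```javascript
// Field names (user, role, start, originalEnd, end, updatedBy) are hypothetical,
// not ServiceNow column names; map them to whatever your export contains.
const MAX_DAYS = 14; // the 2-week limit described in the post
const DAY_MS = 24 * 60 * 60 * 1000;

function auditGrants(grants, maxDays = MAX_DAYS) {
  const findings = [];
  for (const g of grants) {
    const start = Date.parse(g.start);
    const end = Date.parse(g.end);
    const originalEnd = Date.parse(g.originalEnd);
    const reasons = [];
    // A grant window that is unparsable or inverted cannot be trusted at all.
    if (Number.isNaN(start) || Number.isNaN(end) || end <= start) {
      reasons.push("invalid-window");
    } else if ((end - start) / DAY_MS > maxDays) {
      reasons.push("exceeds-max-duration");
    }
    // Any extension is worth a look; one made by the grantee is the post's scenario.
    if (!Number.isNaN(originalEnd) && end > originalEnd) {
      reasons.push("end-date-extended");
      if (g.updatedBy === g.user) reasons.push("self-extended");
    }
    if (reasons.length > 0) {
      findings.push({ user: g.user, role: g.role, reasons });
    }
  }
  return findings;
}

// Constructed sample records (not real data).
const sampleGrants = [
  { user: "chuck", role: "admin", start: "2024-03-30T00:00:00Z",
    originalEnd: "2024-04-01T00:00:00Z", end: "2024-04-30T00:00:00Z", updatedBy: "chuck" },
  { user: "dana", role: "itil", start: "2024-03-30T00:00:00Z",
    originalEnd: "2024-04-05T00:00:00Z", end: "2024-04-05T00:00:00Z", updatedBy: "role.admin" },
  { user: "eli", role: "admin", start: "2024-04-01T00:00:00Z",
    originalEnd: "2024-04-03T00:00:00Z", end: "2024-04-08T00:00:00Z", updatedBy: "role.admin" },
];

console.log(JSON.stringify(auditGrants(sampleGrants), null, 2));
```

Because the limit in the scenario was changed by editing the business rule itself, the audit compares against a policy value held outside the instance rather than reading the limit back from it.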


indusk
Tera Contributor

Make sure you are in the right scope and have admin access. You will be able to edit it.

Please mark my answer correct/helpful if it helps you solve your issue.

Martin Reintgen
Tera Contributor

Hi,

We are on Washington, but I cannot find this system property in the list. Is there anything I have to do first to make this visible?

Washington Patch 9 removed both of the system properties that allow changing the maximum days and roles.

I have tried changing the business rule to allow more than 5 days (I can't create the system property as SN has blocked that) and still can't submit an end date past 5 days.

SN has very smartly prevented role submission for more than 5 days.