Configuring scoped application for virtual agent - restricting permissions to global scope

miriamberge
Tera Guru

My end goal is to have a scoped application where the group that has access to the scoped app will create their own virtual agent topics.  

I created the scoped app with a corresponding role. I created a new group and assigned the scoped role as well as the virtual_agent_admin role. In order for the user to be able to work in Studio, I have to grant them something under "Manage Developers" - so I've selected publish to app repository, as this makes sense for them to have in a non-production environment.

This seems to work fine provided they do not have access to Virtual Agent Designer through the standard interface - if they do, they are able to modify and create topics in the global scope and they can activate/inactivate and publish topics in other scopes. In terms of approach, are you removing access to the designer from the standard interface and only allowing these delegated developers access through Studio?

Thanks!

1 ACCEPTED SOLUTION

Community Alums

Unfortunately, 'Virtual Agent' design is not (yet) a 'delegated role' that can be assigned within one application only. That means you have to assign the virtual_agent_admin role, which grants them access to the global-scoped Virtual Agent conversations, as well as any scope they have access to (like your new scope, and some generic OOTB scopes). The long-term solution would be for ServiceNow to implement that as a special delegated developer role.

Instead of restricting technically, since these are delegated developers, I would probably emphasize training & governance. They will not be able to commit their code to other environments, due to lack of admin rights, so you could institute a code review and make sure they only provide update sets in the appropriate scope. If they do break your global-scoped OOTB items, you could force them to take training again, and/or revoke the access.

As a work-around customization, you could build a special role 'global_virtual_agent_admin' or something like that, and then modify the ACLs / add a business rule that blocks insert/update/delete of an object in the global scope by users that ONLY have 'virtual_agent_admin'. Not ideal, but may do the trick. 
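
A sketch of the business-rule workaround described in the answer above, added here as an example and not code from the thread or from ServiceNow. It assumes the topic records carry the standard `sys_scope` field and that the hypothetical `global_virtual_agent_admin` role has been created; it blocks any writer who lacks that role, which covers users holding only `virtual_agent_admin`. The mock objects are constructed so the logic can be exercised off-instance.

```javascript
var GLOBAL_VA_ROLE = 'global_virtual_agent_admin'; // hypothetical custom role
var GLOBAL_SCOPE = 'global'; // sys_id of the Global application scope

// Pure decision: may this user write a record that lives in recordScope?
// hasRole is a predicate (role name -> boolean) so it can be tested anywhere.
function decideWrite(hasRole, recordScope, operation) {
    // Fail closed: a record with no scope value is treated as global.
    var scope = recordScope || GLOBAL_SCOPE;
    if (scope !== GLOBAL_SCOPE) {
        return { allow: true, reason: 'record is not in the global scope' };
    }
    if (hasRole(GLOBAL_VA_ROLE)) {
        return { allow: true, reason: 'user holds ' + GLOBAL_VA_ROLE };
    }
    return {
        allow: false,
        reason: operation + ' on a global-scoped record requires ' + GLOBAL_VA_ROLE
    };
}

// Body for a "before" business rule (insert/update/delete) on the tables that
// store Virtual Agent topics: call guardGlobalScope(current, gs) from the rule.
// gs.hasRole() also returns true for admin users, so admins are not blocked.
function guardGlobalScope(current, gs) {
    var verdict = decideWrite(
        function (role) { return gs.hasRole(role); },
        current.getValue('sys_scope'),
        String(current.operation())
    );
    if (!verdict.allow) {
        gs.addErrorMessage(verdict.reason);
        current.setAbortAction(true); // cancels the database write
    }
    return verdict.allow;
}

// Constructed stand-ins for `current` and `gs`, only for running off-instance.
function mockRecord(scope, op) {
    return { aborted: false,
        getValue: function () { return scope; },
        operation: function () { return op; },
        setAbortAction: function (v) { this.aborted = v; } };
}
function mockGs(roles) {
    return { messages: [],
        hasRole: function (r) { return roles.indexOf(r) !== -1; },
        addErrorMessage: function (m) { this.messages.push(m); } };
}
```

A business rule only guards writes that go through GlideRecord on the tables it is attached to, so it complements the ACL changes the answer mentions rather than replacing them.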
