How to delegate topic editing/creation without giving too much access?

Shawn Gienow · ‎11-04-2022

We are looking to delegate topic editing and management to other (non-admin,) users. However, to do this it seems we need to give them the full VA admin role, which *also* gives them a huge amount of access to other areas of the platform.

Ex: With just this role, they can add fields to the incident table etc, edit flows and actions that have nothing to do with VA, etc.

Does anyone have a better way to delegate this access?

Chris D · ‎11-10-2022

Yes, you should be using scoped applications (and not giving access to Global scope).

If you(r company) has been using ServiceNow for awhile now, this will be a weird change - we're not a great exemplar of it ourselves - but you ideally shouldn't be creating topics (or arguably most things) in the Global scope.

By default ServiceNow gives us an ITSM Virtual Agent Conversations application scope which you can use. And if you want to restrict even further - for example, most ootb topics are in this scope - you can create your own scope and restrict your delegated development to that scope.

If you do this, there shouldn't be much of a concern about delegated developers having virtual_agent_admin or even flow_admin (if that's the name) because they won't be able to modify anything outside their scope.

View solution in original post

Muralidharan BS · ‎11-09-2022

Virtual Agent admin does give access to flow but not to add fields directly in Incident table, there might be other roles which the user might have to perform actions on sys_db_object.

flow_designer is one of the highest privilege role granted as part of virtual agent admin. There is no other specific OOB role to grant access for application, but you can create new role and ACL accordingly.

Chris D · ‎11-10-2022

Yes, you should be using scoped applications (and not giving access to Global scope).

If you(r company) has been using ServiceNow for awhile now, this will be a weird change - we're not a great exemplar of it ourselves - but you ideally shouldn't be creating topics (or arguably most things) in the Global scope.

By default ServiceNow gives us an ITSM Virtual Agent Conversations application scope which you can use. And if you want to restrict even further - for example, most ootb topics are in this scope - you can create your own scope and restrict your delegated development to that scope.

If you do this, there shouldn't be much of a concern about delegated developers having virtual_agent_admin or even flow_admin (if that's the name) because they won't be able to modify anything outside their scope.

Shawn Gienow · ‎11-10-2022

I opened a ticket, and sadly the answer is "Nope, please put in an enhancement request."

I didn't want to complicate it further, since these are help desk users, and not even "citizen developers," so to speak, but I'll look into dev delegation more, to see if I can lock it down that way (so far the answer is no.)