Elevated privilege roles

  • Release version: Yokohama
  • Updated January 30, 2025

    Elevated privilege roles require you to manually accept the responsibility of using the role before you can access the features of the role.

    By default, you do not have elevated privilege roles upon login. You must manually elevate to the privilege of the role. An elevated privilege role lasts only for the duration of your user session. Session timeout or logout removes the role.

    You can designate any role as an elevated privilege role, and then assign that role to one or more users. Do this when you want to restrict users from having access to the rights that the role provides immediately after login. You can designate the privilege role on the Role form. See Create a role for instructions.

    To use an elevated role, you must meet these conditions:
    • The elevated role must be assigned to you.
    • You must manually elevate to a specific elevated role to get its privileges, even if you are already elevated to a second elevated role that contains the first elevated role.

      For example, if elevated role A contains elevated role B, even if you elevate to role A, you must still elevate to role B to get its privileges.

    The admin role

    To grant the admin role to a user, the granting user must also have the admin role. For example, a user with only the user_admin role cannot grant the admin role to other users.
    • Non-admin users cannot add a user to a group that contains the admin role.
    • To grant the security_admin role to a user, the granting user must also have the admin role and must elevate to the security_admin role before granting the security_admin role to other users. A user with only the admin role cannot grant the security_admin role to other users.
    • A user without the security_admin role cannot add a user to a group that contains the security_admin role.
    Warning:
    The use of elevated privilege on an admin role is not supported. Instead, require admins to manually elevate; see Force administrators to manually elevate.
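
The elevation conditions and the grant rules above, modelled in plain JavaScript as an added example (not ServiceNow platform code and not part of the original page). The role names role_a and role_b, the sample grant events, and the assumption that a role contained by an assigned role counts as assigned are illustrative.

```javascript
// Added illustration in plain JavaScript, not ServiceNow platform code.
// role_a, role_b and all sample data below are constructed.
const ROLES = {
  role_a:         { elevated: true,  contains: ["role_b"] },
  role_b:         { elevated: true,  contains: [] },
  user_admin:     { elevated: false, contains: [] },
  admin:          { elevated: false, contains: [] },
  security_admin: { elevated: true,  contains: [] },
};

// Assumption: a role contained by an assigned role counts as assigned.
function assignedClosure(assigned, roles = ROLES) {
  const seen = new Set();
  const visit = (name) => {
    if (!roles[name] || seen.has(name)) return;
    seen.add(name);
    roles[name].contains.forEach(visit);
  };
  assigned.forEach(visit);
  return seen;
}

// Roles active in one session: an elevated privilege role is active only if
// it is assigned AND the user explicitly elevated to that exact role.
function activeRoles(assigned, elevatedThisSession, roles = ROLES) {
  return [...assignedClosure(assigned, roles)]
    .filter((r) => !roles[r].elevated || elevatedThisSession.includes(r))
    .sort();
}

// Grant rules from the page: admin needs an admin granter; security_admin
// needs an admin granter who has elevated to security_admin.
function mayGrant(granterActive, role) {
  if (role === "admin") return granterActive.includes("admin");
  if (role === "security_admin")
    return granterActive.includes("admin") && granterActive.includes("security_admin");
  return true; // other roles are outside this model
}

// Constructed grant events; the audit returns the granters who break a rule.
const SAMPLE_GRANTS = [
  { by: "alice", assigned: ["user_admin"], elevated: [], grants: "admin" },
  { by: "bob", assigned: ["admin", "security_admin"], elevated: [], grants: "security_admin" },
  { by: "carol", assigned: ["admin", "security_admin"], elevated: ["security_admin"], grants: "security_admin" },
];
function auditGrants(events) {
  return events
    .filter((e) => !mayGrant(activeRoles(e.assigned, e.elevated), e.grants))
    .map((e) => e.by);
}
console.log(auditGrants(SAMPLE_GRANTS));
```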

    The security_admin role

    In the base system, the security_admin role is the only role that has elevated privileges. This role is automatically assigned to the user who is the default System Administrator (admin) user. It provides access to ACLs and High Security Settings.

    Figure 1. Roles assigned to the System Administrator (admin) user
    Note:
    To see this role, you must actually elevate to the security_admin role first. If you are logged in as the System Administrator (admin) user only, you cannot see the security_admin record in the list of roles.