Application administration
Summarize
Summarized using AI
This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.
Summary of Application administration
Application administration in ServiceNow Yokohama release enables you to protect sensitive application data by restricting how users acquire application-specific roles. This prevents unauthorized access to sensitive data such as financial records or personally identifiable information by controlling role assignments within scoped applications.
Show less
By using application administration, you can also prevent users—even those with system-level admin roles—from bypassing access controls, impersonating users with protected roles, or overriding security restrictions in the application.
Key Features
- Role Configuration: Any role can be designated as an application-specific administrator role by selecting the Application Administrator checkbox in Role Configuration.
- Standard Role Conventions: Use roles with clear suffixes like
myapplication.adminfor admins andmyapplication.developerfor developers to manage access appropriately within each application. - Application-Specific Admin Role: Allows users to manage role assignments and modify application-specific settings without granting broader system-level admin rights.
- Enabling Application Administration: Enable this feature after application development but before adding records to ensure sensitive data is protected from unauthorized access.
- Minimum Admin Count: The property
[scopedappname].minadmincountcan enforce having multiple users with the application-specific admin role to reduce risks of admin lockout. - Deployment Process: Requires system-level admin role on both development and production instances, with application-specific admin roles assigned on production to control access post-installation.
Key Outcomes
- Enhanced Security: Sensitive application data is protected by restricting role assignments to authorized users only.
- Controlled Role Assignment: Application-specific admin users can assign roles within an application without needing full system admin privileges, improving security and delegation.
- Reduced Risk of Lockout: Assigning multiple application-specific admins ensures continuity in managing application access even if some admins leave.
- Clear Separation of Duties: Developers and admins have distinct roles and permissions, enabling secure and efficient application development and management.
- Streamlined Deployment: Application administration roles and access controls are maintained consistently across development and production environments.
Practical Guidance for ServiceNow Customers
- Enable application administration only after completing application development but before adding data to protect sensitive information.
- Assign application-specific admin roles to multiple trusted users, avoiding sole reliance on system-level admins for application management.
- Use clear naming conventions for roles to simplify administration and auditing.
- Follow the prescribed deployment steps to ensure that application-specific roles and restrictions are properly enforced in production.
- Leverage ServiceNow's training resources on Securing Applications to deepen understanding and ensure best practices.
Protect sensitive application data by using application administration to restrict how users acquire application-specific roles.
Functions of application administration
Use application administration to:
- Help prevent unauthorized users from accessing sensitive data via forms, lists and UI, such as financial records or personally identifiable information.
- Determine who can assign scope-protected roles such as the administrator and designated developers for the application.
- Help prevent users with the system-level admin role from:
- Assigning themselves a protected application role.
- Assigning themselves to a group containing a protected application role.
- Bypassing existing access controls to a protected application by creating access controls.
- Impersonating a user who has a protected application administration role, unless the developer or administrator also has that role.
- Inheriting a protected application role.
- Overriding existing access controls to a protected application.
Roles in application administration
You can make any role an application-specific administrator by selecting the
Application Administrator check box in Role Configuration. To learn
more, see Restrict access to an application. By convention, create
the following roles:
| Role name | Description |
|---|---|
| Application-specific admin | Users with this role can assign other users to an application-specific role for that application. For example, you can create a role named my_application.admin. It should include the name of the restricted application, with a suffix of "admin" to indicate that it is the admin role for the application. |
| Application-specific developer | Users with this role can access the restricted application. For example, you can
create a role named my_application.developer. It should include the name of the restricted
application, with a suffix of "developer" to indicate that it is the developer role for the
application. The developer role needs both application administrator and delegated
development permissions to modify the application files. To learn more, see Delegated development and deployment and Delegate development and deployment permissions to personnel. |
Application-specific admin role
The application-specific admin role enables a user to access a specific application, but does
not grant the user any other admin rights. Assign the system-level admin role to a user before
that user can do these tasks:
- Configure form and list layouts.
- Change application tables and fields.
- Assign the application-specific admin role to new users.
If you do not want a user with the application-specific admin role to have the system-level
admin role:
- Do not assign the system-level admin role to the user. Assign only the application-specific admin role.
- Have the user assign themselves the application-specific developer role.
As an application-specific developer, the user can perform a subset of administrative tasks without having the system-level admin role.
Note:
Assign the application-specific admin role to more than one user. Then if a user with the
application-specific admin role leaves the company, you are not prevented from changing the
application.
Enabling application administration and assigning application-specific roles
You can enable application administration for an application from the application record and
restrict the assignment of application-specific roles from the user role record.
Note:
Enable
application administration and assign application-specific roles after completing development
of the application, but before adding application records. This practice protects sensitive
data in the application records from access by unauthorized users.
The target instance must have at least one authorized user with the application-specific admin
role.
- If you enable application administration for an application but do not assign the application-specific roles, no user can access the application.
- If you assign only one application-specific role, you cannot delete that role.
A warning appears if you enable application administration for an application, but no users have the application-specific admin role required to assign roles for the application. The warning reminds you to assign the application-specific roles for administrators and developers of the application.
Set the [scoped_app_name].min_admin_count property to require that more
than one user must have the application-specific admin role. Assigning the application-specific
admin role to multiple users reduces the risk of getting locked out of the scoped application.
The [scoped_app_name].min_admin_count property has the following
limitations:
- If you specify an invalid value for the property, the default requirement for assigning at least one application-specific admin is enforced.
- If you specify a valid value for the property, you can't delete any application-specific admins unless you exceed the specified value. For example, if you specify a value of two and you have three application-specific admins, you can delete only one of those roles.
- You can specify a value higher than the actual number of assigned application-specific admins. However, you can't delete any application-specific admins until you exceed the specified value. For example, if you specify a value of six, but have only three application-specific admins, you can't delete any of those roles.
For procedures, see Restrict access to an application.
Deploying applications with application administration
You must have the system-level admin role in both your developer and production instances to deploy an application protected by application administration. The process is outlined in the following steps.
- Develop the application on a development instance.
- Create the application-specific admin role.
- Grant the application-specific admin role to all system-level admin users.
- Update the application record to enable application administration and restrict access to the application.
- Publish the application to the application repository.
- From a production instance, install the application from the application repository.
- As a system-level admin on the production instance, grant the application-specific admin role to the appropriate users.
- Remove the application-specific admin role from all users with the system-level admin role.
For procedures to enable application administration and restrict the assignment of application-specific roles, see Restrict access to an application.
Training
The ServiceNow® Developer Site has training for Securing Applications.