As system administrator, you may find that your instance requires administration within various applications. The key is to delegate these tasks to other users. For example, Tom manages the Service Catalog, and Jane manages Reports; why not give each of them the privileges to take care of administrative tasks within these functions themselves? You pop into the user records for Tom and Jane, assign them both the admin role, and you're good to go, right? Not so fast. In this second installment of our best practices series, we look at why you should limit the number of users with this role.

See Annotate scripts and customizations with comments for the first installment on script comments.

Why should you limit the number of users with the admin role?

Users with the admin role have special privileges that automatically bypass most access control list (ACL) rules. This means that Tom and Jane could unknowingly wreak havoc just about anywhere in your instance.

Sure, it may make sense in development environments to grant the admin role extensively. But in production, a better approach is to grant administrative users one or more special administrative roles that are specific to the functions they perform. For example, the catalog_admin role grants privileges needed to manage the Service Catalog application, the report_admin role allows users to manage reports, and so forth.

How do you figure out which role to grant?

You could navigate to User Administration > Roles and filter the list to display all roles related to the function. In the example below, we've filtered the list to display all catalog related roles. Or, if you can't find a role you need, you can always create your own role.

Admin role best practice

Limit the number of users with the admin role. Instead, assign special administrative roles. Limiting the number of users with the admin role is consistent with the principle of least privilege and helps ensure separation of duties.

--

Behind the scenes here at ServiceNow, the Knowledge Management team works closely with subject matter experts to disseminate critical information to our customers. We've found that certain topics come up frequently, in the form of best practices that can help you keep your ServiceNow instances running smoothly. This series aims to target those topics so that you and your organization can benefit from our collective expertise.

To access all of the blog posts in this series, search for "nowsupport best practices series."