Administrator lockdown

To protect investigations and keep security incidents private, you can restrict Security Incident Response access to security-specific roles and ACLs. Non-security administrators can be restricted from access, unless you expressly allow them entry.

When the Security Incident Response application is activated, the System Administrator user is granted the sn_si.admin role by default. The System Administrator is the only administrator who can set up security groups and users. After system configuration has been completed, and security roles have been assigned to users, a user with the sn_si.admin role can revoke the System Adminitrator's access to Security Incident Response.

A security role is required to have access to Security Incident Response features and records.

Note: IT System Administrators [admin] can impersonate ServiceNow users. However, when impersonating a user with an application admin role for Security Incident Response, an admin is not able to access features granted by that role, including security incidents and profile information. Access to modules and applications in the navigation bar is also restricted. Also, admin cannot change the password of any user with an application admin role for Security Incident Response.