Read-only role The read-only role (snc_read_only) restricts a user or a group of users to read-only access on the tables to which the user already has access. This role is not intended to be the only role a user has. It is intended to be an extra role to restrict insert, update, and delete operations on the tables that the user can access as defined by the other roles. After you assign this role to a user, they can no longer can create, update, or delete records on ANY tables. Note: Assign this role only to users. Do not assign this role to other resources in the system, including applications, ACLs, and so on. The snc_read_only role can be assigned to any user as a simple way to limit access to data without having to create ACLs for system and custom tables and fields. This practice is useful for performing internal or external audits without allowing a user to have insert or update access to data. Users with the snc_read_only role have the following restrictions regardless of other roles and privileges they have. Cannot insert, update, or delete records from the UI or when using the GlideRecord API. Cannot activate or upgrade plugins. Cannot directly run SQL. Cannot upload XML files. Can only run background scripts when on an instance in the public sandbox environment. Note: These role restrictions are in place even if impersonating another user with write access such as an admin. Activate the read-only role If it is not already active, an administrator can activate the Read-Only User Role (com.snc.read_only.role) plugin . Before you beginRole required: admin About this task For evaluation, you can activate the plugin for an application that requires a purchased subscription on a sub-production instance. To activate the plugin on production instances, you must purchase the subscription. To purchase a subscription, contact your ServiceNow account manager. For details on purchasing a plugin, see Purchase a plugin.Some plugins require activation by ServiceNow personnel. Request these plugins through the HI Customer Service System instead of activating them yourself. For details, see Request a plugin.For plugins that you can activate yourself, continue with the following steps. Procedure Navigate to System Definition > Plugins. Find and click the plugin name. On the System Plugin form, review the plugin details and then click the Activate/Upgrade related link. If the plugin depends on other plugins, these plugins are listed along with their activation status. If the plugin has optional features that are not functional because other plugins are inactive, those plugins are listed. A warning states that some files are not installed. If you want the optional features to be installed, cancel this activation, activate the necessary plugins, and then return to activating the plugin. (Optional) If available, select the Load demo data check box. Some plugins include demo data—sample records that are designed to illustrate plugin features for common use cases. Loading demo data is a good policy when you first activate the plugin on a development or test instance. You can also load demo data after the plugin is activated by clicking the Load Demo Data Only related link on the System Plugin form. Click Activate. Read-only role properties These system properties control the snc_read_only role. The following default values are used for the properties. Table 1. Read-only role properties Name Description glide.security.snc_read_only_role.tables.exempt_create Specifies which tables are exempt from the read-only role enforcement and allow the creation of new records. Type: string Default value: sys_user_session, sysevent, syslog, syslog_transaction, sys_user_preference, sys_ui_list, sys_ui_list_element, sys_db_cache, user_multifactor_auth Location: System Properties [sys_properties] table glide.security.snc_read_only_role.tables.exempt_write Specifies which tables are exempt from the read-only role enforcement and allow the updating of existing records. Type: string Default value: sys_user_session, sysevent, syslog, syslog_transaction, sys_user_preference, sys_ui_list, sys_ui_list_element, sys_db_cache, user_multifactor_auth Location: System Properties [sys_properties] table glide.security.snc_read_only_role.tables.exempt_delete Specifies which tables are exempt from the read-only role enforcement and allow the deletion of existing records. Type: string Default value: sys_user_preference, sys_ui_list, sys_ui_list_element, sys_db_cache, user_multifactor_auth Location: System Properties [sys_properties] table Log on with the read-only role Users logging in to a production instance should log in using the snc_read_only role to prevent unwanted modifications to the instance data. Click To log on with different role(s), click here. Enter read_only, maint. Click Refresh. Click read_only,maint to log in.