Lock down security administration (optional)

To protect investigations and keep security incidents private, you can restrict Security Incident Response access to security-specific roles and ACLs. Non-security administrators can be restricted from access, unless you expressly allow them entry.

Before you begin

When the Security Incident Response application is activated, the System Administrator user is granted the sn_si.admin role by default. The System Administrator is the only administrator who can set up security groups and users.

A security role is required to have access to Security Incident Response features and records.

Role required: sn_si.admin


  1. Log out the current user.
  2. Log in as the System Administrator.
    You have access to Security Incident Response navigation menus.
  3. After system configuration has been completed, and security roles have been assigned to users, a user with the sn_si.admin role can revoke System Administrator access to Security Incident Response.
    Note: IT System Administrators [admin] can impersonate ServiceNow users. However, when impersonating a user with an application admin role for Security Incident Response, an admin is not able to access features granted by that role, including security incidents and profile information. Access to modules and applications in the navigation bar is also restricted. Also, admin cannot change the password of any user with an application admin role for Security Incident Response.