Read-only role

The read-only role (snc_read_only) restricts a user or a group of users to read-only access on the tables to which the user already has access.

This role is not intended to be the only role a user has. It is intended to be an extra role to restrict insert, update, and delete operations on the tables that the user can access as defined by the other roles.

After you assign this role to a user, they can no longer create, update, or delete records on ANY table.

Note: Assign this role only to users. Do not assign this role to other resources in the system, including applications, ACLs, and so on.

The snc_read_only role can be assigned to any user as a simple way to limit access to data without having to create ACLs for system and custom tables and fields. This practice is useful for performing internal or external audits without allowing a user to have insert or update access to data.

Users with the snc_read_only role have the following restrictions regardless of other roles and privileges they have.
  • Cannot insert, update, or delete records from the UI or when using the GlideRecord API.
  • Cannot activate or upgrade plugins.
  • Cannot directly run SQL.
  • Cannot upload XML files.
  • Can only run background scripts when on an instance in the public sandbox environment.
Note: These role restrictions are in place even if impersonating another user with write access such as an admin.

Activate the read-only role

If it is not already active, an administrator can activate the Read-Only User Role (com.snc.read_only.role) plugin.

Before you begin

Role required: admin

About this task

For evaluation, you can activate the plugin for an application that requires a purchased subscription on a sub-production instance. To activate the plugin on production instances, you must purchase the subscription. To purchase a subscription, contact your ServiceNow account manager. For details on purchasing a plugin, see Purchase a plugin.

Some plugins require activation by ServiceNow personnel. Request these plugins through the HI Customer Service System instead of activating them yourself. For details, see Request a plugin.

For plugins that you can activate yourself, continue with the following steps.

Procedure

  1. Navigate to System Definition > Plugins.
  2. Find and click the plugin name.
  3. On the System Plugin form, review the plugin details and then click the Activate/Upgrade related link.

    If the plugin depends on other plugins, these plugins are listed along with their activation status.

    If the plugin has optional features that depend on other plugins, those plugins are listed under Some files will not be loaded because these plugins are inactive. The optional features are not installed until the listed plugins are installed (before or after the installation of the current plugin).

  4. (Optional) If available, select the Load demo data check box.

    Some plugins include demo data: sample records that are designed to illustrate plugin features for common use cases. Loading demo data is a good practice when you first activate the plugin on a development or test instance.

    You can also load demo data after the plugin is activated by clicking the Load Demo Data Only related link on the System Plugin form.

  5. Click Activate.

Read-only role properties

These system properties control the snc_read_only role. Add these properties to the sys_properties table.

Table 1. Read-only role properties

glide.security.snc_read_only_role.tables.exempt_create
  Specifies which tables are exempt from the read-only role enforcement and allow the creation of new records.
  • Type: string
  • Default value: sys_user_session, sysevent, syslog, syslog_transaction, sys_user_preference, sys_ui_list, sys_ui_list_element, sys_db_cache
  • Location: System Properties [sys_properties] table

glide.security.snc_read_only_role.tables.exempt_write
  Specifies which tables are exempt from the read-only role enforcement and allow the updating of existing records.
  • Type: string
  • Default value: sys_user_session, sysevent, syslog, syslog_transaction, sys_user_preference, sys_ui_list, sys_ui_list_element, sys_db_cache
  • Location: System Properties [sys_properties] table

glide.security.snc_read_only_role.tables.exempt_delete
  Specifies which tables are exempt from the read-only role enforcement and allow the deletion of existing records.
  • Type: string
  • Default value: sys_user_preference, sys_ui_list, sys_ui_list_element, sys_db_cache
  • Location: System Properties [sys_properties] table
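The following is an added example, not ServiceNow's own code: it models how the three exempt_* properties decide which write operations a snc_read_only user can still perform, and flags any table that a configured list exempts beyond the documented defaults (a useful audit check, since widening these lists quietly weakens the role). It assumes the semantics stated above (comma-separated table names; a property not added to sys_properties behaves as its default); the function names and the sample sys_properties values are constructed.

```javascript
// Added example, not ServiceNow code: models the exemption semantics of the three
// glide.security.snc_read_only_role.tables.exempt_* properties documented above.
// Assumptions: each property is a comma-separated list of table names, and a property
// absent from sys_properties behaves as its documented default value.
const PREFIX = 'glide.security.snc_read_only_role.tables.';
const SHARED_DEFAULT = 'sys_user_session, sysevent, syslog, syslog_transaction, ' +
  'sys_user_preference, sys_ui_list, sys_ui_list_element, sys_db_cache';
const DEFAULTS = {
  [PREFIX + 'exempt_create']: SHARED_DEFAULT,
  [PREFIX + 'exempt_write']: SHARED_DEFAULT,
  [PREFIX + 'exempt_delete']: 'sys_user_preference, sys_ui_list, sys_ui_list_element, sys_db_cache',
};
// Write operation a read-only user attempts -> property whose list can exempt the table.
const OP_PROPERTY = {
  create: PREFIX + 'exempt_create',
  update: PREFIX + 'exempt_write',
  delete: PREFIX + 'exempt_delete',
};
function parseTableList(value) {
  return new Set(String(value || '').split(',').map(s => s.trim()).filter(Boolean));
}
// Effective exempt set for an operation; falls back to the default when the property is unset.
function exemptTables(props, op) {
  const name = OP_PROPERTY[op];
  const raw = Object.prototype.hasOwnProperty.call(props, name) ? props[name] : DEFAULTS[name];
  return parseTableList(raw);
}

// Would a user holding snc_read_only still be allowed to perform `op` on `table`?
function readOnlyAllows(props, op, table) {
  if (op === 'read') return true; // the role removes write operations, never reads
  if (!OP_PROPERTY[op]) throw new Error('unknown operation: ' + op);
  return exemptTables(props, op).has(table);
}

// Audit check: tables exempted beyond the documented defaults, i.e. where the
// read-only guarantee has been widened (for example, onto a business table).
function exemptionsBeyondDefaults(props) {
  const drift = {};
  for (const op of Object.keys(OP_PROPERTY)) {
    const defaults = parseTableList(DEFAULTS[OP_PROPERTY[op]]);
    const extra = [...exemptTables(props, op)].filter(t => !defaults.has(t));
    if (extra.length) drift[op] = extra;
  }
  return drift;
}

// Constructed sys_properties snapshot: exempt_write widened to include incident; the other two not added.
const SAMPLE_PROPS = { [PREFIX + 'exempt_write']: SHARED_DEFAULT + ', incident' };
```

Running `exemptionsBeyondDefaults(SAMPLE_PROPS)` reports `{ update: ['incident'] }`, the kind of finding an audit of a production instance would want surfaced.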

Log on with the read-only role

Users logging in to a production instance should log in using the snc_read_only role to prevent unwanted modifications to the instance data.

  1. Click the "To log on with different role(s), click here" link.
  2. Enter read_only, maint.
  3. Click Refresh.
  4. Click read_only,maint to log in.