Thank you for your feedback.
Form temporarily unavailable. Please try again or contact docfeedback@servicenow.com to submit your comments.
Versions
  • Madrid
  • London
  • Kingston
  • Jakarta
  • Istanbul
  • Helsinki
  • Geneva
  • Store
Close

Application administration

Log in to subscribe to topics and get notified when content changes.

Application administration

Protect sensitive application data by using application administration to restrict how users acquire application-specific roles.

Functions of application administration

Use application administration to:
  • Prevent unauthorized users from accessing sensitive data such as financial records or personally identifiable information.
  • Restrict who can assign application-specific roles such as the administrator and designated developers for the application.
  • Prevent users with the system-level admin role from:
    • Assigning themselves a protected application role.
    • Assigning themselves to a group containing a protected application role.
    • Bypassing existing access controls to a protected application by creating new access controls.
    • Changing the password of users who have a protected application role.
    • Impersonating a user who has a protected application role, unless the developer or administrator also has that role.
    • Inheriting a protected application role.
    • Overriding existing access controls to a protected application.
    • Running scripts that access protected application records.

Roles in application administration

There are two roles in application administration:
  • The application-specific admin role

    Users with this role can assign other users to an application-specific role for that application. For example, you can create a role named my_application.admin that includes the name of the restricted application with the suffix "admin" to indicate that it is the admin role for the application.

  • The application-specific developer role

    Users with this role can access the restricted application. For example, you can create a role named my_application.developer that includes the name of the restricted application with the suffix "developer" to indicate that it is the developer role for the application.

Application-specific admin role

The application-specific admin role enables a user to access a specific application, but does not grant the user any other admin rights. You must assign the system-level admin role to a user before that user can do these tasks:
  • Configure form and list layouts.
  • Make changes to application tables and fields.
  • Assign the application-specific admin role to new users.
If you do not want a user with the application-specific admin role to have the system-level admin role:
  • Do not assign the system-level admin role to the user. Assign only the application-specific admin role.
  • Have the user assign themselves the application-specific developer role.

As an application-specific developer, the user can perform a subset of administrative tasks without having the system-level admin role.

Note: Assign the application-specific admin role to more than one user. Then if a user with the application-specific admin role leaves the company, you are not prevented from making changes to the application.

Enabling application administration and assigning application-specific roles

You can enable application administration for an application from the application record and restrict the assignment of application-specific roles from the user role record.
Note: Enable application administration and assign application-specific roles after completing development of the application, but before adding application records. This practice protects sensitive data in the application records from access by unauthorized users.

The target instance must have at least one authorized user with the application-specific admin role. If you enable application administration for an application but do not assign the application-specific roles, no user can access the application.

The system displays a warning if you enable application administration for an application, but no users have the application-specific admin role required to assign roles for the application. The warning reminds you to assign the application-specific roles for administrators and developers of the application.

For procedures, see Restrict access to an application

Deploying applications with application administration

You must have the system-level admin role in both your developer and production instances to deploy an application protected by application administration. The process is outlined below.
  1. Develop the application on a development instance.
  2. Create the application-specific admin role.
  3. Grant the application-specific admin role to all system-level admin users.
  4. Update the application record to enable application administration and restrict access to the application.
  5. Publish the application to the application repository.
  6. From a production instance, install the application from the application repository.
  7. As a system-level admin on the production instance, grant the application-specific admin role to the appropriate users.
  8. Remove the application-specific admin role from all users with the system-level admin role.

For procedures to enable application administration and restrict the assignment of application-specific roles, see Restrict access to an application

Training

The Developer Portal has training for Securing Applications.

Feedback