Thank you for your feedback.
Form temporarily unavailable. Please try again or contact docfeedback@servicenow.com to submit your comments.

Restrict access to an application

Log in to subscribe to topics and get notified when content changes.

Restrict access to an application

Restrict management of an application and access to that application to prevent unauthorized users from assigning administrative rights to the application or accessing sensitive information in the application records.

Before you begin

  • Records required:
    • Role record to designate a role as the application-specific admin role
    • User record to assign an application-specific admin role to a user
    • Application record to enable application administration for a specific application
  • Role required: admin

If an application-specific admin role does not already exist, create it before beginning this procedure. For example, you can create a role named my_application.admin that includes the name of the restricted application with the suffix "admin" to indicate that it is the admin role for the application.

Procedure

  1. Navigate to System Security > Users and Groups > Roles or User Administration > Roles.
  2. Open the role record for the application-specific admin role.
  3. Configure the form to add the Application Administrator field.
    Note: The Application Administrator check box replaces the Assignable by field. By default, when you upgrade from a Jakarta or earlier release to a Kingston or later release, any role that was in the Assignable by field is defined as the application-specific admin role, and the Application Administrator check box is selected.
  4. In the role record, select the Application Administrator check box, and then click Update.
  5. Navigate to System Security > Users and Groups > Users.
  6. Open the user record for the admin user.
  7. On the Roles tab, add the application-specific role.
    Only users with the application-specific admin role can enable application administration for an application.
    Note: Assign the application-specific admin role to more than one user. Then if a user with the application-specific admin role leaves the company, you are not prevented from making changes to the application.
  8. Click Update.
  9. Log out and then log in with the application-specific admin role.
  10. Navigate to System Applications > Applications.
  11. Select the application for which you want to enable application administration.
  12. In the application record, select Application administration.
  13. Click Update.
    The system validates that the following requirements have been met:
    • The application has an application-specific admin role (there is at least one role with Application Administrator selected).
    • The current user has the application-specific admin role.
    If the validation passes, the system updates the application record. Otherwise, the system displays this error message and does not update the application record:
    Application Administration uses the 'Application Administrator' role to define what users are application administrators. None of the roles defined by this application have 'Application Administrator' enabled.
  14. (Optional) From the Related Links, you can optionally select one of the following options:
    Related Link Description
    Manage Developers Modal that enables the application-specific admin to manage these tasks:
    • Designate developers for the application.
    • Make themselves a delegated developer. After the application-specific admin becomes a delegated developer, the application-specific admin can perform a subset of administration tasks without having the system-level admin role.

    Learn more: Delegated development and deployment

    Grant application administration to all admins Modal that creates a Contained Role [sys_user_role_contains] record for the system-level admin role. This adds the application-specific admin role as a contained role of the system-level admin role.
    Note: When you publish the application with this record, users with the application-specific admin role can access the application after installing it.
Feedback