
Read-only role


The read-only role (snc_read_only) restricts a user or a group of users to read-only access on the tables to which the user already has access.

This role is not intended to be the only role a user has. It is intended to be an extra role to restrict insert, update, and delete operations on the tables that the user can access as defined by the other roles.

After you assign this role to a user, they can no longer create, update, or delete records on ANY tables.

Note: Assign this role only to users. Do not assign this role to other resources in the system, including applications, ACLs, and so on.

The snc_read_only role can be assigned to any user as a simple way to limit access to data without having to create ACLs for system and custom tables and fields. This practice is useful for performing internal or external audits without allowing a user to have insert or update access to data.

Users with the snc_read_only role have the following restrictions regardless of other roles and privileges they have.
  • Cannot insert, update, or delete records from the UI or when using the GlideRecord API.
  • Cannot activate or upgrade plugins.
  • Cannot directly run SQL.
  • Cannot upload XML files.
  • Can only run background scripts when on an instance in the public sandbox environment.
Note: These role restrictions are in place even if impersonating another user with write access such as an admin.

Activate the read-only role

If it is not already active, an administrator can activate the Read-Only User Role (com.snc.read_only.role) plugin.

Before you begin

Role required: admin

Procedure

  1. Navigate to System Definition > Plugins.

    A banner appears to notify you that you are in the All Applications page, which contains plugins and ServiceNow Store applications.

    Note: To redirect to the legacy list view for plugins, click the link.
  2. Find the plugin with the filter criteria and search bar.

    You can search for the plugin by its name or ID.

    If you cannot find a plugin, you may have to request it from ServiceNow personnel. To request a plugin, follow the steps in Request a plugin.
  3. Activate the plugin.

    You can activate the plugin directly from the All Applications page or view more details about the plugin before activating it.

    • If you are certain that you have the correct plugin, click Install, and then click Activate in the dialog box that appears.
    • To view plugin details before activation:
      1. Click the plugin name.
      2. On the form, click the Activate/Update related link.
      3. On the dialog box that appears, review the dependent plugins.

        Dependent plugins must be activated to activate the plugin. If a dependent plugin is not already activated, it is activated when you activate the plugin.

      4. If demo data is available and you want to install it, click Load demo data.

        Some plugins include demo data, which are sample records that illustrate plugin features for common use cases. Load demo data when you first activate the plugin on a development or test instance. You can always load demo data later by clicking Load demo data only on the plugin form.

      5. Click Activate.

Read-only role properties

These system properties control the snc_read_only role. The following default values are used for the properties.

Table 1. Read-only role properties

Name: glide.security.snc_read_only_role.tables.exempt_create
Description: Specifies which tables are exempt from the read-only role enforcement and allow the creation of new records.
  • Type: string
  • Default value: sys_user_session, sysevent, syslog, syslog_transaction, sys_user_preference, sys_ui_list, sys_ui_list_element, sys_db_cache, user_multifactor_auth
  • Location: System Properties [sys_properties] table

Name: glide.security.snc_read_only_role.tables.exempt_write
Description: Specifies which tables are exempt from the read-only role enforcement and allow the updating of existing records.
  • Type: string
  • Default value: sys_user_session, sysevent, syslog, syslog_transaction, sys_user_preference, sys_ui_list, sys_ui_list_element, sys_db_cache, user_multifactor_auth
  • Location: System Properties [sys_properties] table

Name: glide.security.snc_read_only_role.tables.exempt_delete
Description: Specifies which tables are exempt from the read-only role enforcement and allow the deletion of existing records.
  • Type: string
  • Default value: sys_user_preference, sys_ui_list, sys_ui_list_element, sys_db_cache, user_multifactor_auth
  • Location: System Properties [sys_properties] table

After you configure these properties, assign the read-only role as needed. When users log in, they are restricted from creating, updating, or deleting records on ANY tables unless you modified these properties.

Note: Test the read-only role by assigning it to a user and then impersonating that user.
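
The following is an added example, not ServiceNow code: a drift check that compares the three exemption properties against the defaults listed above and reports every table that was added to or removed from an exemption list. The names auditExemptions and parseTables are hypothetical, and the sample values are constructed; on an instance the current values would come from the System Properties [sys_properties] table.

```javascript
// Defaults as documented on this page for the three exemption properties.
const PREFIX = 'glide.security.snc_read_only_role.tables.';
const BASE = ['sys_user_preference', 'sys_ui_list', 'sys_ui_list_element',
              'sys_db_cache', 'user_multifactor_auth'];
const LOGS = ['sys_user_session', 'sysevent', 'syslog', 'syslog_transaction'];
const DEFAULTS = {
  exempt_create: [...LOGS, ...BASE],
  exempt_write:  [...LOGS, ...BASE],
  exempt_delete: [...BASE],   // log and session tables are not delete-exempt
};

// Split a comma-separated property value into a set of table names.
function parseTables(value) {
  return new Set(String(value || '').split(',')
    .map(t => t.trim()).filter(Boolean));
}

// Compare current property values with the documented defaults.
// `current` maps full property names to their string values.
// Assumption of this example: a property missing from `current`
// is treated as unchanged and is skipped.
function auditExemptions(current) {
  const findings = [];
  for (const [suffix, defaults] of Object.entries(DEFAULTS)) {
    const name = PREFIX + suffix;
    if (!(name in current)) continue;
    const now = parseTables(current[name]);
    const base = new Set(defaults);
    // Added tables widen what a read-only user can modify.
    const added = [...now].filter(t => !base.has(t)).sort();
    const removed = defaults.filter(t => !now.has(t)).sort();
    if (added.length || removed.length) {
      findings.push({ property: name, added, removed });
    }
  }
  return findings;
}

// Constructed sample: "incident" was added to the write exemptions.
const sample = {
  [PREFIX + 'exempt_write']: 'sys_user_session, sysevent, syslog, ' +
    'syslog_transaction, sys_user_preference, sys_ui_list, ' +
    'sys_ui_list_element, sys_db_cache, user_multifactor_auth, incident',
  [PREFIX + 'exempt_delete']: 'sys_user_preference, sys_ui_list, ' +
    'sys_ui_list_element, sys_db_cache, user_multifactor_auth',
};
console.log(JSON.stringify(auditExemptions(sample), null, 2));
```

Any table reported under added is one on which users with snc_read_only can still perform that operation, so each such entry should be traceable to an approved change.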