Product documentation Docs
    • English
    • Deutsch
    • 日本語
    • 한국어
    • Français
  • More Sites
    • Now Community
    • Developer Site
    • Knowledge Base
    • Product Information
    • ServiceNow.com
    • Training
    • Customer Success Center
    • ServiceNow Support Videos
  • Log in

Product documentation

  • Home
How search works:
  • Punctuation and capital letters are ignored
  • Special characters like underscores (_) are removed
  • Known synonyms are applied
  • The most relevant topics (based on weighting and matching to search terms) are listed first in search results
Topics are ranked in search results by how closely they match your search terms
  • A match on the entire phrase you typed
  • A match on part of the phrase you typed
  • A match on ALL of the terms in the phrase you typed
  • A match on ANY of the terms in the phrase you typed

Note: Matches in titles are always highly ranked.

  • Release version
    Table of Contents
    • Now Platform App Engine
Table of Contents
Choose your release version
    Home New York Now Platform App Engine Now Platform App Engine Applications Contextual development environment Application administration

    Application administration

    • Save as PDF Selected topic Topic & subtopics All topics in contents
    • Unsubscribe Log in to subscribe to topics and get notified when content changes.
    • Share this page

    Application administration

    Protect sensitive application data by using application administration to restrict how users acquire application-specific roles.

    Functions of application administration

    Use application administration to:
    • Prevent unauthorized users from accessing sensitive data such as financial records or personally identifiable information.
    • Restrict who can assign application-specific roles such as the administrator and designated developers for the application.
    • Prevent users with the system-level admin role from:
      • Assigning themselves a protected application role.
      • Assigning themselves to a group containing a protected application role.
      • Bypassing existing access controls to a protected application by creating access controls.
      • Changing the password of users who have a protected application role.
      • Impersonating a user who has a protected application role, unless the developer or administrator also has that role.
      • Inheriting a protected application role.
      • Overriding existing access controls to a protected application.
      • Running scripts that access protected application records.

    Roles in application administration

    You can make any role an application-specific administrator by selecting the Application Administrator check box in Role Configuration. To learn more, see Restrict access to an application. By convention, create the following roles:
    Table 1. Application administration roles
    Role name Description
    Application-specific admin Users with this role can assign other users to an application-specific role for that application. For example, you can create a role named my_application.admin. It should include the name of the restricted application, with a suffix of "admin" to indicate that it is the admin role for the application.
    Application-specific developer Users with this role can access the restricted application. For example, you can create a role named my_application.developer. It should include the name of the restricted application, with a suffix of "developer" to indicate that it is the developer role for the application. The developer role needs both application administrator and delegated development permissions to modify the application files.

    To learn more, see Delegated development and deployment and Delegate development and deployment permissions to personnel.

    Application-specific admin role

    The application-specific admin role enables a user to access a specific application, but does not grant the user any other admin rights. Assign the system-level admin role to a user before that user can do these tasks:
    • Configure form and list layouts.
    • Change application tables and fields.
    • Assign the application-specific admin role to new users.
    If you do not want a user with the application-specific admin role to have the system-level admin role:
    • Do not assign the system-level admin role to the user. Assign only the application-specific admin role.
    • Have the user assign themselves the application-specific developer role.

    As an application-specific developer, the user can perform a subset of administrative tasks without having the system-level admin role.

    Note: Assign the application-specific admin role to more than one user. Then if a user with the application-specific admin role leaves the company, you are not prevented from changing the application.

    Enabling application administration and assigning application-specific roles

    You can enable application administration for an application from the application record and restrict the assignment of application-specific roles from the user role record.
    Note: Enable application administration and assign application-specific roles after completing development of the application, but before adding application records. This practice protects sensitive data in the application records from access by unauthorized users.
    The target instance must have at least one authorized user with the application-specific admin role.
    • If you enable application administration for an application but do not assign the application-specific roles, no user can access the application.
    • If you assign only one application-specific role, you cannot delete that role.

    A warning appears if you enable application administration for an application, but no users have the application-specific admin role required to assign roles for the application. The warning reminds you to assign the application-specific roles for administrators and developers of the application.

    Set the [scoped_app_name].min_admin_account property to require that more than one user must have the application-specific admin role. Assigning the application-specific admin role to multiple users reduces the risk of getting locked out of the scoped application. The [scoped_app_name].min_admin_account property has the following limitations:
    • If you specify an invalid value for the property, the default requirement for assigning at least one application-specific admin is enforced.
    • If you specify a valid value for the property, you can't delete any application-specific admins unless you exceed the specified value. For example, if you specify a value of two and you have three application-specific admins, you can delete only one of those roles.
    • You can specify a value higher than the actual number of assigned application-specific admins. However, you can't delete any application-specific admins until you exceed the specified value. For example, if you specify a value of six, but have only three application-specific admins, you can't delete any of those roles.

    For procedures, see Restrict access to an application.

    Deploying applications with application administration

    You must have the system-level admin role in both your developer and production instances to deploy an application protected by application administration. The process is outlined in the following steps.

    1. Develop the application on a development instance.
    2. Create the application-specific admin role.
    3. Grant the application-specific admin role to all system-level admin users.
    4. Update the application record to enable application administration and restrict access to the application.
    5. Publish the application to the application repository.
    6. From a production instance, install the application from the application repository.
    7. As a system-level admin on the production instance, grant the application-specific admin role to the appropriate users.
    8. Remove the application-specific admin role from all users with the system-level admin role.

    For procedures to enable application administration and restrict the assignment of application-specific roles, see Restrict access to an application.

    Training

    The ServiceNow® Developer Site has training for Securing Applications.

    • Restrict access to an application

      Restrict management of an application and access to that application to prevent unauthorized users from assigning administrative rights to the application or accessing sensitive information in the application records.

    • Access control rules in application administration apps

      By default, when application administration is enabled for a scoped application, ACL rules for the scoped application are applied. If no ACL rules for the scoped application are found, global ACL rules can apply.

    Related concepts
    • Delegated development and deployment

    Tags:

    Feedback
    On this page

    Previous topic

    Next topic

    • Contact Us
    • Careers
    • Terms of Use
    • Privacy Statement
    • Sitemap
    • © ServiceNow. All rights reserved.

    Release version
    Choose your release version

      Application administration

      • Save as PDF Selected topic Topic & subtopics All topics in contents
      • Unsubscribe Log in to subscribe to topics and get notified when content changes.
      • Share this page

      Application administration

      Protect sensitive application data by using application administration to restrict how users acquire application-specific roles.

      Functions of application administration

      Use application administration to:
      • Prevent unauthorized users from accessing sensitive data such as financial records or personally identifiable information.
      • Restrict who can assign application-specific roles such as the administrator and designated developers for the application.
      • Prevent users with the system-level admin role from:
        • Assigning themselves a protected application role.
        • Assigning themselves to a group containing a protected application role.
        • Bypassing existing access controls to a protected application by creating access controls.
        • Changing the password of users who have a protected application role.
        • Impersonating a user who has a protected application role, unless the developer or administrator also has that role.
        • Inheriting a protected application role.
        • Overriding existing access controls to a protected application.
        • Running scripts that access protected application records.

      Roles in application administration

      You can make any role an application-specific administrator by selecting the Application Administrator check box in Role Configuration. To learn more, see Restrict access to an application. By convention, create the following roles:
      Table 1. Application administration roles
      Role name Description
      Application-specific admin Users with this role can assign other users to an application-specific role for that application. For example, you can create a role named my_application.admin. It should include the name of the restricted application, with a suffix of "admin" to indicate that it is the admin role for the application.
      Application-specific developer Users with this role can access the restricted application. For example, you can create a role named my_application.developer. It should include the name of the restricted application, with a suffix of "developer" to indicate that it is the developer role for the application. The developer role needs both application administrator and delegated development permissions to modify the application files.

      To learn more, see Delegated development and deployment and Delegate development and deployment permissions to personnel.

      Application-specific admin role

      The application-specific admin role enables a user to access a specific application, but does not grant the user any other admin rights. Assign the system-level admin role to a user before that user can do these tasks:
      • Configure form and list layouts.
      • Change application tables and fields.
      • Assign the application-specific admin role to new users.
      If you do not want a user with the application-specific admin role to have the system-level admin role:
      • Do not assign the system-level admin role to the user. Assign only the application-specific admin role.
      • Have the user assign themselves the application-specific developer role.

      As an application-specific developer, the user can perform a subset of administrative tasks without having the system-level admin role.

      Note: Assign the application-specific admin role to more than one user. Then if a user with the application-specific admin role leaves the company, you are not prevented from changing the application.

      Enabling application administration and assigning application-specific roles

      You can enable application administration for an application from the application record and restrict the assignment of application-specific roles from the user role record.
      Note: Enable application administration and assign application-specific roles after completing development of the application, but before adding application records. This practice protects sensitive data in the application records from access by unauthorized users.
      The target instance must have at least one authorized user with the application-specific admin role.
      • If you enable application administration for an application but do not assign the application-specific roles, no user can access the application.
      • If you assign only one application-specific role, you cannot delete that role.

      A warning appears if you enable application administration for an application, but no users have the application-specific admin role required to assign roles for the application. The warning reminds you to assign the application-specific roles for administrators and developers of the application.

      Set the [scoped_app_name].min_admin_account property to require that more than one user must have the application-specific admin role. Assigning the application-specific admin role to multiple users reduces the risk of getting locked out of the scoped application. The [scoped_app_name].min_admin_account property has the following limitations:
      • If you specify an invalid value for the property, the default requirement for assigning at least one application-specific admin is enforced.
      • If you specify a valid value for the property, you can't delete any application-specific admins unless you exceed the specified value. For example, if you specify a value of two and you have three application-specific admins, you can delete only one of those roles.
      • You can specify a value higher than the actual number of assigned application-specific admins. However, you can't delete any application-specific admins until you exceed the specified value. For example, if you specify a value of six, but have only three application-specific admins, you can't delete any of those roles.

      For procedures, see Restrict access to an application.

      Deploying applications with application administration

      You must have the system-level admin role in both your developer and production instances to deploy an application protected by application administration. The process is outlined in the following steps.

      1. Develop the application on a development instance.
      2. Create the application-specific admin role.
      3. Grant the application-specific admin role to all system-level admin users.
      4. Update the application record to enable application administration and restrict access to the application.
      5. Publish the application to the application repository.
      6. From a production instance, install the application from the application repository.
      7. As a system-level admin on the production instance, grant the application-specific admin role to the appropriate users.
      8. Remove the application-specific admin role from all users with the system-level admin role.

      For procedures to enable application administration and restrict the assignment of application-specific roles, see Restrict access to an application.

      Training

      The ServiceNow® Developer Site has training for Securing Applications.

      • Restrict access to an application

        Restrict management of an application and access to that application to prevent unauthorized users from assigning administrative rights to the application or accessing sensitive information in the application records.

      • Access control rules in application administration apps

        By default, when application administration is enabled for a scoped application, ACL rules for the scoped application are applied. If no ACL rules for the scoped application are found, global ACL rules can apply.

      Related concepts
      • Delegated development and deployment

      Tags:

      Feedback

          Share this page

          Got it! Feel free to add a comment
          To share your product suggestions, visit the Idea Portal.
          Please let us know how to improve this content

          Check any that apply

          To share your product suggestions, visit the Idea Portal.
          Confirm

          We were unable to find "Coaching" in Jakarta. Would you like to search instead?

          No Yes
          • Contact Us
          • Careers
          • Terms of Use
          • Privacy Statement
          • Sitemap
          • © ServiceNow. All rights reserved.

          Subscribe Subscribed Unsubscribe Last updated: Tags: January February March April May June July August September October November December No Results Found Versions Search preferences successfully updated My release version successfully updated My release version successfully deleted An error has occurred. Please try again later. You have been unsubscribed from all topics. You are now subscribed to and will receive notifications if any changes are made to this page. You have been unsubscribed from this content Thank you for your feedback. Form temporarily unavailable. Please try again or contact  docfeedback@servicenow.com  to submit your comments. The topic you requested does not exist in the release. You were redirected to a related topic instead. The available release versions for this topic are listed There is no specific version for this documentation. Explore products Click to go to the page. Release notes and upgrades Click to open the dropdown menu. Delete Remove No selected version Reset This field is required You are already subscribed to this topic Attach screenshot The file you uploaded exceeds the allowed file size of 20MB. Please try again with a smaller file. Please complete the reCAPTCHA step to attach a screenshot
          Log in to personalize your search results and subscribe to topics
          No, thanks Login