Product documentation Docs
    • English
    • Deutsch
    • 日本語
    • 한국어
    • Français
  • More Sites
    • Now Community
    • Developer Site
    • Knowledge Base
    • Product Information
    • ServiceNow.com
    • Training
    • Customer Success Center
    • ServiceNow Support Videos
  • Log in

Product documentation

  • Home
How search works:
  • Punctuation and capital letters are ignored
  • Special characters like underscores (_) are removed
  • Known synonyms are applied
  • The most relevant topics (based on weighting and matching to search terms) are listed first in search results
Topics are ranked in search results by how closely they match your search terms
  • A match on the entire phrase you typed
  • A match on part of the phrase you typed
  • A match on ALL of the terms in the phrase you typed
  • A match on ANY of the terms in the phrase you typed

Note: Matches in titles are always highly ranked.

  • Release version
    Table of Contents
    • Now Platform administration
Table of Contents
Choose your release version
    Home Orlando Now Platform Administration Now Platform administration Platform security Elevated privilege roles

    Elevated privilege roles

    • Save as PDF Selected topic Topic & subtopics All topics in contents
    • Unsubscribe Log in to subscribe to topics and get notified when content changes.
    • Share this page

    Elevated privilege roles

    Elevated privilege roles require you to manually accept the responsibility of using the role before you can access the features of the role.

    By default, you do not have elevated privilege roles upon login. You must manually elevate to the privilege of the role. An elevated privilege role lasts only for the duration of your user session. Session timeout or logout removes the role.

    You can designate any role as an elevated privilege role, and then assign that role to one or more users. Do this when you want to restrict users from having access to the rights that the role provides immediately after login. You can designate the privilege role on the Role form. See Create a role for instructions.

    To use an elevated role, you must meet these conditions:
    • The elevated role must be assigned to you.
    • You must manually elevate to a specific elevated role to get its privileges, even if you are already elevated to a second elevated role that contains the first elevated role.

      For example, if elevated role A contains elevated role B, even if you elevate to role A, you must still elevate to role B to get its privileges.

    The admin role

    To grant the admin role to a user, the granting user must also have the admin role. For example, a user with only the user_admin role cannot grant the admin role to other users.
    • Non-admin users cannot add a user to a group that contains the admin role.
    • To grant the security_admin role to a user, the granting user must also have the admin role and must elevate to the security_admin role before granting the security_admin role to other users. A user with only the admin role cannot grant the security_admin role to other users.
    • A user without the security_admin role cannot add a user to a group that contains the security_admin role.
    Warning: The use of elevated privilege on the admin role is not supported and may cause unexpected behavior. To require administrators to manually elevate, see Force administrators to manually elevate.

    The security_admin role

    In the base system, the security_admin role is the only role that has elevated privileges. This role is automatically assigned to the user who is the default System Administrator (admin) user. It provides access to ACLs and High Security Settings.

    Figure 1. Roles assigned to the System Administrator (admin) user
    The list of roles assigned to the System Administrator (admin) user.
    Note: To see this role, you must actually elevate to the security_admin role first. If you are logged in as the System Administrator (admin) user only, you cannot see the security_admin record in the list of roles.
    Figure 2. The security_admin role record
    The security_admin role record
    • security_admin role

      The security_admin role is an elevated privilege role provided with High Security Settings that lets users create and change access controls and change High Security Settings.

    • Elevate to a privileged role

      The base system admin can elevate to a privileged role to have access to the features of High Security Settings.

    • Force administrators to manually elevate

      A property is available to force all users with the administrator role to manually select the role they want to elevate to.

    Tags:

    Feedback
    On this page

    Previous topic

    Next topic

    • Contact Us
    • Careers
    • Terms of Use
    • Privacy Statement
    • Sitemap
    • © ServiceNow. All rights reserved.

    Release version
    Choose your release version

      Elevated privilege roles

      • Save as PDF Selected topic Topic & subtopics All topics in contents
      • Unsubscribe Log in to subscribe to topics and get notified when content changes.
      • Share this page

      Elevated privilege roles

      Elevated privilege roles require you to manually accept the responsibility of using the role before you can access the features of the role.

      By default, you do not have elevated privilege roles upon login. You must manually elevate to the privilege of the role. An elevated privilege role lasts only for the duration of your user session. Session timeout or logout removes the role.

      You can designate any role as an elevated privilege role, and then assign that role to one or more users. Do this when you want to restrict users from having access to the rights that the role provides immediately after login. You can designate the privilege role on the Role form. See Create a role for instructions.

      To use an elevated role, you must meet these conditions:
      • The elevated role must be assigned to you.
      • You must manually elevate to a specific elevated role to get its privileges, even if you are already elevated to a second elevated role that contains the first elevated role.

        For example, if elevated role A contains elevated role B, even if you elevate to role A, you must still elevate to role B to get its privileges.

      The admin role

      To grant the admin role to a user, the granting user must also have the admin role. For example, a user with only the user_admin role cannot grant the admin role to other users.
      • Non-admin users cannot add a user to a group that contains the admin role.
      • To grant the security_admin role to a user, the granting user must also have the admin role and must elevate to the security_admin role before granting the security_admin role to other users. A user with only the admin role cannot grant the security_admin role to other users.
      • A user without the security_admin role cannot add a user to a group that contains the security_admin role.
      Warning: The use of elevated privilege on the admin role is not supported and may cause unexpected behavior. To require administrators to manually elevate, see Force administrators to manually elevate.

      The security_admin role

      In the base system, the security_admin role is the only role that has elevated privileges. This role is automatically assigned to the user who is the default System Administrator (admin) user. It provides access to ACLs and High Security Settings.

      Figure 1. Roles assigned to the System Administrator (admin) user
      The list of roles assigned to the System Administrator (admin) user.
      Note: To see this role, you must actually elevate to the security_admin role first. If you are logged in as the System Administrator (admin) user only, you cannot see the security_admin record in the list of roles.
      Figure 2. The security_admin role record
      The security_admin role record
      • security_admin role

        The security_admin role is an elevated privilege role provided with High Security Settings that lets users create and change access controls and change High Security Settings.

      • Elevate to a privileged role

        The base system admin can elevate to a privileged role to have access to the features of High Security Settings.

      • Force administrators to manually elevate

        A property is available to force all users with the administrator role to manually select the role they want to elevate to.

      Tags:

      Feedback

          Share this page

          Got it! Feel free to add a comment
          To share your product suggestions, visit the Idea Portal.
          Please let us know how to improve this content

          Check any that apply

          To share your product suggestions, visit the Idea Portal.
          Confirm

          We were unable to find "Coaching" in Jakarta. Would you like to search instead?

          No Yes
          • Contact Us
          • Careers
          • Terms of Use
          • Privacy Statement
          • Sitemap
          • © ServiceNow. All rights reserved.

          Subscribe Subscribed Unsubscribe Last updated: Tags: January February March April May June July August September October November December No Results Found Versions Search preferences successfully updated My release version successfully updated My release version successfully deleted An error has occurred. Please try again later. You have been unsubscribed from all topics. You are now subscribed to and will receive notifications if any changes are made to this page. You have been unsubscribed from this content Thank you for your feedback. Form temporarily unavailable. Please try again or contact  docfeedback@servicenow.com  to submit your comments. The topic you requested does not exist in the release. You were redirected to a related topic instead. The available release versions for this topic are listed There is no specific version for this documentation. Explore products Click to go to the page. Release notes and upgrades Click to open the dropdown menu. Delete Remove No selected version Reset This field is required You are already subscribed to this topic Attach screenshot The file you uploaded exceeds the allowed file size of 20MB. Please try again with a smaller file. Please complete the reCAPTCHA step to attach a screenshot
          Log in to personalize your search results and subscribe to topics
          No, thanks Login