The read-only role (snc_read_only) restricts a user or a group of users to read-only access on the tables to which the user already has access.

This role is designed to complement the other roles a user holds: it blocks insert, update, and delete operations on the tables that those roles make accessible, while leaving read access unchanged.

After you assign this role to a user, they can no longer create, update, or delete records on any table, apart from the tables listed in the exemption properties described under Read-only role properties below.

Note: Assign this role only to users. Don’t assign this role to other resources in the system, including applications, access control levels (ACLs), and so on.

The snc_read_only role can be assigned to any user to limit access to data without having to create ACLs for system tables, custom tables, and fields. This is useful for internal or external audits, where an auditor needs to read data but must not be able to insert, update, or delete it.

Users with the snc_read_only role have the following restrictions, regardless of any other roles and privileges they hold.
  • Can’t insert, update, or delete records, whether from the UI or through the GlideRecord API.
  • Can’t activate or upgrade plugins.
  • Can’t run SQL directly.
  • Can’t upload XML files.
  • Can run background scripts only on an instance in the public sandbox environment.
Note: These restrictions remain in force even when the read-only user impersonates another user who has write access, such as an admin.

Activate the read-only role

If it isn’t already active, an administrator can activate the Read-Only User Role (com.snc.read_only.role) plugin.

Before you begin

Role required: admin

Procedure

  1. Navigate to All > System Applications > All Available Applications > All.
  2. Find the Read-Only User Role (com.snc.read_only.role) plugin using the filter criteria and search bar.

    You can search for the plugin by its name or ID. If you cannot find a plugin, you might have to request it from ServiceNow personnel.

  3. Select Install to start the installation process.
    Note: When domain separation and delegated admin are enabled in an instance, the administrative user must be in the global domain. Otherwise, the following error appears: Application installation is unavailable because another operation is running: Plugin Activation for <plugin name>.
    You will see a message after installation is completed. For information about the components installed with a plugin, see Find components installed with an application.

Read-only role properties

These system properties control the snc_read_only role. The following default values are used for the properties.

Table 1. Read-only role properties (name and description)
glide.security.snc_read_only_role.tables.exempt_create

Specifies which tables are exempt from the read-only role enforcement and enable the creation of new records.

  • Type: string
  • Default value: sys_user_session, sysevent, syslog, syslog_transaction, sys_user_preference, sys_ui_list, sys_ui_list_element, sys_db_cache, user_multifactor_auth
  • Location: System Properties [sys_properties] table
glide.security.snc_read_only_role.tables.exempt_write

Specifies which tables are exempt from the read-only role enforcement and enable the updating of existing records.

  • Type: string
  • Default value: sys_user_session, sysevent, syslog, syslog_transaction, sys_user_preference, sys_ui_list, sys_ui_list_element, sys_db_cache, user_multifactor_auth
  • Location: System Properties [sys_properties] table
glide.security.snc_read_only_role.tables.exempt_delete

Specifies which tables are exempt from the read-only role enforcement and enable the deletion of existing records.

  • Type: string
  • Default value: sys_user_preference, sys_ui_list, sys_ui_list_element, sys_db_cache, user_multifactor_auth
  • Location: System Properties [sys_properties] table

After you configure these properties, assign the read-only role as needed. A user who holds the role is blocked from creating, updating, or deleting records on every table except those listed in these properties. With the defaults, only the session, event, log, preference, list-layout, cache, and multifactor-authentication tables above remain writable, and only the preference, list-layout, cache, and multifactor-authentication tables remain deletable; a read-only user cannot delete session, event, or log records.
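The following script is an added example, not code from ServiceNow or from this page. It models the three exemption properties as a policy so you can check, before assigning the role, which operations a read-only user could still perform on a given table, and it flags any exemptions that go beyond the documented defaults. The default values are copied from Table 1 and embedded inline so the script runs offline; on a live instance you would read them from the System Properties [sys_properties] table instead. The widened property set and the table name sys_user_has_role used to illustrate a risky exemption are the editor's constructed input, not anything observed on an instance.

```javascript
// Default values of the snc_read_only exemption properties, as documented on
// this page. Constructed inline so the example runs offline; on a real
// instance these come from sys_properties.
const DEFAULT_CREATE_WRITE =
  'sys_user_session, sysevent, syslog, syslog_transaction, sys_user_preference, ' +
  'sys_ui_list, sys_ui_list_element, sys_db_cache, user_multifactor_auth';
const DEFAULT_DELETE =
  'sys_user_preference, sys_ui_list, sys_ui_list_element, sys_db_cache, user_multifactor_auth';

const DEFAULT_EXEMPT_PROPERTIES = {
  'glide.security.snc_read_only_role.tables.exempt_create': DEFAULT_CREATE_WRITE,
  'glide.security.snc_read_only_role.tables.exempt_write': DEFAULT_CREATE_WRITE,
  'glide.security.snc_read_only_role.tables.exempt_delete': DEFAULT_DELETE,
};

// Maps the record operation being attempted to the property that can exempt it.
const OPERATION_TO_PROPERTY = {
  create: 'glide.security.snc_read_only_role.tables.exempt_create',
  update: 'glide.security.snc_read_only_role.tables.exempt_write',
  delete: 'glide.security.snc_read_only_role.tables.exempt_delete',
};

// Parses a comma-separated property value into a set of table names,
// tolerating whitespace and empty entries.
function parseTableList(value) {
  return new Set(
    String(value || '').split(',').map((s) => s.trim()).filter(Boolean)
  );
}

// Builds { create: Set, update: Set, delete: Set } from a property map.
function buildReadOnlyPolicy(properties) {
  const policy = {};
  for (const [operation, property] of Object.entries(OPERATION_TO_PROPERTY)) {
    policy[operation] = parseTableList(properties[property]);
  }
  return policy;
}

// Returns true when a holder of snc_read_only may perform `operation` on
// `table`. Writes are permitted only for tables exempted for that specific
// operation; reads are not governed by these properties at all and remain
// subject to the user's other roles and ACLs.
function isOperationPermittedUnderReadOnly(policy, operation, table) {
  if (operation === 'read') return true;
  const exempt = policy[operation];
  if (!exempt) throw new Error(`unknown operation: ${operation}`);
  return exempt.has(table);
}

// Lists every exemption that widens the documented defaults. Any table added
// here becomes writable for every holder of the role, so each addition
// deserves review. Editor's caveat (an assumption, not a statement from the
// page): exempting tables that define roles, ACLs, properties, or scripts
// would hand a "read-only" user a path back to write access elsewhere.
function nonDefaultExemptions(properties) {
  const defaults = buildReadOnlyPolicy(DEFAULT_EXEMPT_PROPERTIES);
  const actual = buildReadOnlyPolicy(properties);
  const findings = [];
  for (const operation of Object.keys(OPERATION_TO_PROPERTY)) {
    for (const table of actual[operation]) {
      if (!defaults[operation].has(table)) findings.push({ operation, table });
    }
  }
  return findings;
}

// Constructed scenario: someone appended sys_user_has_role to exempt_write.
const WIDENED_PROPERTIES = {
  ...DEFAULT_EXEMPT_PROPERTIES,
  'glide.security.snc_read_only_role.tables.exempt_write':
    DEFAULT_CREATE_WRITE + ', sys_user_has_role',
};

const defaultPolicy = buildReadOnlyPolicy(DEFAULT_EXEMPT_PROPERTIES);
console.log('update incident:', isOperationPermittedUnderReadOnly(defaultPolicy, 'update', 'incident'));
console.log('create syslog:', isOperationPermittedUnderReadOnly(defaultPolicy, 'create', 'syslog'));
console.log('delete syslog:', isOperationPermittedUnderReadOnly(defaultPolicy, 'delete', 'syslog'));
console.log('review:', nonDefaultExemptions(WIDENED_PROPERTIES));
```

Run it with node. The asymmetry between the create/write lists and the delete list is the point worth noticing: the platform can still append session, event, and log rows on a read-only user's behalf, but that user cannot delete them, which is what makes the role usable for audits. Treat any non-empty result from nonDefaultExemptions as a change-control item.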

Note: Test the read-only role by assigning it to a user, impersonating that user, and confirming that an insert, update, or delete attempt is rejected.