User with delegated_developer role is unable to select update sets


Description

Overview

Some delegated developers expect to be able to access update sets, once they are given permission to access Scoped Applications. When a user tries to access update set in scoped application, they do not have access to read/write/create update sets, or they are unable to select a specific update set.

Define roles to use Update Set Picker

1. Log in as 'admin'

2. If you have not done so already, grant the 'delegated_developer' user role read access to the Update Set table [sys_update_set]
a) Navigate to System Security > Access Control (ACL)
b) Filter by Name contains sys_update_set
c) Open ACL for read, write, and create
d) Update section 'Requires role' to include: delegated_developer

3. Navigate to System Properties table > add the system property: glide.ui.update_set_picker.role

4. Set the value of glide.ui.update_set_picker.role to the role for which you want to give access,
example: admin,delegated_developer

Result:
Enable users with 'delegated_developer' role to see the update set picker on the Settings panel.

Example

Steps to reproduce this behavior:
1. Grant a user the role: delegated_developer
- Follow this documentation to provide access permissions to Delegated Developer,
https://docs.servicenow.com/csh?topicname=t_AddADeveloper.html&version=latest#developer-permissions

Now, the user has access of that scoped application. It is a common request to give the user access to update sets as well.

2. Add the 'delegated_developer' role to ACLs for update set Read, Write, and Create access

3. Select an update set

Result:
Delegated developer is unable to select update set.

Note:
Additional security checks are in place to restrict access to users with the 'delegated_developer' role that prevents them from being able to create update sets. This has been introduced due to the fact that 'delegated_developer' role can be granted to users who are non-admins who are not developers. Deployment is often handled by another role/group.

Additional Information

Please find the documentation about deployment specific roles,
https://docs.servicenow.com/csh?topicname=t_AddADeveloper.html&version=latest#d94111e395

This is mentioned in the Security Section of the Release notes,
https://docs.servicenow.com/csh?topicname=platform-security-rn.html&version=latest

Documentation to ensure the update set picker is available,
https://docs.servicenow.com/csh?topicname=t_GrantAccessToTheUpdateSetPicker.html&version=latest

In the event that the update set picker shows "undefined" rather than showing list of active update sets, please refer to KB0744288 - User with delegated_developer role is unable to select update sets,
https://support.servicenow.com/kb_view.do?sys_kb_id=0105c05ddbd03344fff8a345ca961928