The system user cannot add the "Admin" role if it contains the scoped "sn_templated_snip.template_snippet_admin" role.


Description

The system user cannot add the "Admin" role if it contains the scoped "sn_templated_snip.template_snippet_admin" role.

Cause

There is a change in Newyork that the system checks if the user that is assigning a role is privileged role or contains privileged role. If it has a privileged role, then the user cannot add the role unless he has that privileged role. "sn_templated_snip.template_snippet_admin" is a privileged role with is added to admin.

Resolution

The role "sn_templated_snip.template_snippet_admin" is added to admin as a fix to PRB1281549.
The purpose of the change was to fix an issue where, if you installed the templated snippets plugin without installing any related HR applications, you could not use the application.

With the fix for PRB1281549, when templated snippets is installed, the admin role will inherit the sn_templated_snip.template_snippet_admin role. System admins will be able to re-assign the sn_templated_snip.template_snippet_admin role to other users, and, if desired, remove the sys_user_role_contains record so that admin will not inherit sn_templated_snip.template_snippet_admin by default any more.

As the workflow script is intended to assign admin role, we would recommend simply removing the "sys_user_role_contains" record. Then, when the workflow runs, it will not attempt to assign the templated snippet admin role. Scoped admin roles should be deliberately assigned, not assigned via a workflow.

To remove the sys_user_role_contains record, first make sure that all users who need templated snippets admin *have* the role. Then you can navigate to

https://YOUR_INSTANCE/sys_store_app_list.do

And search for the "Template snippets" application. Open the "Templated snippets" application, and if you have the templated snippets admin role, you should see a related link saying "Remove from the role contained by admin". If you click that link, it will remove the sys_user_role_contains record so that admin will no longer inherit sn_templated_snip.template_snippet_admin; a templated snippet admin will have to deliberately assign the role.