After Upgrading from New York to Orlando, Users with the sam_admin role Cannot Delete Entitlement Import Error records


Description

According to documentation for the New York and Orlando releases, a user with the sam_admin role has the following capabilities:

This role has full access to the Software Asset Management application. This role is required to import entitlements, manage reclamation rules, run reconciliation, create custom products and pattern normalization rules, set up Content Service, and other administrative features.

In the New York release, a user with the sam_admin role has the ability to ignore Entitlement Import Error records through an 'Ignore' UI Action.

With the Orlando release however, the actions have changed to include Delete rather than Ignore.

Furthermore, the Delete UI Action is not available for users with the sam_admin role in an out-of-the-box instance - it is only available for users with the admin role. This may be an unexpected change for active users of ServiceNow, as they may expect that users with the sam_admin role be able to delete Entitlement Import Error records in the Orlando release.

 

Release or Environment

New York, Orlando

Cause

The underlying reason for this change of behavior is that with the Orlando release, the 'Ignore' UI Action for the Entitlement Import Error table does not exist, and has been replaced by the Global 'Delete' UI Action. In out-of-the-box instances, users with the sam_admin role do not have access to this Global 'Delete' UI Action, which explains why the UI Action is not visible for a user with the sam_admin role when looking at an Entitlement Import Error.

Resolution

Because the Global 'Delete' UI Action is not available to users with the sam_admin role, the solution was to create a new table-level delete ACL on the samp_entitlement_import table that requires the sam_admin role. 
After this ACL was created, a user with the sam_admin role was able to delete Entitlement Import Errors.