Time-limited user roles (starting with the Washington release)

Summary

This functionality assigns a role to a user temporarily. Use this feature if a user needs to perform a one-time action that is typically outside their assigned roles.

Note: Only the roles "admin," "impersonate," and "snc_readonly" are allowed to be assigned to the user.

Procedure:

1. Navigate to All > User Administration > Time-Limited User Roles.
2. Select New.
3. Fill in the fields on the form. All fields except Comments are mandatory.

Unlike the ServiceNow-suggested method of adding roles to groups, this method only allows adding roles to an individual user.

The end date must be within 5 days of the start date.

Notification:

As soon as the role is assigned through a time-limited user role, the user sees a notification.

In the platform, roles are session-based. However, roles granted through the time-based roles feature may not persist for the entire session if the session extends beyond the end time specified in the time-based role record. The roles are revoked as soon as the end time on the time-based role record is reached, and a message is shown on the UI.

Key Points:

> If the user's "admin" role is part of the time-based role functionality, users with a time-based admin role have all the regular privileges of a permanent admin. One such privilege is the ability to edit their own time-based role records. This is true when logging in as the user; impersonation gives only read access to these records. Note that the admin user can extend the time-limited user record, again for only 5 more days, by modifying the start and end dates on the record.
> The time-limited user records have Active=true, which remains true even after the end time has passed. However, the roles are revoked from the user.
> Time-limited roles assigned to a user, and their history, can be viewed in the user record under the 'time-limited user role' related list. This related list is not available by default but can be added using Configure -> Related Lists on the user form. Similarly, the 'time-limited user role' related list can be added to the role record.

Configuration:

The following configuration records control this functionality:

[System Property] glide.security.timelimited.roles.allowed_roles: (https://instancename.service-now.com/nav_to.do?uri=sys_properties.do?sys_id=ede080835301021057fcddeeff7b128a)
[Script Include] TimeLimitedRoleConfigHelper: (https://instancename.service-now.com/nav_to.do?uri=sys_script_include.do?sys_id=baa30ccb5301021057fcddeeff7b12de)
[Business Rule] time-limited roles duration limit: (https://instancename.service-now.com/nav_to.do?uri=sys_script.do?sys_id=0f0ce1574f51311092d53c11b1ce0b50)
[System Property] glide.security.timelimited.roles.allowed_max_days: (https://instancename.service-now.com/nav_to.do?uri=sys_properties.do?sys_id=f191c4075301021057fcddeeff7b127d)

Note: Though the script include and business rule are customizable by an admin user, doing so is not advisable. Both system properties above have the "Write roles" field set to "Maint" only.

Security Access:

Security access to the "sys_user_has_time_limitied_role" table:

Create Access: Admin (this also includes the time-limited admin role)
Read Access:
1. ITIL
2. user_admin
3. role_delegator
Delete Access: Same as Create access
Report Access: Admin
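
The key points above matter when reviewing these grants: the Active flag does not show whether a role is still in effect, and a time-limited admin can edit their own record. The script below is an added example, not ServiceNow code, that audits an exported list of records against the rules described on this page. The record shape and field names (id, user, role, start, end, active, updatedBy) are assumptions made for illustration, and a window of exactly 5 days is treated as allowed.

```javascript
// Added example. Record field names are hypothetical (an exported list),
// not the real columns of the time-limited role table.
const ALLOWED_ROLES = ["admin", "impersonate", "snc_readonly"]; // roles named on the page
const MAX_DAYS = 5; // page: end date must be within 5 days of the start date
const DAY_MS = 24 * 60 * 60 * 1000;

function auditTimeLimitedRoles(records, nowMs) {
  return records.map((r) => {
    const issues = [];
    const start = Date.parse(r.start);
    const end = Date.parse(r.end);
    if (!ALLOWED_ROLES.includes(r.role)) issues.push("role_not_allowed");
    const validWindow = !Number.isNaN(start) && !Number.isNaN(end) && end > start;
    if (!validWindow) issues.push("invalid_window");
    else if (end - start > MAX_DAYS * DAY_MS) issues.push("window_exceeds_max_days");
    // Active stays true after the end time, so the dates decide whether the
    // role is in effect; the active flag is deliberately ignored here.
    const inEffect = validWindow && nowMs >= start && nowMs < end;
    // A time-limited admin can edit their own record: surface self-edits for review.
    if (r.role === "admin" && r.updatedBy === r.user) issues.push("self_modified_admin_grant");
    return { id: r.id, user: r.user, role: r.role, inEffect, issues };
  });
}

// Constructed sample records (not real data).
const SAMPLE_RECORDS = [
  { id: "r1", user: "user_a", role: "admin", start: "2024-03-01T09:00:00Z",
    end: "2024-03-04T09:00:00Z", active: true, updatedBy: "admin_x" },
  { id: "r2", user: "user_b", role: "admin", start: "2024-03-08T09:00:00Z",
    end: "2024-03-13T09:00:00Z", active: true, updatedBy: "user_b" },
  { id: "r3", user: "user_c", role: "security_admin", start: "2024-03-09T00:00:00Z",
    end: "2024-03-16T00:00:00Z", active: true, updatedBy: "admin_x" },
];

const NOW = Date.parse("2024-03-10T12:00:00Z"); // fixed "current time" for a repeatable run
for (const row of auditTimeLimitedRoles(SAMPLE_RECORDS, NOW)) {
  console.log(row.id, row.user, row.role,
    row.inEffect ? "in effect" : "not in effect", row.issues.join(",") || "ok");
}
```
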