The ServiceNow system includes the capability to easily configure a specific user or group to access certain tables, but only in a read only format.  This is done through the special snc_read_only role within the ServiceNow system.

The Purpose of the Read-Only Role

Adding this special snc_read_only role to a user or group on the instance will cause all users to whom this role is applied to immediately have read only access to any tables they could previously modify or otherwise manipulate.

The snc_read_only role provides no additional permissions to the individual or group to whom it is assigned to (read or otherwise).  Thus, this role would normally be used in conjunction with one or more other roles on the instance.  This role would simply prevent the user with that role from Inserting, Modifying or Deleting records in tables that user currently has access to by virtue of other roles or permissions on the instance.


As an example, suppose we have a user who is a member of the standard itil role.  Normally, this user could access and edit a number of different record types in the instance (such as Incident).

Write permissions

However, if the snc_read_only role were added to this user (retaining all the other roles already associated to the user), his view of the same Incident ticket would appear as the following, in which the user could no longer edit the Incident.

Read-Only Access to Records


Adding or Removing the Read-Only Role to an Existing User

If the role is to be added to a user, the following steps can be used.

First, log into the instance with an account having admin or user_admin rights to the instance.

Using the Menu Navigator, browse to the following location on the instance: User Administration -> Users.

A list of Users as currently found on the instance will appear.  Filter the list to locate the User for which the role is to be added or removed.  Click the Information icon to the left of the row corresponding to this user to open that user account record.

Scroll to the Roles related list for this user record.

Click the Edit button which should appear at the top of the Roles related list.

A slush-bucket control will appear.  Locate the role with the name snc_read_only in the list which is found to the left.

Adding the Read-Only role

Once found in this list, double click it such that the role should move to the list to the right.

Click the Save button on the Edit Members dialog box.

That user, on the next login will then have read-only access to any records they can access.


Conversely, the same procedures can be used to remove a user who is currently assigned the snc_read_only role but should have permissions to edit any records they can normally access.  In that case, however, the snc_read_only role would be found in the list to the right and double-clicked to remove it from that list.

Removing the Read-Only role

On the users next login, they would then have the capability to edit any applicable objects that were provided by other Roles added to that user account.

Additional Information

This role can sometimes be the cause of issues.  A user may report that, while previously they had permissions or rights to edit certain record types, suddenly they no longer can, with the button and menu options no longer appearing and the fields appearing in a read-only format.

One of the first things to check is to ensure that the snc_read_only role has not somehow inadvertently been assigned to that user).  If so, and the user should indeed have the rights to edit records, removing the role from the users profile and having the user log out and back in to the instance will correct the issue.

Article Information

Last Updated:2019-08-02 20:44:24