Description

Azure AD sync fails to add users to a group through automatic user provisioning when that group has the security_admin role granted.

Release or Environment

  • Instance on the London release or later.
  • Automatic user provisioning from Azure Active Directory is configured.
  • The group into which the user is to be provisioned has the security_admin role assigned.


Cause

The READ operation of the sys_user_role ACL was redesigned in the London release. As part of that change, the "contains role" checks in the ACL for READ operations are now locked down.

Resolution

Remove the security_admin role from the group's roles so that the user can be synced (provisioned) into the group.
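Before enabling provisioning into a set of groups, an administrator will want to know which target groups carry security_admin and which group role assignment has to be removed. The following audit helper is an added example, not code from the KB article or from ServiceNow. It works on records in the shape the Table API returns for sys_group_has_role (fields group, role) and sys_user_role_contains (fields role, contains), constructed inline here so it runs offline; the field names are assumed to match those tables. It goes one step beyond the article by also resolving roles that contain security_admin transitively (the article itself describes only the direct assignment), which is an assumption about what a cautious audit should flag, and it cuts role-containment cycles so a mis-configured hierarchy cannot loop.

```python
from collections import defaultdict

ELEVATED_ROLE = "security_admin"

# Constructed sample rows in the shape of sys_group_has_role (group, role).
GROUP_ROLES = [
    {"group": "Service Desk", "role": "itil"},
    {"group": "Security Ops", "role": "security_admin"},
    {"group": "Platform Owners", "role": "platform_owner"},  # hypothetical custom role
    {"group": "HR Onboarding", "role": "hr_agent"},
]

# Constructed sample rows in the shape of sys_user_role_contains (role, contains):
# the parent role grants every role it "contains".
ROLE_CONTAINS = [
    {"role": "platform_owner", "contains": "security_admin"},
    {"role": "itil", "contains": "task_editor"},
]


def build_contains_map(role_contains):
    """Index parent role -> set of directly contained roles."""
    contains = defaultdict(set)
    for row in role_contains:
        contains[row["role"]].add(row["contains"])
    return contains


def paths_to_role(start, target, contains, _path=None, _seen=None):
    """Return every containment path from `start` down to `target`.

    A path is a list such as ["platform_owner", "security_admin"]; a direct
    assignment yields the single-element path [target]. Roles already on the
    current path are skipped, so a cyclic role hierarchy terminates.
    """
    path = (_path or []) + [start]
    seen = (_seen or set()) | {start}
    if start == target:
        return [path]
    found = []
    for child in sorted(contains.get(start, ())):
        if child not in seen:
            found.extend(paths_to_role(child, target, contains, path, seen))
    return found


def groups_granting(target, group_roles, role_contains):
    """Map group -> list of containment paths by which the group grants `target`."""
    contains = build_contains_map(role_contains)
    report = defaultdict(list)
    for row in group_roles:
        for path in paths_to_role(row["role"], target, contains):
            report[row["group"]].append(path)
    return dict(report)


def provisioning_blockers(provisioning_targets, group_roles, role_contains):
    """Return {group: [assigned roles to remove]} for targets that grant security_admin.

    Each listed role is the one assigned to the group (first element of a
    path), i.e. the assignment the resolution above says to remove.
    """
    granting = groups_granting(ELEVATED_ROLE, group_roles, role_contains)
    return {
        group: sorted({path[0] for path in granting[group]})
        for group in provisioning_targets
        if group in granting
    }


if __name__ == "__main__":
    targets = ["Service Desk", "Security Ops", "Platform Owners", "HR Onboarding"]
    for group, roles in provisioning_blockers(targets, GROUP_ROLES, ROLE_CONTAINS).items():
        print(f"{group}: remove {', '.join(roles)} before provisioning into this group")
```

Run against real data, the two constructed lists would be replaced by the rows of sys_group_has_role and sys_user_role_contains exported from the instance; groups that appear in the result should be cleaned up, or left out of the Azure AD provisioning scope, before the sync is retried.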

Additional Information

The security_admin role is an elevated privilege role provided with High-Security Settings that lets users create and change access controls and change High-Security Settings.

In the base system, only the default System Administrator (admin) user has the security_admin role. Since it requires elevating privileges, the admin user does not have this role at login. After elevating privileges, the admin user has the security_admin role for the duration of the user session.

Reference: https://docs.servicenow.com/bundle/london-platform-administration/page/administer/security/concept/security-admin-role.html

Article Information

Last Updated: 2020-09-16 05:22:38
Published: 2020-09-16