Grant non admin developers limited application and update set access

It used to be problematic to give limited access to citizen developers (or other BA’s) from other teams. There wasn’t an easy way to limit access to change specific scripts or specific workflows, because everything used to be in a global scope or under a custom scoped application. Users would get access to everything or none, unless you wanted to spend a lot of time building heavy custom ACL’s.

This issue was solved by ServiceNow with Delegated Development. Now it is a good practice build everything under scoped applications, for example new features come out in their own application scope (Agent workspace, GRC, Change management, Spoke applications).

1) Go to sys_store_app.list where you can see all available applications. Select the application.

2) Under related links click on “Manage developers”.

3) Choose a user and select limited access to only what they need from this application by application file type: script, workflow, service portal, update set access etc.

4) Now user will have access to application and update set pickers after they enable it from their developer settings. Also, whenever he will open any application file type, the filter with his allowed applications will be automatically set. Other files will be hidden under ACL restrictions.

Note: to enable configuration of update set rights you have to set up com.snc.dd.manage_update_set_enabled system property to true first. Users will have access to update set module and they will be able to choose update sets from there. To enable update set picker access set up glide.ui.update_set_picker.role property with the application role name.

Not limited to development activities, this could be used to grant access to users to modify their own catalog items without having access to full catalog.

Also, there is a simple way to change the scope programmatically:

method: 'PUT',
url: '/api/now/ui/concoursepicker/application',
headers: {
  'Content-Type': 'application/json',
  'Cookie' : document.cookie
data: { app_id: sys_id_of_application }

2 thoughts on “Grant non admin developers limited application and update set access”

  1. How do we do this for non-store apps, such as Datadog? Looks like a perfect solution for our dev needs, but limited to store apps…


    1. You should be able to find any app in sys_app.list table. There should be a related link for ‘Manage developers’ which is what is mentioned in the article. Also from studio – “Manage developers” dropdown.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s