Why is this an issue?
In ServiceNow versions before Quebec, when the plugin "Content Delivery" (com.sn_content_delivery) was activated, the role "Content Delivery Admin" (sn_cd.content_admin) was automatically added to the instance. This role grants the user access to all Content Delivery information and privileges, as well as the ability to read, create, and add/edit content types.
When the plugin is activated, the role is added to the admin role as a contained role. This is an issue because the admin may not be permitted to read and write the sensitive HR data included in the Content Delivery tables.
Best practices
Right after activating the "Content Delivery" (com.sn_content_delivery) plugin, select two or more users to be the Content Delivery Admins; those users should be employees of HR, as they would have access to sensitive HR data. After you've chosen the users, give them the role "Content Delivery Admin" (sn_cd.content_admin) and double-check that they're activated.
Always select two or more users, so that if one of them is deactivated, the other still has access.
With admin access, follow these steps to remove HR-related roles from the admin role:
In the Filter Navigator, search for User Administration > Roles.
Search for admin and security-admin.
From the Contains Roles tab, click Edit.
From the Contains Roles List column, highlight sn_cd.content_admin, move it to the Collection column, and click Save.
Log out and log back in to ensure that the changes take effect.
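A check for both practices above, as an added example that is not ServiceNow's own code: plain JavaScript run over exported role-containment and role-grant rows. The row shape (role, contains, user, active, inherited), the wrapper role and the user names are constructed assumptions.

```javascript
const HR_ROLE = "sn_cd.content_admin";
const PARENT_ROLES = ["admin", "security-admin"]; // names as written in the steps above

// Every role reachable from `parent` through "contains" relationships,
// so a role nested inside another contained role is still found.
function containedRoles(parent, containsRows) {
  const seen = new Set();
  const queue = [parent];
  while (queue.length > 0) {
    const current = queue.shift();
    for (const row of containsRows) {
      if (row.role === current && !seen.has(row.contains)) {
        seen.add(row.contains);
        queue.push(row.contains);
      }
    }
  }
  return seen;
}

function auditContentAdmin(containsRows, grantRows) {
  const findings = [];
  for (const parent of PARENT_ROLES) {
    if (containedRoles(parent, containsRows).has(HR_ROLE)) {
      findings.push(`${parent} still contains ${HR_ROLE}`);
    }
  }
  // Count only active users who hold the role directly, not through a parent role.
  const holders = [...new Set(grantRows
    .filter((g) => g.role === HR_ROLE && g.active && !g.inherited)
    .map((g) => g.user))];
  if (holders.length < 2) {
    findings.push(`only ${holders.length} active user(s) hold ${HR_ROLE} directly; need 2 or more`);
  }
  return { holders, findings };
}

// Constructed sample export (assumption): the HR role is nested one level down.
const sampleContains = [
  { role: "admin", contains: "example_wrapper_role" },
  { role: "example_wrapper_role", contains: HR_ROLE },
];
const sampleGrants = [
  { user: "hr.user1", role: HR_ROLE, active: true, inherited: false },
  { user: "hr.user2", role: HR_ROLE, active: false, inherited: false },
  { user: "sys.admin", role: HR_ROLE, active: true, inherited: true },
];
console.log(auditContentAdmin(sampleContains, sampleGrants));
```

An empty findings list means neither parent role reaches sn_cd.content_admin and at least two active users hold it directly.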