Managing Group Memberships: A Comprehensive Guide

By /






Mastering Group Memberships in ServiceNow: A Human-Centric Guide


Mastering Group Memberships in ServiceNow: A Human-Centric Guide

Hey there, fellow ServiceNow enthusiast! Ever felt like managing users, groups, and their permissions is a bit like herding cats? You’re not alone. It’s one of those foundational aspects of any platform that, when done right, makes everything else hum along beautifully. When done… less right? Well, let’s just say it can lead to a world of pain, from security vulnerabilities to endless access requests.

In the vast world of enterprise service management, ServiceNow stands out as a powerful platform. But its true power is unlocked when you master the art of user and group management. This isn’t just about creating accounts; it’s about building a secure, efficient, and scalable access model that supports your entire organization. Think of it as the bedrock upon which all your workflows, applications, and data security rely.

In this deep dive, we’re going to pull back the curtain on managing group memberships in ServiceNow. We’ll cover everything from the basic table structures to advanced scripting techniques, best practices that’ll make your life easier, and even how to handle those tricky situations like user delegation. Whether you’re a seasoned admin, a budding developer, or just someone looking to understand the “why” behind the “how,” you’re in the right place. Let’s get started!

The Foundation: Users, Groups, and the Ties That Bind Them

Before we start scripting and strategizing, let’s get our heads around the core components. Think of your organization: you have people (users) and you have teams/departments (groups). ServiceNow models this beautifully with dedicated tables.

Understanding the Core Tables

  • Users (sys_user): This is the digital representation of every individual who interacts with your ServiceNow instance. From employees to contractors, every login, every record created, every interaction traces back to a user record here. It holds all their essential information: name, email, department, location, and much more. It’s literally the identity hub.
  • Groups (sys_user_group): Groups are your organizational units within ServiceNow. They could represent departments (e.g., “IT Operations”), project teams (e.g., “HR Transformation Project”), or even functional roles (e.g., “Service Desk Tier 1”). Groups are incredibly powerful because they allow you to manage access, notifications, and assignments for multiple users simultaneously, rather than one by one.
  • Group Members (sys_user_grmember): This is the unsung hero, the link between users and groups. It’s a many-to-many relationship table, meaning a single user can belong to multiple groups, and a single group can have multiple members. Every record in this table signifies that a particular user is a member of a specific group. Without it, your users would be isolated, and your groups empty!

Interview Relevance: Know Your Table Names!

A common question in ServiceNow interviews is to name these fundamental tables. Knowing sys_user, sys_user_group, and sys_user_grmember shows you understand the platform’s core data model. It’s a quick way to impress!

The Power of Roles: Assigning Permissions Wisely

Roles are the gatekeepers of your ServiceNow instance. They dictate what a user or a group can see, do, and access. But how you assign these roles makes all the difference.

Best Practice: Roles to Groups, Not Users!

This is arguably the most critical best practice in ServiceNow administration. When asked, “Can we add permissions to users and groups, and which is the best practice?”, the answer is a resounding YES to both, but the best practice is to always add permissions (roles) to groups.

Let’s break down why this is not just a good idea, but essential for a well-managed instance:

  • Simplified Management: Imagine a department of 50 people. If you assign 10 roles to each user individually, that’s 500 role assignments to track. If you assign those 10 roles to a single group, and then add all 50 people to that group, you’ve cut down your management overhead drastically. Any changes to access for that department? Update the group’s roles, and all members instantly inherit them.
  • Consistency and Standardization: Everyone in a specific role or team should, theoretically, have the same level of access. Assigning roles to groups ensures this consistency. There’s no “oops, I forgot to add that one role to John” scenario.
  • Streamlined Onboarding & Offboarding: This is where the magic truly happens. When a new employee joins, you simply add them to the relevant groups (e.g., “HR Team,” “Project X Members”). They automatically inherit all the necessary roles. When an employee leaves, you remove them from their groups, and—voilà!—all associated roles are automatically revoked. This significantly reduces security risks and manual effort during offboarding, making sure no unnecessary access lingers.
  • Improved Auditability: When auditing access, it’s far easier to see which roles a group holds and then review who is a member of that group, rather than sifting through individual user records. This simplifies compliance and security reviews.
  • Reduced “Orphaned” Roles: Without group-based role management, it’s easy for roles to remain assigned to users who no longer need them, creating potential security gaps. Group-based management mitigates this by centralizing control.

How Permissions are Recorded: Just like users and groups, there are specific tables that track role assignments:

  • For roles assigned directly to a user: a record is created in sys_user_has_role.
  • For roles assigned directly to a group: a record is created in sys_group_has_role.
  • Users then inherit roles from the groups they belong to.

Scripting Your Way to Efficiency: Automation is Your Friend

While the UI is fantastic for one-off tasks, a true ServiceNow pro leverages scripting for automation, bulk operations, and integration. GlideRecord is your best friend here, allowing you to interact with the database directly from server-side scripts.

Introducing GlideRecord

GlideRecord is a JavaScript class in ServiceNow used to perform database operations. It allows you to query, insert, update, and delete records on any table in the platform. Think of it as your programmatic window into the ServiceNow database.

Creating a User Account with Script

Need to onboard a new batch of users or integrate with an external HR system? Scripting user creation is your answer.

var userGr = new GlideRecord('sys_user'); // Initialize GlideRecord for the User table
userGr.initialize();                      // Prepare a new record
userGr.username = 'jdoe';                 // Set the username
userGr.first_name = 'John';               // Set the first name
userGr.last_name = 'Doe';                 // Set the last name
userGr.email = 'jdoe@example.com';        // Set the email
// You can set many other fields like userGr.active = true; userGr.locked_out = false;
userGr.insert();                          // Save the new user record to the database
gs.info("New user 'jdoe' created successfully!");

Practical Use Case: Automating user provisioning from an external HR system when an employee starts. A scheduled job could read from an HR data feed and create new user accounts in ServiceNow.

Creating a Group with Script

Setting up new project teams or departmental structures? Scripting group creation saves time.

var newGr = new GlideRecord('sys_user_group'); // Initialize GlideRecord for the Group table
newGr.initialize();                              // Prepare a new record
newGr.name = 'testing_team_alpha';               // Set the group name
// Note: 'manager' field usually stores the sys_id of a user.
// You'd typically query for the manager's sys_id first.
// Example: var managerId = '62826bf03710200044e0bfc8bcbe5df1';
// newGr.manager = managerId;
newGr.email = 'testing_team_alpha@example.com';  // Set the group email
newGr.description = 'Test group for project Alpha.'; // Add a description
newGr.insert();                                  // Save the new group record
gs.info("New group 'testing_team_alpha' created successfully!");

Practical Use Case: Creating groups dynamically for new projects or initiatives based on specific criteria. For example, a workflow could create a “Project [X] Team” group when a new project record is created.

Adding Permissions (Roles) to Users/Groups with Script

Remember our best practice? Assign roles to groups! Let’s see how to do it with scripts.

Adding a Role to a User (Generally Avoided for Best Practice)

While we recommend assigning roles to groups, it’s good to know how to assign them directly to a user. This creates a record in the sys_user_has_role table.

var userRole = new GlideRecord('sys_user_has_role'); // Table for user-role relationships
userRole.initialize();
// Set the user by their sys_id. You'd typically query for this first.
// Example: var userId = '62826bf03710200044e0bfc8bcbe5df1';
// userRole.setValue('user', userId);
// Set the role by its sys_id. You'd typically query for this first.
// Example: var roleId = '2831a114c611228501d4ea6c309d626d'; // Example sys_id for 'itil' role
// userRole.setValue('role', roleId);
userRole.insert();
gs.info("Role assigned to user successfully.");

Adding a Role to a Group (The Recommended Way!)

This is where you’ll typically spend your scripting efforts for role management. This creates a record in the sys_group_has_role table.

var grpRole = new GlideRecord('sys_group_has_role'); // Table for group-role relationships
grpRole.initialize();
// Set the group by its sys_id. You'd typically query for this first.
// Example: var groupId = '477a05d153013010b846ddeeff7b1225'; // Example sys_id for 'testing_team_alpha'
// grpRole.setValue('group', groupId);
// Set the role by its sys_id.
// Example: var roleId = '2831a114c611228501d4ea6c309d626d'; // Example sys_id for 'itil' role
// grpRole.setValue('role', roleId);
grpRole.insert();
gs.info("Role assigned to group successfully.");

Practical Use Case: When a new group is created for a specific function (e.g., “Field Service Technicians”), a business rule could automatically assign the “field_service_agent” role to it. This ensures new groups start with appropriate access.

Adding and Removing Group Members with Script

This is where sys_user_grmember comes into play for dynamic group membership management.

Adding a Group Member

var grMem = new GlideRecord('sys_user_grmember'); // Table for user-group memberships
grMem.initialize();
// Set the user's sys_id
// Example: var userId = '62826bf03710200044e0bfc8bcbe5df1';
// grMem.user = userId;
// Set the group's sys_id
// Example: var groupId = '477a05d153013010b846ddeeff7b1225';
// grMem.group = groupId;
grMem.insert();
gs.info("User added to group successfully!");

Removing a Group Member

var grMem = new GlideRecord('sys_user_grmember'); // Table for user-group memberships
// Query to find the specific membership record
// Example: var userId = '62826bf03710200044e0bfc8bcbe5df1';
// Example: var groupId = '477a05d153013010b846ddeeff7b1225';
// grMem.addQuery('user', userId);
// grMem.addQuery('group', groupId);
grMem.query(); // Execute the query

if (grMem.next()) { // If the record is found
    grMem.deleteRecord(); // Delete the membership record
    gs.info("User removed from group successfully!");
} else {
    gs.info("User is not a member of the specified group.");
}

Practical Use Case: Integrating with an identity management system to automatically update group memberships when an employee changes departments or leaves the company. This ensures access is revoked promptly.

Advanced Concepts and Day-to-Day Operations

Beyond the basics, ServiceNow offers sophisticated features that enhance user management and operational continuity.

User Delegation: The Art of Temporarily Stepping In

User delegation in ServiceNow is exactly what it sounds like: allowing one user to act on behalf of another. This is a lifesaver when an original user is unavailable due to vacation, leave, or other reasons. The delegated user gains the permissions to perform tasks and access resources that would normally be available only to the original user.

Real-world Example: Imagine a manager, Sarah, is going on a two-week vacation. She needs her team lead, Mark, to approve critical change requests and fulfill catalog items in her absence. Sarah can delegate her approval tasks to Mark. This way, important workflows continue smoothly without interruption, preventing bottlenecks and keeping the business moving.

How to set it up (UI Path):

  1. Navigate to the original user’s account (e.g., Sarah’s user profile).
  2. Scroll down and find the related list or link for “Delegates.”
  3. Click “New” or “Add Delegate.”
  4. Provide details such as:
    • Delegate: The name of the person you want to delegate your work to (e.g., Mark).
    • Start Date & End Date: The period for which the delegation is active.
    • Permissions: You can specify what exactly the delegate can do, typically including:
      • Approvals: Can approve requests.
      • Assignments: Can receive assigned tasks.
      • Notifications: Can receive notifications meant for the original user.

Web Services User: The Integration Specialist

A “Web Services User” is a special type of user account in ServiceNow designed exclusively for third-party applications to connect and interact with the platform programmatically. The key differentiator? This user cannot log in via the standard ServiceNow user interface (UI).

Why is this important? It’s a security best practice. When you have an integration (e.g., your HR system syncing user data, or an external monitoring tool creating incidents), you want a dedicated account for that integration. This account will have specific roles tailored to its integration needs, minimizing its access footprint. By preventing UI login, you ensure that the account is used only for its intended purpose: system-to-system communication, not human interaction.

Access Control (ACLs) and the Security Admin Role

Access Control Lists (ACLs) are the core security mechanism in ServiceNow. They define what data users can access and what operations they can perform (create, read, write, delete) on records and fields. Working with ACLs is a powerful capability that requires a special role: security_admin.

The security_admin Role: This elevated role grants extensive permissions to manage security rules, including ACLs. It’s a highly privileged role and should be granted judiciously. Often, administrators temporarily elevate to security_admin to make necessary security changes and then de-escalate.

Default ACLs for New Tables: When you create a new table in ServiceNow, by default, four ACLs are automatically generated for that table. These typically provide basic create, read, write, and delete access. This happens if the “Create access controls” checkbox is checked during table creation. If unchecked, no default ACLs are created, giving you a blank slate for custom security definitions.

Impersonation: Stepping into Another’s Shoes (for Testing!)

Impersonation means temporarily logging in as another user. This is an invaluable tool for administrators and developers. Its primary purpose is testing: to verify if a user has the correct access, to troubleshoot an issue they’re reporting, or to experience the system exactly as they would.

Example: A user reports they can’t see a specific record. Instead of asking for screenshots and going back and forth, you can impersonate them, navigate to the record, and see exactly what they’re seeing (or not seeing). This helps diagnose role or ACL issues quickly.

Caution with Impersonation: Always use impersonation responsibly, especially in production environments. Never make changes while impersonating a user unless it’s part of a controlled troubleshooting process. Always revert to your own user account once testing is complete.

Getting Context: User Information in Scripts

Knowing who the current user is, what groups they belong to, and their unique ID is crucial for building dynamic and secure applications. ServiceNow provides easy ways to get this information on both the client and server side.

Current Logged-in User System ID (Client Side)

When you’re writing a Client Script or UI Policy (scripts that run in the user’s browser), you can get the current user’s system ID (sys_id) using:

g_user.userID;
// Example output: '6816f79cc0a8016401c5a33be04be441'

The g_user object is a global object available on the client side, providing various details about the currently logged-in user.

Current Logged-in User System ID (Server Side)

When you’re writing a Business Rule, Script Include, or Workflow Script (scripts that run on the ServiceNow server), you use the gs (GlideSystem) object:

gs.getUserID();
// Example output: '6816f79cc0a8016401c5a33be04be441'

The gs.getUser() method returns a GlideUser object, which has various methods to retrieve user information.

Checking Group Membership

Need to know if the current user belongs to a specific group? This is a very common requirement for access control, UI visibility, or workflow decisions:

gs.getUser().isMemberOf('group name');
// Returns 'true' if the current user is a member of the specified group,
// otherwise returns 'false'.
// Example: gs.getUser().isMemberOf('ITIL Users'); // true or false

Practical Use Case: You can use gs.getUser().isMemberOf() in a Business Rule to prevent certain actions unless the user is part of an ‘Admin’ group. Or, in a UI Policy, to hide a field if the user is not part of a ‘Managers’ group. This makes your applications dynamic and secure.

Reference Qualifiers: Filtering Fields Smartly

Reference Qualifiers are indispensable tools in ServiceNow for restricting the data displayed in ‘Reference’ and ‘List’ type fields. They improve user experience by showing only relevant options and enhance data integrity by preventing incorrect selections.

Imagine a reference field pointing to the ‘User’ table. Without a qualifier, it would show every single user in your instance! A qualifier can narrow that down to, say, only ‘active’ users or users within a specific department.

Types of Reference Qualifiers

  1. Simple Reference Qualifier

    • Description: This is the most straightforward type. You define a fixed query string, much like you would in a list filter, to restrict the available records. It’s static and doesn’t change based on other field values.
    • Example: You have a reference field for “Assigned To” on an Incident form, and you only want to allow selection of active users.
      active=true

      Or, to show only users from the “IT” department:

      department=IT
    • How to Use: In the dictionary entry of your reference field, simply select “Simple” for the Reference Qualifier type and enter your query condition directly in the “Reference qual” field.

  2. Dynamic Reference Qualifier

    • Description: This type allows the query to adapt based on the context, often influenced by other field values on the current form. Instead of writing the query directly, you select a pre-defined “Dynamic Filter Option.”
    • Example: You want the “Assigned To” field to show only users who belong to the same Assignment Group as selected in another field on the form.

      You would create a “Dynamic Filter Option” (e.g., “Users in Current Assignment Group”) that contains the logic, and then apply this option to your reference field.

    • How to Use:
      1. First, you create or select an existing Dynamic Filter Option (Navigate to System Definition > Dynamic Filter Options). Here, you define the conditions and parameters for your dynamic filter.
      2. Then, in the reference field dictionary entry, select “Dynamic” for the Reference Qualifier type and choose your desired Dynamic Filter Option.

  3. Advanced Reference Qualifier (JavaScript Reference Qualifier)

    • Description: This is the most powerful and flexible type. It utilizes custom JavaScript code to construct a complex query. This allows for dynamic filtering based on multiple conditions, intricate logic, and the current context of the form or user.
    • Example: You want to filter the “Affected User” field on a Change Request to show only active users who are members of the same company as the requesting user AND are not currently locked out.
      javascript: 'active=true^company=' + current.requested_by.company + '^locked_out=false';

      Another example: Filter Incidents to show only those assigned to the current user’s assignment groups with a priority less than 3.

      javascript: 'assignment_groupIN' + gs.getUser().getMyGroups() + '^priority<3';
    • How to Use: In the reference field dictionary entry, select "Advanced" for the Reference Qualifier type and enter your JavaScript code in the "Reference qual" field. The JavaScript code must return a valid encoded query string.

Differences Between Reference Qualifier Types

  • Simple vs. Dynamic: Simple is static; Dynamic adapts based on pre-defined logic without direct code. Dynamic is more reusable for common patterns that might change across multiple forms.
  • Dynamic vs. Advanced: Dynamic relies on a pre-configured option; Advanced gives you full programmatic control with JavaScript. Advanced is for highly specific, complex scenarios that can't be covered by existing dynamic options.
  • Simple vs. Advanced: Simple is for fixed, straightforward conditions; Advanced is for highly flexible, context-aware, and complex filtering. Advanced requires scripting knowledge, whereas Simple does not.

Troubleshooting Reference Qualifiers: If your reference field isn't showing the expected data, check the qualifier. For Advanced qualifiers, copy the JavaScript output into a list filter to see if the resulting query is correct. Use gs.log() statements within your JavaScript to debug the generated query string.

Troubleshooting Common Group Membership Issues

Even with best practices, things can sometimes go awry. Here are a few common issues and how to approach them:

  • Roles Not Applying to Users:
    • Check Group Membership: Is the user actually in the group that holds the role? Check sys_user_grmember.
    • Role Inheritance: Is the role assigned to a parent group? Ensure the user is in the correct child group that inherits from the parent.
    • Cache Issues: Sometimes, changes don't take effect immediately due to caching. Clear your instance cache (cache.do) and have the user log out and back in.
  • Script Errors During User/Group Management:
    • Syntax Errors: Double-check your JavaScript for typos, missing semicolons, or incorrect variable names.
    • Sys_ID Issues: Ensure the sys_IDs you're using (for users, groups, roles) are correct. Copy them directly from the respective records.
    • Table Names: Verify that the table names (e.g., sys_user, sys_user_group, sys_user_grmember, sys_group_has_role) are spelled correctly.
    • Permissions: The user running the script (or the system) needs appropriate permissions to perform GlideRecord operations on the target tables.
  • Delegation Not Working as Expected:
    • Dates: Is the delegation period active? Check the start and end dates.
    • Permissions Checked: Did the original user grant the necessary permissions (approvals, notifications, assignments)?
    • Correct Delegate: Is the correct user designated as the delegate?
  • Reference Qualifiers Showing Wrong/No Data:
    • Simple Qualifiers: Re-test the query string directly in a list filter to ensure it returns the expected results.
    • Dynamic Qualifiers: Verify that the selected Dynamic Filter Option is correctly configured and active.
    • Advanced Qualifiers (JavaScript):
      • Use gs.log() to print the generated query string. Copy this string and test it in a list filter.
      • Check for syntax errors in your JavaScript.
      • Ensure the variables (e.g., current.field_name, gs.getUser().getXXXX()) are correctly fetching values.

Interview Prep: Key Takeaways for Success

If you're gearing up for a ServiceNow interview, mastering group memberships is a hot topic. Be prepared to discuss:

  • Best Practice: Why roles should be assigned to groups, not users. Be ready to explain the benefits (onboarding/offboarding, security, auditability).
  • Core Table Names: sys_user, sys_user_group, sys_user_grmember.
  • Scripting Fundamentals: Demonstrate basic GlideRecord operations for creating/managing users, groups, and memberships. Be able to explain initialize(), insert(), addQuery(), query(), next(), deleteRecord().
  • User Context: How to get the current user's ID on client-side (g_user.userID) and server-side (gs.getUserID()).
  • Group Membership Check: How to verify if a user is part of a group (gs.getUser().isMemberOf('group name')).
  • Delegation: What it is, why it's used, and how it's configured.
  • Reference Qualifiers: The three types (Simple, Dynamic, Advanced) and when to use each. Be ready with an example for each.
  • Security_admin Role: Its importance for managing ACLs.

Conclusion: The Human Touch in Technical Management

Managing group memberships in ServiceNow isn't just a technical task; it's a critical element of organizational efficiency, security, and user experience. By understanding the underlying data model, adhering to best practices like assigning roles to groups, and leveraging the power of scripting for automation, you can build a robust and scalable access management system.

Remember, a well-managed ServiceNow instance feels intuitive and secure to its users. It allows people to do their jobs without unnecessary hurdles, while simultaneously protecting sensitive data and streamlining administrative tasks. So, go forth, script with confidence, and make your ServiceNow instance a bastion of well-managed access!

Happy administrating!


Scroll to Top