Role Management and Best Practices
Roles in ServiceNow are at the heart of access control. They determine what a user can see, edit, create, or delete in the system. Without the right role, users may log in—but they’ll be stuck on the homepage with no access to any modules or data.
This chapter dives into how roles work, how to assign them, how to create custom ones, and what to keep in mind when managing roles across your organization. Whether you’re granting access to IT agents or building roles for a custom app, role management is where control starts.
Understanding Roles in ServiceNow
A role in ServiceNow is a collection of permissions that allow a user to perform specific actions or access certain modules, tables, or features. When a user is given a role, they’re granted rights based on what that role contains.
Roles are stored in the sys_user_role table and can be assigned directly to a user or to a group—giving everyone in that group the same access level.
Roles are essential for:
- Enabling app/module access (e.g., Incident, Change, HR)
- Controlling CRUD (Create, Read, Update, Delete) actions
- Managing visibility across lists, forms, and dashboards
Without proper roles, users may not even be able to access core modules like Incident or Request.
Types of Roles in ServiceNow
ServiceNow includes a range of predefined roles that cover standard use cases. These can be grouped as follows:
Role Type | Role Names | Description |
---|---|---|
Core Administrative Roles | admin | Full system access; can override ACLs and perform all administrative functions. |
Core Administrative Roles | security_admin | Elevated role for modifying Access Control Lists (ACLs) and security-related configurations. |
Core Administrative Roles | user_admin | Manages users, groups, roles, and related records. |
Core Administrative Roles | impersonator | Allows a user to impersonate other users (excluding admins) for troubleshooting purposes. |
Core Administrative Roles | approver_user | Can approve or reject records routed to them for approval. |
IT Service Management (ITSM) Roles | itil | Standard role for ITIL processes; allows managing incidents, problems, changes, and tasks. |
IT Service Management (ITSM) Roles | itil_admin | Enhanced ITIL role with additional privileges, including deletion rights for certain records. |
IT Service Management (ITSM) Roles | incident_manager | Manages incident processes and oversees major incident workflows. |
IT Service Management (ITSM) Roles | change_manager | Oversees the change management process, including approvals and scheduling. |
IT Service Management (ITSM) Roles | problem_manager | Manages problem records and root cause analyses. |
Knowledge Management Roles | knowledge | Can create, edit, and review knowledge base articles. |
Knowledge Management Roles | knowledge_admin | Manages the knowledge base, including settings and article approvals. |
Service Catalog Roles | catalog | Access to browse and request items from the service catalog. |
Service Catalog Roles | catalog_admin | Manages the service catalog, including items, categories, and workflows. |
Service Catalog Roles | catalog_editor | Can create and modify catalog items within assigned categories. |
Service Catalog Roles | catalog_manager | Oversees catalog categories and assigns editors; can also manage items within their categories. |
Reporting and Analytics Roles | report_admin | Manages reports, including creation, editing, and deletion. |
Reporting and Analytics Roles | report_scheduler | Can schedule reports to be emailed to users or groups. |
Reporting and Analytics Roles | dashboard_admin | Manages dashboards, including creation and certification. |
Reporting and Analytics Roles | viz_creator | Creates data visualizations for inclusion in the visualization library. |
Reporting and Analytics Roles | viz_admin | Manages all data visualizations, including editing and certification. |
The itil role is one of the most commonly assigned roles. It gives access to key ITIL-based applications like Incident, Problem, and Change Management.
Role Inheritance Explained
Role inheritance in ServiceNow means that when a user is granted a higher-level role, they automatically get the roles nested within it.
For example:
- The itil_admin role includes itil
- The admin role includes almost all available roles
This structure prevents the need to assign multiple individual roles and helps simplify permission models.
Inheritance can be:
- Manual: You define which roles are included within others
- System-defined: Some roles come with inherited roles by default
You can view inherited roles within a role record under the “Contains” and “Inherited By” sections.
How to Create Roles in ServiceNow?
While most standard roles are provided out of the box, there are times you’ll need to create custom roles to control access to custom apps, restricted areas, or internal workflows.
Steps to create a custom role:
- Navigate to User Administration → Roles
- Click New
- Enter:
  - Name (e.g., custom_app_editor)
  - Description (clarify what this role does)
- (Optional) Add contained roles to define inheritance
- Submit the record
After creating it, you can use this role in Access Control Rules (ACLs), assign it to users or groups, or reference it in scripts or UI policies.
How to Assign Roles to a User?
There are times you may need to assign a role directly to a user—though the preferred method is through groups.
To assign a role to a user:
- Navigate to User Administration → Users
- Open the user record
- Scroll to the Roles related list
- Click Edit
- Select the roles to add and click Save
While this gives immediate access, it becomes harder to track over time, which is why assigning via groups is preferred.
How to Assign Roles in a Group?
Assigning roles to a group ensures all users in that group receive the same permissions automatically. This is more scalable, especially in environments with large user bases or frequent team changes.
To assign roles in a group:
- Navigate to User Administration → Groups
- Open the group record
- Scroll to the Roles related list
- Click Edit
- Select roles and click Save
Now, any user added to the group will inherit those roles instantly.
This approach makes audits easier and keeps permissions aligned with team functions.
Managing Custom Roles
When creating or modifying custom roles, keep in mind:
- The role name should reflect its purpose
- Use naming standards (e.g., hr_case_editor, finance_approver)
- Document roles with a clear description
- Avoid duplicating functionality already covered by existing roles
You can modify existing roles if needed, but it’s better to clone and tailor them unless you’re confident it won’t affect other users.
You can also define role dependencies, such as requiring one role before granting another.
Best Practices for Role Management
To maintain clean and effective role usage across your ServiceNow instance, follow these tips:
- Assign roles via groups whenever possible
- Use clear naming conventions for custom roles
- Avoid assigning admin or security_admin roles casually
- Document the purpose of each custom role
- Review roles periodically to remove unused or outdated ones
- Leverage role inheritance to simplify access models
- Limit direct user-role assignments unless necessary
- Never give roles that grant wide permissions without understanding the impact
A well-structured role system reduces support issues, enforces security, and improves user experience across the board.
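The role inheritance and group-assignment guidance above can be checked mechanically during a periodic review. The following is an added example, not ServiceNow's own code: plain JavaScript that runs outside an instance on constructed sample data. The data shapes, the function names (expandRoles, auditUser, auditAll) and the containment map are assumptions for illustration.

```javascript
// Constructed sample data (not exported from a real instance).
const contains = {                 // role -> roles it contains (inheritance)
  admin: ['itil_admin', 'user_admin'],
  itil_admin: ['itil'],
};
const groupRoles = { 'Service Desk': ['itil'], 'Platform Team': ['admin'] };
const memberships = { alice: ['Service Desk'], bob: ['Platform Team'], dave: ['Service Desk'] };
const directGrants = { alice: ['itil_admin'], carol: ['security_admin'], dave: ['itil'] };
const PRIVILEGED = new Set(['admin', 'security_admin']);

// Expand a list of roles with every role they contain; safe against cycles.
function expandRoles(roles, containsMap) {
  const seen = new Set();
  const stack = [...roles];
  while (stack.length) {
    const role = stack.pop();
    if (seen.has(role)) continue;
    seen.add(role);
    stack.push(...(containsMap[role] || []));
  }
  return seen;
}

// Effective roles of one user, plus the findings a role review would raise.
function auditUser(user) {
  const direct = directGrants[user] || [];
  const viaGroups = (memberships[user] || []).flatMap(g => groupRoles[g] || []);
  const effective = expandRoles([...direct, ...viaGroups], contains);
  const groupEffective = expandRoles(viaGroups, contains);
  const findings = [];
  for (const role of direct) {
    // A direct grant already covered by a group is redundant; otherwise it
    // is access that group-based audits will not see.
    findings.push(groupEffective.has(role)
      ? `redundant direct grant: ${role}`
      : `direct grant (not via group): ${role}`);
  }
  for (const role of effective) {
    if (PRIVILEGED.has(role)) findings.push(`privileged role: ${role}`);
  }
  return { effective: [...effective].sort(), findings };
}

function auditAll() {
  const users = new Set([...Object.keys(memberships), ...Object.keys(directGrants)]);
  return Object.fromEntries([...users].sort().map(u => [u, auditUser(u)]));
}

console.log(JSON.stringify(auditAll(), null, 2));
```

In this sample, bob holds four effective roles from a single group assignment, which is why a grant of admin deserves review even when it arrives through a group.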
What’s Next?
In the next chapter, we’ll look at two powerful features that help with temporary access and testing: Impersonation and Delegation.
You’ll learn how to impersonate users to troubleshoot access issues, and how to delegate roles during absences or special cases—without compromising security or control.
Let’s move forward!