User, Group & Role Management in ServiceNow Administration
User, group, and role management is one of the core pillars of ServiceNow administration. Without proper control over who can access what, even the best-designed workflows can fall apart.
In ServiceNow, access is not randomly assigned—it follows a structured flow where users, groups, and roles work together. Understanding this structure is crucial not just for security but also for system efficiency.
In this chapter, we’ll walk through what users, groups, and roles are, how they work together, and why they matter. You’ll also learn how role-based access helps enforce rules, automate permissions, and maintain a clean and controlled instance.
Let’s begin by understanding each element in detail.
What is a User in ServiceNow?
In ServiceNow, a user refers to anyone who can log in and access the platform, including employees, IT agents, managers, and external stakeholders.
Each user has a user record, stored in the sys_user table, which contains details like:
- User ID (their login name)
- Email address
- Active or inactive status
- Roles assigned
Key Fields in the User Table:
Field Name | Description |
---|---|
User ID | Unique login name (username) |
Name | Full name of the user |
Email | Email address used for notifications |
Active | True/False – only active users can log in |
Roles | List of roles assigned directly or via groups |
Title | Job title (e.g., IT Technician, Manager) |
Department | Associated department (cmn_department reference) |
Manager | User’s direct manager (used for approvals and hierarchy) |
Time Zone | Used to personalize date/time display |
Locked Out | Indicates if login access is temporarily blocked |
Photo | Profile image (optional) |
Last Login | Timestamp of last login |
How Are Users Created?
There are multiple ways to add users to ServiceNow:
- Manually: Go to User Administration → Users → New
- Automatically: Through systems like LDAP, SSO, or other integrations
By default, users have limited access unless roles are assigned to them.
What is a Group in ServiceNow?
A group in ServiceNow is a collection of users who perform similar tasks or belong to the same department or team.
Groups help you manage roles efficiently. Instead of assigning roles to every individual user, you assign roles to a group, and all members inherit those roles.
Groups are stored in the sys_user_group table.
Common Use Cases:
- Routing tasks or approvals
- Sending notifications to teams
- Assigning roles to multiple users at once
Example Groups:
- HR_Team – handles employee records
- Incident_Managers – manages IT incidents
- Approvers – handles approvals in workflows
Out-of-the-Box Groups:
Group Name | Purpose |
---|---|
Service Desk | Handles incident and request management |
Change Advisory Board | Reviews and approves change requests |
HR Team | Manages employee-related records and onboarding |
CAB Approval Group | Specific approval group for changes |
Knowledge Editors | Manages and edits knowledge base articles |
Administrators | Users with admin-level access and full control |
Groups can also receive assignments (e.g., a task or incident can be assigned to a group instead of one person).
What is a Role in ServiceNow?
A role in ServiceNow is a set of permissions that control what a user can see or do. Think of roles as keys—they unlock access to applications, records, or actions. Roles control visibility, access to modules, record permissions, and system functions.
Roles are stored in the sys_user_role table and can be either:
- Out-of-the-box (default roles like admin, ITIL, approver)
- Custom (created by admins based on your organization’s needs)
Out-of-the-Box Roles with Description:
Role Name | Description |
---|---|
admin | Full access to all system features and configurations |
itil | Core ITSM access – incident, problem, change, request handling |
approver_user | Allows users to approve tasks or records assigned to them |
catalog_admin | Manage service catalog items and categories |
knowledge_admin | Create and maintain knowledge base articles and categories |
report_admin | Create and manage reports and dashboards |
user_admin | Manage user accounts, groups, and roles |
rest_api_explorer | Access REST API Explorer for integration testing |
personalize_choices | Customize choice lists for fields across forms |
impersonator | Impersonate other users (used for testing/view access as another role) |
Roles can be assigned to:
- Individual users
- Entire groups (recommended approach)
Role Hierarchy Example:
- ITIL_admin > includes ITIL
- admin > includes almost all system-wide access
How Do Users, Groups, & Roles Work Together?
Here’s the relationship in simple terms:
A user → joins a group → the group has roles → the user inherits those roles.
This is the recommended way to manage access. It reduces errors and makes role audits easier.
Example:
- User: John Smith
- Group: Service Desk
- Role: ITIL
→ John inherits the ITIL role from his group membership.
Pro Tip: Always assign roles to groups instead of users directly.
Role-Based Access Control (RBAC) in ServiceNow
ServiceNow uses RBAC (Role-Based Access Control) to manage permissions. This means that what a user can access depends entirely on the roles they have.
Roles work together with Access Control Rules (ACLs) to enforce visibility and actions. For example:
- The incident_read ACL checks if a user has the ITIL role before letting them view incident records.
We’ll cover ACLs in more detail in a later module.
Best Practices for Managing Users and Roles
To keep your instance secure and easy to manage, follow these practices:
- Assign roles to groups, not directly to users
- Use clear naming for users, roles, and groups
- Run regular audits to remove unused roles or inactive users
- Use departments or companies to organize larger user sets
- Leverage role delegation and elevated roles carefully
- Use impersonation to test access settings as another user
These tips help you avoid common mistakes and maintain a scalable access model.
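The inheritance chain (user → group → role) and the audit practices above, as an added example that is not part of the original tutorial and is not ServiceNow platform code: plain JavaScript over constructed rows shaped like the sys_user, sys_user_grmember, sys_group_has_role, sys_user_has_role and sys_user_role_contains tables. It computes each user's effective roles and flags direct role grants and inactive users who still hold roles; all user names, sample rows and function names are assumptions.

```javascript
// Constructed sample rows; each array mirrors the ServiceNow table named in its comment.
const users = [                                   // sys_user
  { id: "john.smith", active: true },
  { id: "jane.doe", active: true },
  { id: "old.contractor", active: false },
];
const groupMembers = [                            // sys_user_grmember (user -> group)
  { user: "john.smith", group: "Service Desk" },
  { user: "old.contractor", group: "Service Desk" },
];
const groupRoles = [{ group: "Service Desk", role: "itil" }];        // sys_group_has_role
const directRoles = [{ user: "jane.doe", role: "itil_admin" }];      // sys_user_has_role, inherited = false
const roleContains = [{ role: "itil_admin", contains: "itil" }];     // sys_user_role_contains

// Expand a list of roles with every role they contain, transitively (cycle-safe).
function expandRoles(roles) {
  const seen = new Set(roles);
  const queue = [...roles];
  while (queue.length) {
    const r = queue.pop();
    for (const c of roleContains.filter((x) => x.role === r)) {
      if (!seen.has(c.contains)) { seen.add(c.contains); queue.push(c.contains); }
    }
  }
  return seen;
}

// Effective roles = direct grants + roles of every group the user belongs to, expanded.
function effectiveRoles(userId) {
  const groups = groupMembers.filter((m) => m.user === userId).map((m) => m.group);
  const viaGroup = groupRoles.filter((g) => groups.includes(g.group)).map((g) => g.role);
  const direct = directRoles.filter((d) => d.user === userId).map((d) => d.role);
  return [...expandRoles([...direct, ...viaGroup])].sort();
}

// Audit two of the practices above: no direct grants, no roles left on inactive users.
function audit() {
  const findings = [];
  for (const d of directRoles) findings.push(`direct-role: ${d.user} -> ${d.role}`);
  for (const u of users.filter((x) => !x.active)) {
    const roles = effectiveRoles(u.id);
    if (roles.length) findings.push(`inactive-with-roles: ${u.id} -> ${roles.join(",")}`);
  }
  return findings;
}

console.log(effectiveRoles("john.smith"), audit());
```

The inactive contractor is flagged even though no role sits on the user record, because the role still arrives through group membership; removing the group membership is what clears the finding.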
Quick Recap
- A user is anyone with login access
- A group is a team of users that simplifies role assignment
- A role defines what users can do or see
- Roles should be assigned to groups for easier management
- RBAC ensures secure, controlled access to the platform
What’s Next?
In the next chapter, we’ll take a closer look at how to create and manage users step-by-step in the platform, with screenshots and field-level guidance.
You’ll also learn how to handle deactivations, profile updates, and user imports.
Let’s keep going!