🔐 ServiceNow — Identity & Access Management

ServiceNow Admin & Developer Guide · Digital Kimya

Understanding how ServiceNow manages identity and access is foundational to any ITSM implementation. A misconfigured access model causes two types of pain: over-access (security risk, audit failure) and under-access (users blocked, service desk overwhelmed). This guide covers every layer — from the sys_user record to ACL evaluation order.

Diagramme interactif

User

sys_user

member of

Group

sys_user_group

has roles

Role

sys_user_role

vérifié par

ACL

sys_security_acl

Table level

Field level

Record level

Impersonation

Debug ACL tool

Role contient role

Héritage imbriqué

Assignment group

Routing des tasks

Opérations ACL : read · write · create · delete · execute

Évaluation dans l'ordre : 1. role check → 2. condition → 3. script avancé

Aucune ACL ne match = accès refusé par défaut (deny by default)

= anti-pattern : techniquement possible, déconseillé en production

💡 Survolez les éléments pour voir les définitions

The Access Model at a Glance

ServiceNow access works through a three-layer stack:

User ──member of──► Group ──has roles──► Role ──evaluated by──► ACL

Each layer adds a level of control. The most common mistake is short-circuiting this chain by assigning roles directly to users — see the Anti-Pattern section below.

Core Objects

`sys_user` — The User Record

Every person or technical system that interacts with ServiceNow has a sys_user record. Key fields:

Field	Type	Purpose
`user_name`	String	Login identifier
`email`	String	Notification destination
`active`	Boolean	If false, cannot log in
`department`	Reference	Used in routing and reporting
`manager`	Reference	Approval chain
`roles`	List	Do not assign directly — see anti-pattern

Example: jdupont is a user record with active = true, belonging to the group IT Support L1. She never has roles assigned directly — they come through her group membership.

`sys_user_group` — The Group

Groups cluster users around a business function. A group can simultaneously serve two purposes:

Security group: has roles → members inherit those roles automatically
Assignment group: routes tasks (incidents, changes, requests) to the right team

Field	Purpose
`name`	Human-readable label
`manager`	Group owner
`roles`	Roles inherited by all members
`members`	List of `sys_user` records
`email`	Used for group notifications

Example: The group Change Advisory Board has the role change_manager. Any user added to this group immediately gains change approval permissions — no individual role assignment needed. When they leave the CAB, removing them from the group revokes access instantly.

`sys_user_role` — The Role

A role is a named permission that grants access to modules, applications, or data. Roles can contain other roles (nested inheritance), which means granting one role can implicitly grant many others.

Role	What it grants	Contains
`itil`	Full ITSM module access (Incident, Problem, Change)	`approval_user`, `calendar_user`
`admin`	Full platform access	all roles
`change_manager`	Change approval workflow	`itil`
`asset`	ITAM / CMDB read-write	—
`knowledge`	Knowledge base authoring	—

Role inheritance example:

change_manager
  └── itil
        ├── approval_user
        └── calendar_user

Granting change_manager to a group gives members all four roles.

⚠️ Anti-Pattern — Direct Role Assignment

User ──────────────────────────────► Role   ← AVOID THIS
     (direct assignment, red arrow)

Why it's dangerous:

Audit nightmare: "Who has admin access?" requires checking both groups AND individual users
Stale access: when someone changes roles in the organisation, their individual assignments don't automatically update
No single source of truth: access model splits across two locations
CSA/CIS exam trap: this is a classic exam question — direct role assignment bypasses group governance

Exception: Service accounts and technical integration users (REST API callers, integration middleware) can legitimately have roles assigned directly, since they don't change function.

`sys_security_acl` — Access Control Lists

An ACL rule defines who can do what on which data. Every data access in ServiceNow triggers ACL evaluation.

ACL Evaluation Order

1. Role check    — does the user have the required role?
        ↓
2. Condition     — does the record match the condition (e.g. state = Active)?
        ↓
3. Advanced script — custom JavaScript returning true/false
        ↓
No match → ACCESS DENIED (deny by default)

Critical rule: If no ACL matches, access is denied by default. You must explicitly grant access — there is no "allow all" fallback.

ACL Levels

Level	Scope	Example
Table	Entire table	`incident` — who can read any incident?
Field	Specific field on a table	`incident.salary` — restrict sensitive fields
Record	Individual records via script	Caller can only see their own incidents

ACL Operations

Operation	What it controls
`read`	Can the user see the record/field?
`write`	Can the user modify it?
`create`	Can the user create new records?
`delete`	Can the user delete?
`execute`	Used for UI Actions (buttons, links)

Example ACL — Field level:

Field	Value
Table	`incident`
Operation	`read`
Field	`caller_id.salary`
Requires role	`admin`
Condition	—

→ Only admins can see the salary field of the incident caller. Everyone else sees the field as blank.

Assignment Group vs Security Group

These look identical (sys_user_group) but serve different purposes — confusing them is a common implementation mistake:

	Security Group	Assignment Group
Purpose	Controls who can access data	Controls who handles tasks
Key config	Has roles assigned	Used in `assignment_group` field on tasks
Example	IT Security Team (role: `sn_si.analyst`)	Network Ops (receives routed incidents)
Can be both?	✅ Yes — common pattern	✅ Yes — common pattern

Example: An incident categorised as Network is automatically assigned to the group Network Ops via an Assignment Rule. The team members can work the incident because they're also a security group with the itil role.

Implementation Roadmap

ServiceNow Access Model — Implementation Sequence

Click any step to expand · 5 steps

🏗️Define your group structure

Map your org chart to ServiceNow groups. One group per business function (IT Support L1, Network Ops, Change Advisory Board, HR Agents). Avoid creating groups per person.

Group listGroup-to-function mappingManager per group

🎭Assign roles to groups (not users)

👥Add users to groups

🔒Configure ACLs

📋Audit and continual review

Quick Reference

// Check a user's effective roles in a Background Script
var user = new GlideRecord('sys_user');
user.get('user_name', 'jdupont');
 
var roles = user.getValue('roles');
gs.info('Direct roles: ' + roles); // Should be empty if group-based model is correct
 
// Check via GlideSystem
gs.hasRole('itil');           // true/false for current session user
gs.hasRole('change_manager'); // true/false

Common Mistakes & Fixes

Mistake	Risk	Fix
Roles on users, not groups	Stale access, audit failure	Migrate to group-based model
One group for everything	No granularity, impossible to audit	Split by function
No ACLs on sensitive fields	Data exposure (salary, HR data)	Field-level ACLs with `admin` role requirement
Forgetting `deny by default`	Thinking absence of ACL = allow	Always test with a non-admin user
Clone overwrites TEST integration credentials	Integration breaks after clone	Set clone excludes for credential records

Part of the Digital Kimya (opens in a new tab) ServiceNow Guide Series — Scripts & Logic · Tables & Data · Deployment

⚡ Digital Kimya — MENA & Europe

Ready to implement what you've read?

Our ITSM practitioners deliver ITIL 4 & 5 projects across ServiceNow, Jira SM, SMAX and BMC Helix — from initial assessment to full ESM deployment.

🚀 ITIL Implementation🔧 ITSM Platform Setup📊 Assessment & Roadmap🏭 Industry-Specific Projects

Request a free assessment ← Visit digitalkimya.net

🌍 MENA & Europe🎯 ITIL 4 & 5 Certified🏢 6 Industries covered⚡ Assessment in 2 weeks

contact@digitalkimya.net

ServiceNow — ITSM Setup ⚙️ Scripts & Business Logic