ServiceNow User-Admin Configurations
Description
ServiceNow User–Admin Configurations
ServiceNow user-administration revolves around controlling who can do what within the platform. These configurations ensure proper access, governance, security, and workflow routing.
1. Users
Users represent individual people who interact with ServiceNow. Each user record includes identity and access attributes.
Key User Attributes
- User ID / Username
- Password (managed via SSO or local authentication)
- Email, Phone
- Department, Location
- Manager
- Time zone & language
- Assigned Roles
- Group Memberships
Common Admin Tasks
- Creating or importing users (manually or via LDAP/SSO)
- Assigning roles directly
- Adding/removing users from groups
- Enabling/disabling users
- Setting preferences (language, time format)
2. Groups
Groups are collections of users used for access control and workflow assignments.
Typical Group Types
- Assignment Groups (e.g., Service Desk, Network team)
- Approval Groups
- Change Advisory Boards (CAB)
- Security/Access Control Groups
Groups Include
- Group name & description
- Members (users)
- Group managers
- Roles assigned to the group
- Workflows they participate in (assignment rules, routing)
Best Practice
Assign roles to groups, not individual users.
→ Easier governance and onboarding/offboarding.
3. Roles
Roles define what a user can access or perform.
Types of Roles
- Base Roles – e.g., itil, catalog
- Admin Roles – e.g., admin, security_admin
- App-Specific Roles
- Custom Roles (created per business needs)
Role Behavior
Roles grant:
- Permissions (CRUD on tables)
- Application/module visibility
- UI actions, client scripts, server code execution
- Access to APIs and platform features
Role Assignment Methods
- Directly on the user record
- Indirectly through Groups
- Inherited through parent roles
4. Access Control Rules (ACLs)
ACLs ensure data-level security.
ACL Components
Each ACL rule may specify:
- Object type (record/table, field, script, processor)
- Operation (read, write, create, delete)
- Condition (must match)
- Role requirement (roles allowed)
- Script (optional advanced logic)
ACL Example:
Only users with the role itil can write to incident.state.
5. SSO, LDAP, and Authentication Integrations
User authentication often comes from external identity providers.
Supported Methods
- SSO / SAML
- OAuth 2.0
- OpenID Connect
- LDAP integration
- Multi-Factor Authentication (MFA)
Admin Responsibilities
- Configure identity providers
- Manage user provisioning (automation)
- Test login behavior & session policies
6. Delegation & Impersonation
Delegated Development
Allows controlled access to scripts and application configuration without full admin role.
Impersonation
Admin can impersonate users to test permissions and workflows.
Only users with the admin role can impersonate.
7. User Criteria (Service Catalog, Knowledge, etc.)
User Criteria restrict visibility of:
- Catalog items
- Knowledge base articles
- Service Portal pages
- Workspaces
Criteria can be based on:
- Roles
- Groups
- Departments
- Locations
- Users
8. Onboarding/Offboarding Automation
Admins often configure:
- Role provisioning workflows
- Dynamic group assignment rules
- HR-driven user creation & deactivation
Automation reduces manual errors in access management.
Summary Table
| Feature | Purpose | Admin Actions |
|---|---|---|
| Users | Represents individuals | Create, modify, disable, assign roles |
| Groups | Collections for assignment & access management | Add users, assign roles, manage approvals |
| Roles | Access permissions | Grant privileges to users/groups |
| ACLs | Secures table/field-level data | Build rule conditions, scripts, role checks |
| SSO/LDAP | Authentication | Configure providers, automate user management |
| User Criteria | Visibility control | Restrict catalog/knowledge access |
| Impersonation | Test user experience | Troubleshoot permissions |
Product Reviews