ServiceNow User Groups are vital for controlling the assignment of tasks, security, notifications, and approvals of your instance. This is the control layer that allows you to ensure your team gives the right people the right access to the right data.
User groups themselves are not unique to ServiceNow. Nearly every major technology asks the Enterprise to assign different kinds of roles to different levels of users. ServiceNow is no different from a technical standpoint: user groups are a core configuration element that assigns records for users, and attaches roles for them.
No matter which ServiceNow product you are working with, you will need to assign roles and access permissions for your team. You will want to assign a host of different purposes, with multiple people in each group, including assignment groups, security groups, and notification groups, etc. For example, if you want people to be able to add users or create reports, you would assign them as administrators.
What we do find unique in ServiceNow is the way that clients approach their user group strategy and the details that follow from those decisions. What we find with many clients is that they just roll over their existing user group layout or strategy – if they think about User Group assignments at all.
There’s a better way to think about User Groups as you launch your ServiceNow journey. Developing a consistent approach to managing user groups when configuring your core processes, products, and applications, will greatly simplify system administration. Further, while you are revisiting and reconfiguring your entire workflows or other systems of work, it makes sense to take a little bit of time to think about who need to see (and edit) which screens, and what reporting you want to socialize throughout the team vs. your entire organization.
This blog lays out the most common considerations for User Group structures, plus some recommendations you might want to consider as you lay out your ServiceNow User Group strategy.
1. Controlling User Group Membership
Getting deliberate on how to assign and control group membership is the first step in getting your User Group house in order. As you can imagine, assigning membership of user groups can have an impact on operations, security, and even licensing (money).
Particularly, on the security side, there can be long-term ramifications in giving the wrong people access to sensitive material.
There are two ways you can assign group membership:
- Automatic: You can choose to directly import a list of groups ad members from your Active Directory via LDAP or some other data source. Automatic assignments are great if you have strong existing controls around your groups from the original data source. If you don’t, you may find yourself using more licenses than you planned and having a tough conversation with your sales rep.
- Manual: You can also elect to manually edit group membership on a one-by-one basis. Maintaining groups and membership isn’t usually an onerous task, and should be feasible to manage internally. If you are taking the manual route, you will still need a coherent process to control User Group membership, role assignments, and ultimately licensing.
You can take a few approaches to manually assigning users in ServiceNow: We’ve seen clients give group managers the ability to edit the membership list, as well as clients who’ve set up a service catalog item to request group membership with group manager approval. Both of these methods work well, they ease the work load of the sys admin and speed up the process. Just make sure the group managers understand the license model.
2. Regulating ServiceNow User Group Approvals
ServiceNow’s user groups can also control who approves a request, which can be everything from a budget sign-off to a product upgrade request.
Because approvals can come from either a single person or a group, you will want to enumerate the specific detailed controls assigned to your group approval process. Some technical scripting will create approvals from one person from the group to approve, or the whole group, or something in between (usually done via a custom script).
In addition to group approvals, you will need a strategy for handling rejections – whether that will come from a single person or a group. The key here is to list out these processes, and then ensure that your technical configurations match your real-world needs.
Pro Tip: Because ServiceNow user groups are often used for multiple purposes, I recommend using the “Type” field to identify specific reference qualifiers and general administration. (Hint: you can create as many types as you need too.)
3. Enabling ServiceNow User Notifications
User groups assignments are also used to send ServiceNow notifications to all the members of a specific group. For example, you may have a create an Incident Notifications Group to include all of your IT Managers, and send out real-time alert in the event that anything serious happens in your system.
Your notifications groups can include multiple users, and more than one team. From a technical standpoint, notifications are deployed to a group email address, if you have a single email address for the group (like email@example.com). Alternatively, if the group does not have a designated email address, then your notification email will route to all the members of the group.
As you assign members to user groups, you want to think carefully about who will be able to see what. As a general rule of thumb, corporate security best practices suggest that you cut down as much entropy in your system as possible, and offer the minimal possible permissions you need to in order for someone to do their job. So, if someone needs visibility into monthly reporting, don’t give them administrative “God privileges” – you just don’t know what their untrained eye will accidentally click or configure.
As you develop your security groups, ServiceNow recommends that you use group assignments to contain roles, which means that all of the members of a group would get the same roles.
Role creation can vary by organization. Usually, groups that are being used for task assignments will include one or more role types – so that members of that group are able to perform assigned tasks.
However, you can specifically create a group for the sole purpose of giving users access to a specific feature, such as permitting a subset to edit records – a set up that is particularly useful if the editors are members of multiple teams.
A word of caution: You never want to assign the “admin” role to a group. Admin roles should be pretty closely managed and tracked. However, if a group is assigned as the “admin” – then any users with access to edit groups, could put themselves (or other people) in a group with admin roles, and ultimately give themselves (or others) admin access.
Pro Tip(s): A couple of things to remember about permissions: Often, giving a role to a user will mean they consume a license, you need to manage this carefully to control your costs.
5. Similar Activities
Last, but not least, the most common use for a group is to control task assignments. Activities groups are typically aligned with a team of people, e.g. the Service Desk or Database Support, and routes, groups, manages, and monitors like-tasks.