First a little bit of background. My company originally had ServiceNow Business Edition (later to become Express) and the basic rule was if someone had the itil role, it consumed a license. Easy enough. We converted to Enterprise a bit over a year ago, and needless to say the roles are much more complicated. We are being told that we are now roughly 30 licenses over our current subscription due to so many people having "Fulfiller" roles in the system. The issue is though that we were still working off the premise that if the role wasn't "working" tickets in the system, it wasn't a fulfiller role.

We have created quite a few modules in the system for functions that don't exist OOB, and pretty much all of the roles being used to grant people access to these modules are being considered Fulfiller roles now. In addition I've been controlling access to various modules, lists, service catalog categories/items, etc. and many of those are also being considered Fulfillers as well. We also need to give some people/groups the ability to create their own reports, but even if they aren't normally fulfillers, apparently granting them the report_group role make them such.

Another issue that I'm seeing is that sometimes a user will have the same role duplicated on their user profile as many as 10x. Removing the duplicates is breaking their access, and there doesn't seem to be a way to actually determine which of the duplicated roles being applied are the one actually granting the access.

Overall what I am looking for is if there are best practices, clearly outlined for the following situations:

1. What is the best way to have nested groups (Parent/Child relationship) where roles are inherited, but sub groups might have different roles applied as well?
   1. Is it better to break inheritance in these cases? Does each of these roles applied to the child group get counted as a Fulfiller license if the data they are accessing are always in the same table/module?
   2. Does being a member of a group automatically make you a fulfiller?
   3. Does having access to READ records that are not your own (created by you) automatically make you a Fulfiller? We have several business cases in which groups of people need to SEE data, but will not interact with it, update it, etc.
2. If you have a manager that is overseeing several groups, that are spread across several modules/tables and they need access to see ALL the tickets related to his groups, do you need to create a special role, along with specific ACLs to allow that manager read only access instead of consuming several Fulfiller licenses?
   1. Again, in this case, if this manager is a member of several groups to control access, do we need to break inheritance of these groups and manage permissions manually? This could potentially become very manual labor intensive keeping track of the roles that a single person has or does not have.
3. How can modules, lists, records, etc. be hidden from view except for specific groups of people without that being seen as a fulfiller role? The items that they are viewing are only really going to be read, or in some cases it could be a Service Catalog items I don't want everyone to have access to, but the roles are being counted as fulfiller licenses when that isn't necessarily the case.
   1. I saw just today that there is User Criteria that can be used to define access to certain things like Service Catalog items, which is something I'll look into, but if I'm not mistaken this doesn't extend into lists of records, modules, tables, etc.
4. For our Technology department, we also have a role, "xxxxx_technology" that is being used to control views to show and hide various modules, but pretty much everyone also seems to have the "itil" role assigned as well (probably a holdover from ServiceNow Express honestly). The "xxxxx_technology" role contains the itil role, so does that mean anyone assigned the "xxxxx_technology" role is actually consuming 2 fulfiller licenses because they have both roles?
5. While I have gotten some feedback from our account rep, I would like some additional clarification on what will show up as a Fulfiller role on a compliance report:
   1. My impression is that if a role can create/write/delete on a table they are a Fulfiller. Is this always the case? Will roles that have read access to records in a table actually be excluded as not being a fulfiller?
   2. If a user is the member of a group that is placed in the "Assignment Group" field of a ticket form, does that automatically make them/their roles a Fulfiller? Information I received says "Yes - with some exceptions". What are those exceptions?
   3. Is being assigned any role at all going to consume a Fulfiller license? Again the information I received is "Yes, any role except a Requester role.", but that seems to potentially conflict with the idea that only create/write/delete roles count as fulfillers.

Overall I know that our Fulfiller license usage isn't very high, and my department Director doesn't want to potentially pay another $30k/yr for licenses that are not truly fulfiller licenses, but are more than happy to true up where necessary. Right now though it's hard to make heads or tails of our role situation. Any help, or guidance is greatly appreciated.