
Ability to control the access for Parent - Child group in ServiceNow for specific application

Shanmuga Sunda2
Tera Contributor

Hello,

We have created a list of groups which are specific to a particular customer. We are trying to grant the "user_admin" role to the parent group so that child groups can be managed by the parent group.

Issue: But when granting the "user_admin" role to the parent group, the members belonging to that group have access to modify all the groups and not only the groups that are specific to the customer, which is expected OOB functionality.

Requirement: Parent group members should edit only the child groups that belong to a specific application and not globally. For instance, my application would be "Microsoft" and not "Global". Any assistance in this regard is much appreciated.

Thanks in advance!

1 REPLY

Sandeep Rajput
Tera Patron

@Shanmuga Sunda2 The OOTB user_admin role grants read/write permission on the sys_user_group table. Since the users of the parent group are inheriting the user_admin role, they are able to modify all the groups.

In order to limit their access, you need to modify the OOTB Write/Create ACLs defined on the sys_user_group and sys_user_grmember tables and, in the condition builder, check if the Application is Microsoft and the user is (dynamic) a member of the parent group.

Hope this helps.
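
A model of the decision the modified Write/Create ACLs would make, added here as an example and not code from the thread or from ServiceNow. It runs as plain JavaScript over constructed rows; the `application` field name and the walk up through every ancestor group (rather than only the direct parent) are assumptions.

```javascript
// Constructed rows modelling sys_user_group. "application" stands in for whatever
// field marks a group as Microsoft vs Global (assumed; the thread does not name it).
const groups = {
  ms_parent:  { parent: null,        application: "Microsoft" },
  ms_l1:      { parent: "ms_parent", application: "Microsoft" },
  ms_l2:      { parent: "ms_l1",     application: "Microsoft" },
  global_hr:  { parent: null,        application: "Global" },
  mislabeled: { parent: "ms_parent", application: "Global" },
  loop_a:     { parent: "loop_b",    application: "Microsoft" },
  loop_b:     { parent: "loop_a",    application: "Microsoft" },
};
// Constructed rows modelling sys_user_grmember (user -> groups).
const memberships = { alice: ["ms_parent"], bob: ["global_hr"] };

function isMemberOf(user, groupId) {
  return (memberships[user] || []).includes(groupId);
}

// Write/Create decision for a sys_user_group record: deny unless the record
// carries the expected application AND the user belongs to one of its ancestors.
// Membership of the record itself does not count, so the parent group is not
// editable by its own members.
function canWriteGroup(user, groupId, application) {
  const record = groups[groupId];
  if (!record || record.application !== application) return false;
  const seen = new Set(); // guards against a misconfigured parent cycle
  let ancestor = record.parent;
  while (ancestor && groups[ancestor] && !seen.has(ancestor)) {
    if (isMemberOf(user, ancestor)) return true;
    seen.add(ancestor);
    ancestor = groups[ancestor].parent;
  }
  return false;
}

// Same decision for a sys_user_grmember record, keyed on the group it points at.
function canWriteMembership(user, memberRow, application) {
  return canWriteGroup(user, memberRow.group, application);
}

console.log("alice -> ms_l2:", canWriteGroup("alice", "ms_l2", "Microsoft"));
console.log("alice -> global_hr:", canWriteGroup("alice", "global_hr", "Microsoft"));
```

The `mislabeled` row shows why both conditions are needed: it sits under the Microsoft parent but is denied because its application value does not match.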