Hi,

ServiceNow team came back with an answer!

Essentially what they said is as part of "Contextual Security Manager" plugin, when a user is added to a group, they insert records in sys_user_has_role table at database level and suppress any BR to run against this table! Weird design but that's what it is.

Reply from HI:

Referring to the Contextual Security Manager documentation: https://docs.servicenow.com/bundle/jakarta-platform-administration/page/administer/roles/reference/r_ContextualSecurity.html?cshalt=yes this plugin prevents duplicate entries with Contextual Security: Role Management V2. This plugin is active on your instance. As per the documentation, roles inherited from other roles are added as individual entries in the User Roles table [sys_user_has_role], potentially causing one role to have duplicate entries. Contextual Security: Role Management V2 eliminates these duplicate entries and prevents future duplicates. Its the same case as adding groups with the same roles containing it, without the plugin, the roles will be added to the sys_user_has_role record of the user and duplicate records will appear. With the plug installed, adding a group that contains roles that is already on the user's role list will not add a duplicate entry in the sys_user_has_role table, instead, the inheritance count is incremented. This plugin is activated on your instance. The description is of this plugin states: "Role Management Enhancements: prevent duplicate entries in sys_user_has_role for inherited roles, based on the value of the inh_count column" The documentation explains further: Contextual security and roles You can grant roles to users or groups. However, after installing the Contextual Security Manager, the roles field on the user record is no longer checked and no longer appears on your user and group forms. Instead, you must add roles to the Roles related list instead of to the user or group record. Solution Proposed/Investigation Summary: If the Contextual Security Manager plugin is activated on the instance, the BR's on the sys_user_has_role are not getting executed when the roles being added is coming from a Group. Only the BR's from sys_user and sys_user_grmember tables gets executed when adding a Group to a user record. The plugin prevents having duplicated roles in the sys_user_has_role table. When a particular role is already existing in the user's role list, and the role gets added again via the Group, the Inhertance count is incremented to reflect how many times that role was granted to the user. For your implementation, a possible workaround can be to add the BR on either the sys_user(after Insert/update) or sys_user_grmember which will go through the roles of the user.