Flow fails to remove user from HR Group, even when flow is set to "Run as system user".
4 hours ago
Deleting/removing a user from groups via Flow Designer, but faced the error "unknown error occurred".
The flow is set to Run as System User, and the flow is in global scope.
Tried to check the docs as well. No luck with the provided solution: Security issue while adding/removing users from HR... - ServiceNow Community
Also want to know: Run as System User should bypass all restrictions, right? Why not in this case?
Thanks
4 hours ago - last edited 4 hours ago
Refer to the knowledge article below to resolve the issue:
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0996223
If this helped to answer your query, please mark it helpful & accept the solution.
Thanks,
Bhuvan
4 hours ago
Hi @Chandrakanth V,
When a flow runs as System User, it bypasses the triggering user’s session restrictions, but it does not override all ACLs or platform-enforced security. Tables like sys_user_grmember (user-group memberships) and HR data have strict protections that still apply, which is why you’re seeing the “unknown error.”
A couple of tips:
- Check System Logs > All right after the error. You'll usually see the ACL/security rule that blocked the action.
- Test the same operation with a background script on sys_user_grmember. If it fails there too, it's an ACL/security restriction, not Flow Designer itself.
- If this action is required, you may need to adjust the ACLs or create a Script Include/Action with elevated role context, then call that from Flow.
So, Run as System User ≠ unrestricted access everywhere. Platform security still applies.
Thanks & Regards,
Muhammad Iftikhar
If my response helped, please mark it as the accepted solution so others can benefit as well.
4 hours ago
Are you trying to remove the user from an HR group, or is it a normal group?
If my response helped please mark it correct and close the thread so that it benefits future readers.
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
3 hours ago
Solution:
🔹 Trigger
Use any of the following:
- Record Update on sys_user where active = false
- Catalog Item submission for termination
- Scheduled job or custom trigger
🔹 Step 1: Lookup Records
Action: Lookup Records
Table: sys_user_grmember
Condition: user = [Terminated User Sys ID]
Output: GroupMemberships
🔹 Step 3: Script Step (Inside For Each)
Action: Script
Inputs:
- groupMembershipSysId = Membership.sys_id
Script:
    (function execute(inputs, outputs) {
        // Look up the single membership record passed in from the For Each loop.
        var gr = new GlideRecord('sys_user_grmember');
        if (gr.get(inputs.groupMembershipSysId)) {
            // canDelete() evaluates the table's delete ACLs for the current
            // execution context, so the flow reports the block instead of
            // failing with an "unknown error".
            if (gr.canDelete()) {
                gr.deleteRecord();
                outputs.status = 'Deleted';
            } else {
                gs.error('ACL prevents deletion of group membership: ' + gr.getUniqueValue());
                outputs.status = 'ACL Blocked';
            }
        } else {
            gs.error('Group membership not found: ' + inputs.groupMembershipSysId);
            outputs.status = 'Not Found';
        }
    })(inputs, outputs);
Outputs:
- status: Track deletion result