Flow fails to remove user from HR Group, even when flow is set to "Run as system user".
3 weeks ago
Trying to delete/remove a user from groups via Flow Designer, but faced the error "unknown error occurred".
The flow is set to Run as System User and is in the global scope.
Tried to check the docs as well. No luck with the provided solution: Security issue while adding/removing users from HR... - ServiceNow Community
Also want to know: Run as System User should bypass all restrictions, right? Why not in this case?
Thanks
3 weeks ago
Running the flow as System User does not mean you can delete the records by default, as it will honour role-based access and the ACLs defined for the table and fields.
Change the flow to run as the user who initiated the session and make sure that user can delete the records.
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0760287
Try to mimic this manually or from a background script to check the behaviour, and log the information to understand why the delete operation is not allowed.
If this helped to answer your query, please mark it helpful and accept the solution.
Thanks,
Bhuvan
3 weeks ago
Hi @Chandrakanth V,
When a flow runs as System User, it bypasses the triggering user’s session restrictions, but it does not override all ACLs or platform-enforced security. Tables like sys_user_grmember (user-group memberships) and HR data have strict protections that still apply, which is why you’re seeing the “unknown error.”
A couple of tips:
Check System Logs > All right after the error. You'll usually see the ACL/security rule that blocked the action.
Test the same operation with a background script on sys_user_grmember. If it fails there too, it's an ACL/security restriction, not Flow Designer itself.
If this action is required, you may need to adjust the ACLs or create a Script Include/Action with elevated role context, then call that from the Flow.
So, Run as System User ≠ unrestricted access everywhere. Platform security still applies.
Thanks & Regards,
Muhammad Iftikhar
If my response helped, please mark it as the accepted solution so others can benefit as well.
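As an added example (not code from this thread, from ServiceNow, or from any of the posters), here is a read-only version of the background-script check that Bhuvan and Muhammad suggest: it walks one user's sys_user_grmember rows and reports which ones canDelete() refuses, without deleting anything, so the blocking rule can be matched against System Logs > All. GlideRecord, gs and the field names user/group are the platform's; StubGlideRecord and its rows are constructed so the block runs offline.

```javascript
// Added example, not from the thread: read-only audit of a user's group
// memberships. Deletes nothing; records canDelete() for each row so the
// blocking ACL can be looked up in System Logs > All.
// Assumed field names: user, group (standard sys_user_grmember schema).
function auditGroupMemberships(userSysId, GlideRecordCtor, log) {
  var results = [];
  var gr = new GlideRecordCtor('sys_user_grmember');
  gr.addQuery('user', userSysId);
  gr.query();
  while (gr.next()) {
    var entry = {
      membership: String(gr.getValue('sys_id')),
      group: String(gr.getDisplayValue('group')),
      canDelete: gr.canDelete()              // ACL evaluation only, no delete
    };
    results.push(entry);
    log((entry.canDelete ? 'DELETABLE   ' : 'ACL BLOCKED ') +
        entry.group + ' (' + entry.membership + ')');
  }
  return results;
}

// Memberships the current run context is not allowed to remove.
function blockedMemberships(results) {
  return results.filter(function (r) { return !r.canDelete; });
}

// Constructed stand-in for GlideRecord so the audit runs outside the platform.
// Rows and the `deletable` flag are made up. On an instance, call instead:
// auditGroupMemberships(userSysId, GlideRecord, function (m) { gs.info(m); });
function StubGlideRecord(table) {
  var rows = [
    { sys_id: 'm1', user: 'u1', group: 'Service Desk',    deletable: true },
    { sys_id: 'm2', user: 'u1', group: 'HR Case Workers', deletable: false },
    { sys_id: 'm3', user: 'u2', group: 'Service Desk',    deletable: true }
  ];
  var filter = {};
  var i = -1;
  this.addQuery = function (field, value) { filter[field] = value; };
  this.query = function () {
    rows = rows.filter(function (r) {
      return Object.keys(filter).every(function (k) { return r[k] === filter[k]; });
    });
  };
  this.next = function () { i += 1; return i < rows.length; };
  this.getValue = function (field) { return rows[i][field]; };
  this.getDisplayValue = function (field) { return rows[i][field]; };
  this.canDelete = function () { return rows[i].deletable; };
}
```

Run it from Scripts - Background under the same context the flow uses (system, or the session user) and compare the ACL BLOCKED lines with the ACL entries in the system log.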
3 weeks ago
Are you trying to remove the user from an HR group, or is it a normal group?
If my response helped, please mark it correct and close the thread so that it benefits future readers.
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
3 weeks ago
Solution:
🔹 Trigger
Use any of the following:
- Record Update on sys_user where active = false
- Catalog Item submission for termination
- Scheduled job or custom trigger
🔹 Step 1: Lookup Records
Action: Lookup Records
Table: sys_user_grmember
Condition: user = [Terminated User Sys ID]
Output: GroupMemberships
🔹 Step 3: Script Step (Inside For Each)
Action: Script
Inputs:
- groupMembershipSysId = Membership.sys_id
Script:
    (function execute(inputs, outputs) {
        // Look up the single membership row passed in from the For Each loop
        var gr = new GlideRecord('sys_user_grmember');
        if (gr.get(inputs.groupMembershipSysId)) {
            // canDelete() evaluates the delete ACLs for the current run context
            if (gr.canDelete()) {
                gr.deleteRecord();
                outputs.status = 'Deleted';
            } else {
                gs.error('ACL prevents deletion of group membership: ' + gr.sys_id);
                outputs.status = 'ACL Blocked';
            }
        } else {
            gs.error('Group membership not found: ' + inputs.groupMembershipSysId);
            outputs.status = 'Not Found';
        }
    })(inputs, outputs);
Outputs:
- status: Track deletion result
3 weeks ago
Hello @Chandrakanth V ,
Test the delete action manually by entering the required details.
- If the action works as expected, proceed to step 2. Verify the scope of the HR group and ensure the mentioned user is included.
- Copy the flow into the HRSD scope and test it there.
- Validate the delete ACL on the user table.
If this resolves your query then mark it as Accepted; if it is useful to you then mark it as Helpful.