Fulfiller can't add/remove user from a handful of groups

Casey Verhagen · ‎08-08-2024

We have a team member in IT who is an ITIL user and also has the user_admin role. For years he has been the one adding/removing people from assignment groups as we hire/terminate employees. Starting kind of a while ago (maybe a year or so), we've noticed that he is unable to add/remove users from a couple of groups and we can't figure out why. When he attempts doing this from the related list on either the user record, or from the group record, the message below is shown.

The only correlation I see with the assignment groups he is unable to add/remove from is that they are newer groups that were created when we brought some additional teams into the world of ServiceNow. Many of our groups were created a long time ago and those don't seem to cause this issue. Also, I was the one who created the groups, and I didn't do anything fancy in the background that would prevent him from being able to modify the user/groups.

I tried removing the user_admin role from his user record and reapplying it thinking maybe the role was bugged, but this didn't seem to change anything.

Any thoughts on why this may be happening or how to resolve it?

TIA

Casey Verhagen · ‎01-31-2025

I forgot to come back and post the solution to this. We had implemented Workplace Service Delivery a while back (probably within that one year timeframe I mentioned in the post). The issue was that, while the person trying to remove the user from the group has the user_admin role, he didn't have the necessary roles to manage users who had roles related to Workplace Service Delivery. Giving him the user management role (I forget exactly what it was called) for WSD allowed him to add/remove people without that error popping up.

View solution in original post

Brian Lancaster · ‎08-08-2024

Is this reproducible in your non-prod environments? If so have your tried debugging security?

Casey Verhagen · ‎01-31-2025

I forgot to come back and post the solution to this. We had implemented Workplace Service Delivery a while back (probably within that one year timeframe I mentioned in the post). The issue was that, while the person trying to remove the user from the group has the user_admin role, he didn't have the necessary roles to manage users who had roles related to Workplace Service Delivery. Giving him the user management role (I forget exactly what it was called) for WSD allowed him to add/remove people without that error popping up.