How to allow a manager to add/remove members from their group in ServiceNow?
yesterday
I have a requirement where the manager of a group should be able to manage the membership of their own group in ServiceNow. Specifically:
- The manager should be able to add new users to the group.
- The manager should be able to remove existing members from the group.
Currently, group membership is controlled by admins, but we want to delegate this responsibility to the group manager without giving them full admin rights.
yesterday
Hi @anjalikhara !!
This can be achieved without giving admin access by using the Group Manager field + ACLs.
1) Set the Group Manager
On the Group (sys_user_group) record, populate the Manager field with the user who should manage the group.
2) Create a Custom Role (Optional but Recommended)
Create a role such as:
group_manager
Assign this role to users who should manage group membership.
3) Add ACLs on Group Membership (sys_user_grmember)
Create ACLs for read / insert / delete on sys_user_grmember.
ACL Script Example:
(function () {
    // current = the sys_user_grmember record being inserted or deleted
    var grp = new GlideRecord('sys_user_group');
    if (grp.get(current.getValue('group'))) {
        // Compare sys_id strings: the group's manager vs. the session user
        return grp.getValue('manager') == gs.getUserID();
    }
    // No group, or group not found: deny
    return false;
})();
This ensures:
- Managers can add/remove users
- Only for groups they manage
4) Read Access to Group Record
Ensure the manager has read access to sys_user_group where:
Mark it helpful if this helps you to understand. Accept solution if this gives you the answer you're looking for.
Thank You
15 hours ago - last edited 14 hours ago
While the user_admin role technically allows for group member management, it is often considered too broad for this requirement. From a Governance and Security perspective, granting user_admin would allow a manager to modify any user or group across the entire instance, which violates the principle of Least Privilege.
https://<instance>.service-now.com/now/nav/ui/classic/params/target/sys_user_role_list.do%3Fsysparm_query%3Dname%253Duser_admin%26sysparm_first_row%3D1%26sysparm_view%3D
Instead of broad roles, the most effective methods focus on Delegated Authority:
1. Service Catalog (The Strategic Choice): The most recommended approach is to use the Service Catalog. By creating a 'Manage Group Membership' item, the system can automatically verify if the requester is the manager of the selected group.
- Value: It provides a clean Audit Trail and requires zero additional roles for the manager.
- This aligns with the Now Create methodology of transforming administrative tasks into self-service value drivers.
https://youtu.be/EPOsxq4O1dE?si=DEi43eQ10QgIU2B1
2. Scripted ACLs (The Platform Choice): If the manager needs to work directly within the Group record, the best practice is to configure ACLs on the sys_user_grmember table.
- A simple script can check if current.group.manager == gs.getUserID().
- This allows the manager to add or remove members only for their specific groups, without the overhead and risk associated with the user_admin role.
3. Visual Task Boards (VTB): Managers can also use VTBs to drag and drop users into groups if the underlying ACLs support it. This offers a more modern user experience while still respecting security boundaries.
Strategic Insight: As discussed in the Digital Transformation Pillars, specifically regarding Governance (Pillar 5), the goal is to design a reproducible structure that scales. Using a broad role like user_admin creates 'technical debt' and security risks. By choosing a delegated approach—like a Catalog Item—the organization ensures that the 'TO-BE' state is both secure and auditable.
Moving from 'Administrator-led' to 'Business-led' tasks is a marathon toward operational maturity. For a deeper look at how to implement these governance frameworks using official best practices, I recommend the Now Create methodology: ServiceNow Now Create: Practical Methodology
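Both answers above recommend the same scripted ACL on sys_user_grmember (the manager of the membership row's group is the only non-admin allowed to insert or delete it). The following is an added example, not code from either reply or from ServiceNow: it models that ACL condition offline so the allow/deny matrix can be checked before it is attached to an instance. The group table, the sys_ids (g_net, u_alice, and so on) and the FakeGlideRecord/makeGs stand-ins for GlideRecord and gs are all constructed for this example; the condition itself is the one the thread describes, written with getValue() so the comparison is string to string.

```javascript
// Added example (not from the thread): offline model of the delegated
// group-membership ACL. All table rows and sys_ids below are constructed.

// Constructed sys_user_group rows: sys_id -> { name, manager }.
const SYS_USER_GROUP = {
  g_net: { name: 'Network Ops', manager: 'u_alice' },
  g_db:  { name: 'DBA',         manager: 'u_bob' },
  g_new: { name: 'Unassigned',  manager: '' },      // no manager assigned yet
};

// Minimal stand-in for the two GlideRecord calls the ACL script uses.
class FakeGlideRecord {
  constructor(table) {
    this.rows = table === 'sys_user_group' ? SYS_USER_GROUP : {};
    this.row = null;
  }
  get(sysId) {                       // true when a row with that sys_id exists
    this.row = (sysId && this.rows[sysId]) || null;
    return this.row !== null;
  }
  getValue(field) {                  // '' for empty/absent, like the real API
    return this.row ? String(this.row[field] || '') : '';
  }
}

// Stand-in for gs.getUserID(): the sys_id of the session user.
function makeGs(userId) { return { getUserID: () => userId }; }

// The ACL condition. `current` is the sys_user_grmember record being
// inserted or deleted; the same script is attached to both operations.
function groupManagerAcl(current, gs) {
  const groupId = current.getValue('group');
  if (!groupId) return false;                      // membership row without a group: deny
  const grp = new FakeGlideRecord('sys_user_group');
  if (!grp.get(groupId)) return false;             // dangling group reference: deny
  const manager = grp.getValue('manager');
  // A group with no manager must never match anyone (guards '' == '' cases).
  return manager !== '' && manager === gs.getUserID();
}

// Build a membership record the way the ACL engine hands it to the script.
function membership(groupId, userId) {
  const fields = { group: groupId, user: userId };
  return { getValue: (f) => (fields[f] == null ? '' : String(fields[f])) };
}

// Evaluate the condition for one actor against every group (plus a row with
// no group). Returns groupId -> true/false.
function decisionMatrix(actorId) {
  const gs = makeGs(actorId);
  const out = {};
  for (const gid of Object.keys(SYS_USER_GROUP)) {
    out[gid] = groupManagerAcl(membership(gid, 'u_new_member'), gs);
  }
  out[''] = groupManagerAcl(membership('', 'u_new_member'), gs);
  return out;
}

console.log('alice:', decisionMatrix('u_alice'));   // only g_net true
console.log('bob:  ', decisionMatrix('u_bob'));     // only g_db true
console.log('carol:', decisionMatrix('u_carol'));   // nothing true
```

Run with node; the three printed matrices show that each manager is allowed only on the group whose Manager field names them, that a group with an empty Manager field is delegated to nobody, and that a membership row with an empty or unknown group is always denied. The thread grants read, insert and delete on sys_user_grmember; this model assumes the same condition on insert and delete and does not cover write, which the replies do not delegate.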
