How to allow a manager to add/remove members from their group in ServiceNow?

anjalikhara
Tera Contributor

I have a requirement where the manager of a group should be able to manage the membership of their own group in ServiceNow. Specifically:

  • The manager should be able to add new users to the group.
  • The manager should be able to remove existing members from the group.

Currently, group membership is controlled by admins, but we want to delegate this responsibility to the group manager without giving them full admin rights.

What is the best way to achieve this in ServiceNow?

tiagomacul
Giga Sage

While the user_admin role technically allows for group member management, it is often considered too broad for this requirement. From a Governance and Security perspective, granting user_admin would allow a manager to modify any user or group across the entire instance, which violates the principle of Least Privilege.

 

https://<instance>.service-now.com/now/nav/ui/classic/params/target/sys_user_role_list.do%3Fsysparm_query%3Dname%253Duser_admin%26sysparm_first_row%3D1%26sysparm_view%3D

 

Instead of broad roles, the most effective methods focus on Delegated Authority:

 

1. Service Catalog (The Strategic Choice)

The most recommended approach is to use the Service Catalog. By creating a 'Manage Group Membership' item, the system can automatically verify if the requester is the manager of the selected group.

  • Value: It provides a clean Audit Trail and requires zero additional roles for the manager.

  • This aligns with the Now Create methodology of transforming administrative tasks into self-service value drivers.

https://youtu.be/EPOsxq4O1dE?si=DEi43eQ10QgIU2B1


2. Scripted ACLs (The Platform Choice)

If the manager needs to work directly within the Group record, the best practice is to configure ACLs on the sys_user_grmember table.

  • A simple script can check if current.group.manager == gs.getUserID().

  • This allows the manager to add or remove members only for their specific groups, without the overhead and risk associated with the user_admin role.

 

3. Visual Task Boards (VTB)

Managers can also use VTBs to drag and drop users into groups if the underlying ACLs support it. This offers a more modern user experience while still respecting security boundaries.

Strategic Insight: As discussed in the Digital Transformation Pillars, specifically regarding Governance (Pillar 5), the goal is to design a reproducible structure that scales. Using a broad role like user_admin creates 'technical debt' and security risks. By choosing a delegated approach—like a Catalog Item—the organization ensures that the 'TO-BE' state is both secure and auditable.

 

Moving from 'Administrator-led' to 'Business-led' tasks is a marathon toward operational maturity. For a deeper look at how to implement these governance frameworks using official best practices, I recommend the Now Create methodology: ServiceNow Now Create: Practical Methodology

 

This video shows how to create an approval workflow for Finance portal access in ServiceNow via a catalog item. Use case: if your customer or client is asking to automate an approval process which they are doing manually.
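The manager check from option 2 above, written out as an added example; it is not code from this thread or from ServiceNow. It assumes a scripted ACL on sys_user_grmember (create and delete operations) whose script sets `answer`; the function name, the stubs and the sys_id values are constructed so the logic can be run outside an instance.

```javascript
// Added example. Inside the instance the ACL script body would be:
//   answer = isManagerOfGroup(current, gs);
// where `current` (the sys_user_grmember row) and `gs` come from the platform.

function isManagerOfGroup(current, gs) {
  var group = current && current.group;
  if (!group) {
    return false; // no group on the row: nothing to be manager of
  }
  // String() turns a reference element into its sys_id ('' when empty),
  // so the comparison is string-to-string rather than object-to-string.
  var managerId = String(group.manager);
  var userId = String(gs.getUserID());
  // Fail closed: a group without a manager must never match anyone.
  if (!managerId || !userId) {
    return false;
  }
  return managerId === userId;
}

// --- Constructed stubs for running the check offline -------------------
var MGR_A = 'a'.repeat(32); // constructed sys_id, manager of group A
var MGR_B = 'b'.repeat(32); // constructed sys_id, manager of group B

function stubElement(value) {
  // Mimics a reference element: an object whose toString() is the sys_id
  return { toString: function () { return value; } };
}

function stubRow(managerSysId) {
  return { group: { manager: stubElement(managerSysId) } };
}

function stubGs(userSysId) {
  return { getUserID: function () { return userSysId; } };
}

function decisionTable() {
  return {
    ownGroup: isManagerOfGroup(stubRow(MGR_A), stubGs(MGR_A)),
    otherGroup: isManagerOfGroup(stubRow(MGR_B), stubGs(MGR_A)),
    groupWithoutManager: isManagerOfGroup(stubRow(''), stubGs(MGR_A)),
    rowWithoutGroup: isManagerOfGroup({ group: null }, stubGs(MGR_A))
  };
}
```

Only `ownGroup` evaluates to true; the other three cases are denied, which is the behaviour to confirm by impersonating a manager and a non-manager after the ACL is in place.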

Ankur Bawiskar
Tera Patron

@anjalikhara 

This KB has the approach and tells which ACLs need to be modified:

How to configure Group Members (sys_user_grmember) edit capability, so that only the Group Manager i... 

💡 If my response helped, please mark it as correct and close the thread 🔒— this helps future readers find the solution faster! 🙏

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

@anjalikhara 

Hope you are doing good.

Did my reply answer your question?

💡 If my response helped, please mark it as correct and close the thread 🔒— this helps future readers find the solution faster! 🙏

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader