Manage Users Roles Groups Best Practice

garyhopson
Kilo Explorer

In our ServiceNow instance we have a number of Groups and Roles that were brought in from Active Directory. My question is twofold:

1) Is there a way to create a Report showing Groups, the Roles associated with each Group, and the Users assigned to the Group? (We have over 3600 Groups in ServiceNow, along with Roles assigned directly to users rather than Roles assigned to Groups and then Users assigned to Groups.)

2) What is the Best Practice for Group Management? Is there a suggested list of necessary Groups and Roles? We have implemented Helsinki with plans to upgrade to Jakarta over the next few months. I would like to clean up the environment prior to that. We are currently using the following Modules:

  • Knowledge management
  • Incident management
  • Change management
  • Service Catalog
  • Password Reset
  • App Inventory
  • (Looking at CMDB and Release Management)

Thanks for your suggestions.

Gary Hopson

Senior IT QA Analyst

ITG Brands

Gary.Hopson@ITGBrands.com


dwerner
Kilo Sage

I don't think it's possible to create the report you are looking for.

I don't know if this is the best practice but we created self-fulfilling (upon manager approval) catalog items for group creation and group membership. Basically allowing managers to create and maintain their own groups. The groups are automatically granted roles based on their type when created; incident, approval, catalog, agile, etc. Our ServiceNow team maintains the managers of the groups. We did this for auditing purposes as opposed to just giving managers the role of user_admin.



Maybe that helps?



Dustin Werner


Software Developer 3


Costco Wholesale


Jonathan Brown
Kilo Guru

For question 1


If I understand your question correctly...


I run a report off of the User Role (sys_user_has_role) table.


The table has a field called Granted By that should tell you if the role is inside a group or at least gave that person this role because of that group. If it's blank then the role is listed directly to the person. I am not 100% sure how this works with roles embedded into roles but at least it's a good starting point.



Then just bring in Role, Granted by, User and dot walk for the rest of the user record you need. You could probably export and do a pivot table on the granted by to get what you need.
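The pivot described in the reply above, sketched as an added example that is not part of the original thread: it reads a CSV export of the User Role (sys_user_has_role) table and splits rows into group-granted roles and roles assigned directly to users. The column names `user`, `role` and `granted_by`, and the sample rows, are assumptions; match them to the headers of your own export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export of sys_user_has_role (not real data).
# Column names user/role/granted_by are assumed; adjust to your export.
SAMPLE_CSV = """user,role,granted_by
Alice Admin,itil,Service Desk
Bob Builder,itil,Service Desk
Bob Builder,catalog_admin,Catalog Team
Carol Change,itil,
Carol Change,user_admin,
Alice Admin,knowledge,Service Desk
Bob Builder,itil,
"""

def pivot_roles(csv_text):
    """Return (groups, direct).

    groups: {group: {role: sorted users}} for rows where Granted by is set.
    direct: {user: sorted roles} for rows where Granted by is blank.
    """
    by_group = defaultdict(lambda: defaultdict(set))
    direct = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = (row.get("user") or "").strip()
        role = (row.get("role") or "").strip()
        group = (row.get("granted_by") or "").strip()
        if not user or not role:
            continue  # skip malformed or empty rows
        if group:
            by_group[group][role].add(user)
        else:
            direct[user].add(role)
    groups = {g: {r: sorted(u) for r, u in sorted(roles.items())}
              for g, roles in sorted(by_group.items())}
    return groups, {u: sorted(r) for u, r in sorted(direct.items())}

def redundant_direct(groups, direct):
    """Direct grants that the same user also receives through a group."""
    via_group = {(u, r) for roles in groups.values()
                 for r, users in roles.items() for u in users}
    return sorted((u, r) for u, rs in direct.items()
                  for r in rs if (u, r) in via_group)

if __name__ == "__main__":
    groups, direct = pivot_roles(SAMPLE_CSV)
    print("By group:", groups)
    print("Direct:", direct)
    print("Direct and also via group:", redundant_direct(groups, direct))
```

The direct-assignment list is the part to review before a cleanup: those are the roles that do not go away when a user is removed from a group.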