Way to allow some users to create/delete roles, users, and groups.

shog
Tera Contributor

Hi,

 

I would like to make certain users in our instance able to perform the following actions:

1. Create and delete Users, Groups, and Roles.

2. Assign Roles to Users and Groups.

 

What I've already found by searching is:

1. Creating and deleting Users, Groups and Roles requires the admin role.

2. Assigning Roles requires the user_admin role.

 

My questions are:

1. Should I assign the user_admin role to those specific users?

2. Is there any better way to allow users to create/delete users, groups, roles without giving them the admin role?

 

Thank you for your advice.

1 ACCEPTED SOLUTION

Dr Atul G- LNG
Tera Patron

Hi @shog 

As per recommendation, user_admin is the minimum role required to update a user. It’s better to use the out-of-the-box role instead of creating a new ACL.


Regards
Dr. Atul G. - Learn N Grow Together
ServiceNow Techno - Functional Trainer
LinkedIn: https://www.linkedin.com/in/dratulgrover
YouTube: https://www.youtube.com/@LearnNGrowTogetherwithAtulG
Topmate: https://topmate.io/atul_grover_lng [ Connect for 1-1 Session]


3 REPLIES

Rafael Batistot
Kilo Patron

Hi @shog 

 

  • admin
    • Full system control (including create/delete users, groups, roles, etc.).
    • Too much power for what you’re describing.
  • user_admin
    • Can assign roles to users and groups.
    • Does not by default create or delete users, groups, or roles.

Your Requirements vs. Roles

 

  1. Create/Delete Users & Groups
    • Out of the box, this requires admin.
  2. Create/Delete Roles
    • Also requires admin (and should usually be very tightly controlled — roles define access).
  3. Assign Roles
    • Requires user_admin (or a custom delegated ACL).

Nikhil Bajaj9
Tera Sage

Hi @shog ,

 

Please check this - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0723786

 

This may give you an idea how you can achieve it.

 

This is an ACL solution, but if you want, you can also create a Catalog item + Flow or a Record producer to create the User/Group, and you can control it using User criteria.

 


 

Regards,

Nikhil Bajaj


ServiceNow Rising Star-2025
