Workflow can no longer update sys_user_group manager field

Go to solution
Cheri M
Kilo Sage

‎01-10-2024 08:09 AM - edited ‎01-10-2024 08:24 AM

Hello,

I have a weird issue suddenly. Scenario, I have a workflow that goes to AD, updates the group manager and then, a script activity that updates the group manager field in ServiceNow - these are not type security group. This was created years ago and was tested and worked.  Suddenly we notice it is not updating the manager field in SN. The import from AD at night does update the field but there are some scenarios where it needs to be update immediately to create a new approval to the new group manager.

I checked my script as myself (admin) and it runs fine.  When I ran it in the WF I see this error in the logs.
'User mid_server_dev does not have the role 'sn_si.admin' which is required to grant/remove 'sn_si.read' under application administration, Resource: 'record/sys_user_group/write'

Odd, but in dev I added that role to the mid server account and it worked. WHY would it need that role to update a group manager on an ITIL group (not security group)?  Anyone else experience this?

Thanks,

Cheri

0 Helpfuls
  • 668 Views
1 ACCEPTED SOLUTION

Go to solution
SanjivMeher
Kilo Patron
Kilo Patron
In response to Cheri M

‎01-10-2024 10:12 AM

Did someone add sn_si.read under itil by mistake?


Please mark this response as correct or helpful if it assisted you with your question.

View solution in original post

0 Helpfuls
5 REPLIES 5

Go to solution
SanjivMeher
Kilo Patron
Kilo Patron

‎01-10-2024 09:51 AM

Can you check if the group has a role sn_si.read? If so, to grant manager access to that group, the mid server would need that role sn_si.admin.


Please mark this response as correct or helpful if it assisted you with your question.
0 Helpfuls

Go to solution
Cheri M
Kilo Sage
In response to SanjivMeher

‎01-10-2024 10:08 AM

Thank you for your reply. The only role it has is itil.  Only Type is itil.

0 Helpfuls

Go to solution
SanjivMeher
Kilo Patron
Kilo Patron
In response to Cheri M

‎01-10-2024 10:12 AM

Did someone add sn_si.read under itil by mistake?


Please mark this response as correct or helpful if it assisted you with your question.
0 Helpfuls

Go to solution
Cheri M
Kilo Sage
In response to SanjivMeher

‎01-10-2024 10:19 AM

Well thank you for pointing me in the right direction, I didn't think to check roles under itil.
Yes sn_si.read was added. There was a direction to allow all ITIL to read sec. incidents despite my protest, it happened.  I will do some workaround for that org requirement like perhaps writing ACLs.

0 Helpfuls