
How to make it so that Group Managers can Add/Remove Group Members

pmcain90
Tera Contributor

Currently working on making it so that Group Managers can Add/Remove Group Members for only the groups they are managers for. I followed the directions from How to configure Group Members (sys_user_grmember) edit capability, so that only the Group Manager i... and it is working for the most part. The issue is that it is not working for groups that have the ITIL role. The manager will try to add a user by using the slush bucket, and then the banner will appear saying the job is running, but then it silently fails and the user is not added. Any ideas on why this would happen for groups with the ITIL role and how to work around this?


Vishal_Jaiswal
Tera Expert

Hi @pmcain90 ,

Yes, this is a common security feature in ServiceNow, and your diagnosis is correct. The problem is not with your ACLs but with role management.

The issue occurs because adding a user to a group that contains the itil role is not just a group membership change; it's an attempt to grant a significant system role. ServiceNow has a built-in security mechanism to prevent users from assigning powerful roles they don't have the authority to grant.

The silent failure happens because a background Business Rule checks if the current user (the Group Manager) has the permission to grant the itil role. Since they don't, the database transaction is aborted.

## The Solution: Use Role Delegation

The correct and most secure way to solve this is to use the Role Delegation feature. This allows you to explicitly grant specific users or roles (like your group managers) the ability to assign specific, powerful roles (like itil) to other users.

This gives you granular control without having to give your managers the full user_admin or admin roles.

### Step-by-Step Guide to Fix This:

  1. Grant the Delegation Role:

    • First, ensure your Group Managers have the role_delegation role. This role allows them to act as a role delegate. You can add this role to your "Group Manager" group or assign it directly.

  2. Create a Delegation Rule:

    • Navigate to User Administration > Role Delegation.

    • Click New.

    • Fill out the form:

      • Delegated to: Choose who can perform the delegation. You can select a specific group (e.g., your "Group Managers" group) or users with a specific role.

      • Grantable roles: This is the most important part. Click the lock icon and add the itil role to this list. You can add other roles if needed.

      • Assignable to: You can optionally restrict which groups or users the role can be assigned to, but for your use case, you can likely leave this blank.

  3. Submit the new Role Delegation record.
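An added illustration (my own model, not ServiceNow's implementation) of the authorization decision this reply describes: joining a group grants that group's roles, and each such role must be grantable by the requester either directly or through a delegation rule matching the three form fields above. The group/role data, the delegation rule and the property names are constructed assumptions.

```javascript
// Constructed sample data: roles each group carries (assumption, not a real instance).
const GROUP_ROLES = { 'Service Desk': ['itil'], 'Network': ['itil'], 'Facilities': [] };

// Constructed delegation rule mirroring the form fields in the reply:
// Delegated to (a group), Grantable roles, Assignable to (groups; null = unrestricted).
const DELEGATIONS = [
  { delegatedToGroup: 'Group Managers', grantableRoles: ['itil'], assignableToGroups: ['Service Desk'] },
];

// Roles a user would implicitly receive by being added to a group.
function rolesGainedByJoining(groupName) {
  return GROUP_ROLES[groupName] || [];
}

// May the requester grant `role` to a member of `targetGroup`?
function canGrantRole(requester, role, targetGroup) {
  // Administrators and user administrators may grant roles directly.
  if (requester.roles.includes('admin') || requester.roles.includes('user_admin')) return true;
  // Everyone else needs the role_delegation role plus a matching delegation rule.
  if (!requester.roles.includes('role_delegation')) return false;
  return DELEGATIONS.some(rule =>
    requester.groups.includes(rule.delegatedToGroup) &&
    rule.grantableRoles.includes(role) &&
    (rule.assignableToGroups === null || rule.assignableToGroups.includes(targetGroup)));
}

// The membership add succeeds only if every role the group carries is grantable;
// otherwise it reports which roles block it (the "silent failure" in the reply).
function canAddMember(requester, groupName) {
  const blockedRoles = rolesGainedByJoining(groupName)
    .filter(role => !canGrantRole(requester, role, groupName));
  return { allowed: blockedRoles.length === 0, blockedRoles };
}
```

The Network case shows the effect of a non-empty Assignable to list: the same manager who can add to Service Desk is blocked there because the rule does not cover that group.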

Ankur Bawiskar
Tera Patron

@pmcain90 

That's expected. The addition/removal happens via a backend scheduled job and not immediately if there are a lot of records to process; the system property involved is "glide.ui.schedule_slushbucket_save_for_group_roles".

Check the links below:

What job add or removes role(s) from user(s) of group and why has it been queued? 

Unable to Add Users with HR Roles to Groups When glide.ui.schedule_slushbucket_save_for_group_roles ... 

Adding / removing role to a group with high number of users does not add / remove role to all the us... 

As a workaround:

(screenshot: AnkurBawiskar_0-1759584915141.png)

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader