Issue with Adding Users to Groups via Service Account – Inconsistent Behavior
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-08-2025 11:45 PM
Hi Community,
We're currently automating the process of adding users to groups in ServiceNow using a service account. The service account has been assigned the user_admin role.
When impersonating this service account, I’m able to add users to some groups successfully, but for certain other groups, the users are not being added, even though the system displays the message:
"Job has been queued to add users into group."
There are no visible errors, and the job appears to be triggered, but the users simply don’t get added to those specific groups.
Here’s what I’ve checked so far:
- The service account has the necessary roles (user_admin).
- The groups in question are active and not restricted by any custom logic (as far as I can tell).
- There are no obvious ACLs or business rules blocking the addition.
Has anyone encountered similar behavior?
Any insights or suggestions on how to debug or resolve this would be greatly appreciated!
Thanks in advance!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-05-2025 09:03 AM
We have had an auto script to do this for a long time and it all of the sudden quit working on May 15 with the changes made to ACLs via query_match and query_range ACLs. We are in the middle of debugging this too. We used Access Analyzer > Analyze Permissions (also Analyze queries) to help us figure it out. It will allow you to analyze access to data by user, role, or group. Helps figure out those pesky ACL calls. Works on tables (but not database views), UI pages, Client callable script include, and REST endpoints.
What we found is there are ACLs on Scheduled Script Execution [sysauto_script] that is the issue. The only role that has that permission is admin. Instead of adding the admin role to our service account, we decided to add user_admin to the read, create, and delete ACLs for sysauto_script. We are testing out that solution now, but I think between adding user_admin to the service account and ACLs mentioned, it should work.
Hope I helped.
