Active Directory nested groups to assign ServiceNow roles
02-27-2015 07:20 AM
We control access to applications from our Active Directory (AD) whenever possible as it's a centralized point of control. We are implementing QuickStart with ServiceNow and running into an issue with nested groups. I'll give an example of what we want to do, and the problem that we are having.
We have organizational groups in AD that contain all the employees under a certain manager. So for a manager Sally, who has 3 employees (Bob, Brett and Billy), there is an AD group called "SallysEmployees" whose membership is comprised of Bob, Brett and Billy. There might be another manager called Tom, with an AD group called "TomsEmployees" with 3 members (Adam, Allison, Amy). You get the idea.
We want to use these organizational groups to assign ServiceNow security roles within ServiceNow. But because there may be more than one manager's group that needs access to a certain ServiceNow role, we want to make an AD group for each ServiceNow role we wish to control. So there would be AD groups called "ServiceNowAdmin", "ServiceNowITIL", etc. One AD group for each ServiceNow role that we wish to assign. If both Sally's and Tom's employees need to have the ITIL role in ServiceNow, we would add the "SallysEmployees" and "TomsEmployees" AD groups to the "ServiceNowITIL" AD group. Then have ServiceNow find all members in the "ServiceNowITIL" AD group, and assign these people the ITIL role within ServiceNow. Additionally, "SallysEmployees" might also need to have the report_admin role (or some other role) in ServiceNow. So this AD group would be added to the "ServiceNowReportAdmin" AD group also.
This is EXTREMELY standard/simple stuff, and I've set up this exact same scenario for probably 50-75 other applications in my company, but our technical resource for our QuickStart is saying that this isn't possible. The response I've gotten back is "ServiceNow does not support groups having multiple parent groups", but the ServiceNow groups *don't* have multiple parent groups, there is a 1:1 relationship between the AD group and the ServiceNow group.
Can somebody please explain why this isn't possible, or let me know that it is indeed possible? I find it very, very, very difficult to believe that we are the only company using ServiceNow that wishes to do this, as it is an exceedingly common practice in AD.
04-06-2015 02:02 PM
I'm also looking for a solution to this. We've done a fairly complicated script where we map out a many-to-many type relationship table in order to get close to the solution we needed, but come up with new nested groups that need to be administered in our many-to-many mapping so that it works. I'd love to hear from someone who's solved this a simple way - like be able to drill into nested groups to get the user.
11-19-2015 08:26 AM
I tried to explain how to import users from nested AD Security Groups in the following thread link. It works for me; I am also using this method for group import and assigning roles. Just change the objectclass value to "objectclass=group" and use it for nested group import. Hope this helps you.
How to get LDAP Import to show Nested Groups
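The two approaches discussed in this thread (the original post's one-AD-group-per-ServiceNow-role design with organizational groups nested inside it, and the nested-group import described in the reply above) both come down to the same operation: flattening transitive AD group membership into a list of users per role. The following Python is an added example written for this thread, not code from ServiceNow, from the QuickStart, or from any poster. It uses a constructed in-memory stand-in for the directory (DN-keyed entries with objectClass and member attributes, the shape an LDAP search returns), with the posters' group names and assumed DNs under an assumed base of DC=example,DC=com plus two assumed extra groups (ITOps, ITLeads) that form a membership cycle. It shows a client-side recursive walk that is cycle-safe and tolerates dangling member references, and it builds the LDAP filter that asks AD to do the same expansion server-side through the LDAP_MATCHING_RULE_IN_CHAIN extended matching rule (OID 1.2.840.113556.1.4.1941), which is the filter you would put in an LDAP import definition if you want one query per role group instead of a recursive import.

```python
"""Flatten nested Active Directory group membership into per-role user lists.

Added example for the nested-group discussion in this thread. The directory
below is constructed sample data: DNs, OUs and the ITOps/ITLeads groups are
assumptions, not anything taken from the posters' environments.
"""
from collections import deque

# AD extended matching rule (LDAP_MATCHING_RULE_IN_CHAIN): makes the server
# walk nested membership, so a single search returns transitive members.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

BASE = "DC=example,DC=com"  # assumed base DN


def user_dn(cn):
    return f"CN={cn},OU=Users,{BASE}"


def group_dn(cn):
    return f"CN={cn},OU=Groups,{BASE}"


# Constructed sample directory. 'member' holds DNs exactly as AD does.
DIRECTORY = {
    **{user_dn(cn): {"objectClass": "user", "member": []}
       for cn in ("Bob", "Brett", "Billy", "Adam", "Allison", "Amy")},
    group_dn("SallysEmployees"): {
        "objectClass": "group",
        "member": [user_dn("Bob"), user_dn("Brett"), user_dn("Billy")]},
    group_dn("TomsEmployees"): {
        "objectClass": "group",
        "member": [user_dn("Adam"), user_dn("Allison"), user_dn("Amy")]},
    # One AD group per ServiceNow role; org groups are nested inside them.
    group_dn("ServiceNowITIL"): {
        "objectClass": "group",
        "member": [group_dn("SallysEmployees"), group_dn("TomsEmployees")]},
    group_dn("ServiceNowReportAdmin"): {
        "objectClass": "group",
        "member": [group_dn("SallysEmployees")]},
    # Assumed groups forming a cycle (ITOps -> ITLeads -> ITOps), plus a
    # dangling reference to a deleted user: both must not break the walk.
    group_dn("ServiceNowAdmin"): {
        "objectClass": "group",
        "member": [group_dn("ITOps"), user_dn("LeftCompany")]},
    group_dn("ITOps"): {
        "objectClass": "group",
        "member": [group_dn("ITLeads"), user_dn("Adam")]},
    group_dn("ITLeads"): {
        "objectClass": "group",
        "member": [group_dn("ITOps"), user_dn("Amy")]},
}

# ServiceNow role name -> the AD group that grants it (assumed mapping).
ROLE_GROUPS = {
    "itil": group_dn("ServiceNowITIL"),
    "report_admin": group_dn("ServiceNowReportAdmin"),
    "admin": group_dn("ServiceNowAdmin"),
}


def resolve_members(directory, start_dn):
    """Client-side expansion: breadth-first walk over nested groups.

    DNs are compared case-insensitively (AD DNs are not case-sensitive),
    a visited set stops cycles, and members that no longer resolve to an
    entry (deleted objects) are skipped rather than raising.
    """
    index = {dn.lower(): dn for dn in directory}
    users, seen, queue = set(), set(), deque([start_dn])
    while queue:
        key = queue.popleft().lower()
        if key in seen:
            continue
        seen.add(key)
        canonical = index.get(key)
        if canonical is None:  # dangling member reference
            continue
        entry = directory[canonical]
        if entry["objectClass"] == "user":
            users.add(canonical)
        else:
            queue.extend(entry["member"])
    return users


def cn_of(dn):
    """First RDN value of a DN, e.g. 'Bob' from 'CN=Bob,OU=Users,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def role_assignments(directory, role_groups):
    """Role name -> sorted user CNs, i.e. the list an import would assign."""
    return {role: sorted(cn_of(dn) for dn in resolve_members(directory, grp))
            for role, grp in role_groups.items()}


def escape_filter_value(value):
    """RFC 4515 escaping for values embedded in an LDAP search filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def in_chain_filter(role_group_dn, object_class="user"):
    """Server-side expansion: AD returns every transitive member directly."""
    return (f"(&(objectClass={object_class})"
            f"(memberOf:{MATCHING_RULE_IN_CHAIN}:={escape_filter_value(role_group_dn)}))")


if __name__ == "__main__":
    for role, users in role_assignments(DIRECTORY, ROLE_GROUPS).items():
        print(f"{role}: {', '.join(users)}")
        print("  LDAP filter:", in_chain_filter(ROLE_GROUPS[role]))
```

Two things worth checking in a real deployment: the matching-rule-in-chain filter is specific to Active Directory (other LDAP servers ignore or reject it), and it resolves nesting within the queried domain or forest according to the group types involved, so a group imported with objectclass=group on the ServiceNow side still needs the transitive walk above if the import is expected to enumerate the users and not just the directly nested groups.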
01-20-2016 02:42 AM
Hi Murat,
What version is your ServiceNow instance? Thanks.
Blog: https://sys.properties | Telegram: https://t.me/sys_properties | LinkedIn: https://www.linkedin.com/in/slava-savitsky/