BLOG - Track Role and Group Membership Changes via Notifications

TausifAhmedS
Tera Contributor

ServiceNow focuses on maintaining detailed and auditable records for role assignments and group memberships through system tables. Although there is no dedicated out-of-the-box notification for these changes, the available data allows organizations to design custom notifications to meet governance and auditing requirements.

 

The tables involved are:

  • User Roles (sys_user_has_role): Tracks roles that are assigned directly to users.

Group roles.png

  • Group Roles (sys_group_has_role): Stores roles that are assigned to groups, which users inherit through group membership.

Group Members.png

  • Group Members (sys_user_grmember): Captures user-to-group membership details, indicating which users belong to which groups.

Group Members.png

By leveraging these tables, administrators can reliably monitor role and group changes and build custom notifications to ensure proper visibility, auditing, and governance.

 

To configure notifications for role and group membership changes, an event-based approach is required along with a mail script to render the notification content.

The solution relies on three events:

  1. User role update 

  2. Group role update

  3. Group membership update

To trigger these events, "Before" Business Rules are implemented on the following tables for both insert and delete actions:

  • User Roles

  • Group Roles

  • Group Members

When a role or group membership is added, a new record is created in the respective table. When it is removed, the record is deleted. Using a Before Business Rule is critical for delete operations because once the record is removed, the associated data is no longer available. Capturing the required details before deletion allows the information to be stored in variables, passed as event parameters, and used later by the notification mail scripts.

For user role tracking, it is important to distinguish whether a role is assigned directly to a user or inherited through group membership. ServiceNow provides the inherited field on the sys_user_has_role table for this exact purpose.

  • When a role is assigned via group membership, the inherited field is automatically set to true.

  • When a role is assigned directly by an administrator, the inherited field remains false.

By applying a condition on this field in the Business Rule, we can clearly identify the source of the role assignment and maintain accurate visibility into how the role was granted or removed.

User Role Update

A Before Insert/Delete Business Rule is configured on the user roles table (sys_user_has_role).
Based on the operation, the action is identified as granted or removed, and relevant details such as the role, user, action type, and the user who performed the update are captured. These details are then passed as parameters to a custom event, which later drives the notification.

Event

  • Create an Event for User role added/removed (for example: kap.user.contact.role.update).
  • To create an event, navigate to All > Platform Analytics Administration > Data Collector > Event Registry.

Event User role.png

Business Rule:

  • Create a Before Business Rule.
  • To create a business rule, navigate to All > System Definition > Business Rule.

BR user role.png

    // Before Insert/Delete Business Rule on sys_user_has_role.
    // Set the rule's condition to inherited = false so that only roles
    // assigned directly to the user (not inherited via a group) raise the event.
    (function executeRule(current, previous /*null when async*/) {

        var operation = current.operation(); // insert / delete
        var action = "";

        if (operation === "insert") {
            action = "granted";
        } else if (operation === "delete") {
            action = "removed";
        } else {
            return;
        }

        // Build payload. On delete the record is still readable here because
        // the rule runs before the row is removed.
        var payload = {
            role: current.role.getDisplayValue(),
            user: current.user.getDisplayValue(),
            updatedBy: gs.getUserDisplayName(), // who made the change
            action: action
        };

        // Trigger event: parm1 carries the action, parm2 the JSON payload
        // read back by the notification email script.
        gs.eventQueue(
            "kap.user.contact.role.update",
            null,
            action,
            JSON.stringify(payload)
        );

    })(current, previous);

Email Script:

  • Create an Email Script.
  • To create an email script, navigate to All > System Notification > Email > Notification Email Scripts.

    (function runMailScript(current, template, email, email_action, event) {

        // parm2 holds the JSON payload queued by the Business Rule
        if (!event || !event.parm2) {
            template.print("Role update details are unavailable.");
            return;
        }

        var data = JSON.parse(event.parm2);
        var actionText = data.action === "granted"
            ? "Role Added to User: " + data.user
            : "Role Removed from User: " + data.user;

        var bodyStart = (data.action === "granted" ? "new role has been added to " : "role has been removed from the ");

        // Subject
        email.setSubject(actionText);

        // Body
        template.print("<p>This is to inform you that a " + bodyStart + "user. Please find the details below:</p>");

        template.print("<p><b>Role: </b>" + data.role + "<br/>");
        template.print("<b>" + (data.action === "granted" ? "Added To User:" : "Removed from User:") + "</b> " + data.user + "<br/>");
        template.print("<b>" + (data.action === "granted" ? "Added By:" : "Removed By:") + "</b> " + data.updatedBy + "</p>");

    })(current, template, email, email_action, event);

Notification:

  • Create a Notification.
  • To create a notification, navigate to All > System Notification > Email > Notifications.

notification use role.png

User role added.png

User Role Added

user role removed.png

User Role Removed

Group Role Update

Similarly, a Before Insert/Delete Business Rule is implemented on the group role table (sys_group_has_role).
Whenever a role is added to or removed from a group, the rule captures the role name, group name, action performed, and the user responsible for the change, and triggers a dedicated group role update event.

Event: Create an Event.

Business Rule: Create a Before Business Rule.

BR Group role.png

    // Before Insert/Delete Business Rule on sys_group_has_role.
    (function executeRule(current, previous /*null when async*/) {

        var operation = current.operation(); // insert / delete
        var action = "";

        if (operation === "insert") {
            action = "granted";
        } else if (operation === "delete") {
            action = "removed";
        } else {
            return;
        }

        // Build payload (read before the row is deleted)
        var payload = {
            role: current.role.getDisplayValue(),
            group: current.group.getDisplayValue(),
            updatedBy: gs.getUserDisplayName(),
            action: action
        };

        // Trigger event; parm2 carries the JSON payload for the email script
        gs.eventQueue(
            "kap.group.role.update",
            null,
            action,
            JSON.stringify(payload)
        );

    })(current, previous);

Email Script: Create an Email Script.

    (function runMailScript(current, template, email, email_action, event) {

        // parm2 holds the JSON payload queued by the Business Rule
        if (!event || !event.parm2) {
            template.print("Role update details are unavailable.");
            return;
        }

        var data = JSON.parse(event.parm2);
        var actionText = data.action === "granted"
            ? "Role Added to Group: " + data.group
            : "Role Removed from Group: " + data.group;

        var bodyStart = (data.action === "granted" ? "new role has been added to " : "role has been removed from the ");

        // Subject
        email.setSubject(actionText);

        // Body
        template.print("<p>This is to inform you that a " + bodyStart + "group. Please find the details below:</p>");

        template.print("<p><b>Role: </b>" + data.role + "<br/>");
        template.print("<b>" + (data.action === "granted" ? "Added To Group:" : "Removed from Group:") + "</b> " + data.group + "<br/>");
        template.print("<b>" + (data.action === "granted" ? "Added By:" : "Removed By:") + "</b> " + data.updatedBy + "</p>");

    })(current, template, email, email_action, event);

Notification: Create a Notification.

Notification group role.png

group role added.png

Group Role Added

group role removed.png

Group Role Removed

Group Membership Update

For group membership changes, a Before Insert/Delete Business Rule is configured on the group member table (sys_user_grmember). This rule identifies whether a user was added to or removed from a group, captures the necessary details, and triggers a corresponding event to notify stakeholders about the membership change.

Event: Create an Event.

Business Rule: Create a Before Business Rule.

BR group member.png

    // Before Insert/Delete Business Rule on sys_user_grmember.
    (function executeRule(current, previous /*null when async*/) {

        var operation = current.operation(); // insert / delete
        var message = "";

        if (operation === "insert") {
            message = "added to";
        } else if (operation === "delete") {
            message = "removed from";
        } else {
            return;
        }

        // Build payload (read before the row is deleted)
        var users = {
            action: message,
            member: current.user.getDisplayValue(),
            group: current.group.getDisplayValue(),
            updatedBy: gs.getUserDisplayName()
        };

        // Trigger event; parm2 carries the JSON payload for the email script
        gs.eventQueue(
            "kap.user.contact.group.update",
            null,
            message,
            JSON.stringify(users)
        );

    })(current, previous);
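The three Business Rules above (user roles, group roles, group members) follow one pattern: map the operation to an action word, read the display values while the record still exists, and queue an event with the JSON payload in parm2. The following is an added example, not code from this post, that models that pattern as a single pure function runnable under Node, so the decision logic can be checked outside an instance. It goes slightly beyond the post by making the inherited = false check explicit in script (the post puts it in the rule's condition). The names buildChangeEvent, TABLE_RULES and demo, and the sample records, are assumptions; a plain object with resolved display values stands in for current, and the function returns the arguments gs.eventQueue would receive.

```javascript
// Added example (not the post's code): the three Before Business Rules
// modelled as one pure function that runs under Node. `record` stands in
// for `current` with display values already resolved, `operation` for
// current.operation(), and `actor` for gs.getUserDisplayName(). The
// function returns the arguments gs.eventQueue would receive, or null
// when nothing should be queued.
const TABLE_RULES = {
  sys_user_has_role: {
    event: "kap.user.contact.role.update",
    actions: { insert: "granted", delete: "removed" },
    // payload key -> record field
    payload: { role: "role", user: "user" },
    directOnly: true, // the post puts inherited = false in the rule condition
  },
  sys_group_has_role: {
    event: "kap.group.role.update",
    actions: { insert: "granted", delete: "removed" },
    payload: { role: "role", group: "group" },
    directOnly: false,
  },
  sys_user_grmember: {
    event: "kap.user.contact.group.update",
    actions: { insert: "added to", delete: "removed from" },
    payload: { member: "user", group: "group" },
    directOnly: false,
  },
};

function buildChangeEvent(table, record, operation, actor) {
  const rule = TABLE_RULES[table];
  if (!rule) {
    throw new Error("no tracking rule defined for table " + table);
  }
  // A role inherited through group membership is reported by the group
  // rules; the direct-assignment rule stays silent for it.
  if (rule.directOnly && record.inherited === true) {
    return null;
  }
  const action = rule.actions[operation];
  if (!action) {
    return null; // e.g. "update": no grant or revoke to report
  }
  const payload = { action: action, updatedBy: actor };
  for (const key of Object.keys(rule.payload)) {
    payload[key] = record[rule.payload[key]];
  }
  // Same positional shape as gs.eventQueue(name, record, parm1, parm2);
  // the post passes null as the record and carries the data in parm2.
  return { name: rule.event, record: null, parm1: action, parm2: JSON.stringify(payload) };
}

// Constructed sample records, not real instance data
const SAMPLE_DIRECT_ROLE = { role: "itil", user: "Abel Tuter", inherited: false };
const SAMPLE_INHERITED_ROLE = { role: "itil", user: "Abel Tuter", inherited: true };
const SAMPLE_MEMBERSHIP = { user: "Abel Tuter", group: "Service Desk" };

// Runs each interesting case once so the results can be inspected
function demo() {
  const actor = "System Administrator";
  return {
    directGrant: buildChangeEvent("sys_user_has_role", SAMPLE_DIRECT_ROLE, "insert", actor),
    directRevoke: buildChangeEvent("sys_user_has_role", SAMPLE_DIRECT_ROLE, "delete", actor),
    inherited: buildChangeEvent("sys_user_has_role", SAMPLE_INHERITED_ROLE, "insert", actor),
    update: buildChangeEvent("sys_user_has_role", SAMPLE_DIRECT_ROLE, "update", actor),
    leftGroup: buildChangeEvent("sys_user_grmember", SAMPLE_MEMBERSHIP, "delete", actor),
  };
}
```

Keeping the per-table wording in one table makes it obvious that the group-membership rule uses "added to" / "removed from" while the two role rules use "granted" / "removed"; the email scripts compare against exactly those strings, so any drift between a rule and its script silently flips the notification wording.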

 

Email Script: Create an Email Script.

    (function runMailScript(current, template, email, email_action, event) {

        // parm2 holds the JSON payload queued by the Business Rule
        if (!event || !event.parm2) {
            template.print("Group membership update details are unavailable.");
            return;
        }

        var data = JSON.parse(event.parm2);

        var actionText = data.action === "added to" ?
            "User Added to Group: " + data.group :
            "User Removed from Group: " + data.group;

        var bodyStart = data.action === "added to" ?
            "a user has been added to the " :
            "a user has been removed from the ";

        // Subject
        email.setSubject(actionText);

        // Body
        template.print("<p>This is to inform you that " + bodyStart + "group. Please find the details below:</p>");
        template.print("<p><b>User:</b> " + data.member + "<br/>");
        template.print("<b>" + (data.action === "added to" ? "Added to Group:" : "Removed from Group:") + "</b> " + data.group + "<br/>");
        template.print("<b>" + (data.action === "added to" ? "Added by:" : "Removed by:") + "</b> " + data.updatedBy + "<br/></p>");

    })(current, template, email, email_action, event);
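The three email scripts (user role, group role, group membership) all do the same work: guard against a missing parm2, parse the JSON, pick wording based on the action, set the subject and print an HTML body. Below is an added example, not code from this post, that models them as one Node-runnable renderer so the output can be checked without sending mail. It adds two things the post's scripts leave implicit: JSON.parse is wrapped so a truncated or malformed event parameter produces a fallback message rather than a script error, and the values taken from the payload (user, group and role display names, which are ordinary records that people edit) are HTML-escaped before being concatenated into the body. The names renderNotification, parsePayload, escapeHtml and RENDERERS are assumptions; in a real mail script the returned subject would go to email.setSubject and the body to template.print.

```javascript
// Added example (not the post's code): a Node model of the three email
// scripts as one renderer. `parm2` is the string the Business Rule queued.
// The returned subject goes to email.setSubject and the body to
// template.print in a real mail script. Two points the post's scripts do
// not make explicit are handled here:
//  1. JSON.parse is guarded, so a missing, empty or malformed parm2 yields
//     a fallback message instead of a script error.
//  2. Values taken from the payload (user, group, role names) are
//     HTML-escaped before being placed in the HTML body, because they are
//     display values that other people edit.
function escapeHtml(value) {
  return String(value == null ? "" : value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Wording per event, keyed by the event name the Business Rule queues.
// `added` is true when the payload action is the "insert" wording.
const RENDERERS = {
  "kap.user.contact.role.update": {
    addedAction: "granted",
    subject: (d, added) => (added ? "Role Added to User: " : "Role Removed from User: ") + d.user,
    intro: (added) => "a " + (added ? "new role has been added to " : "role has been removed from the ") + "user",
    rows: (d, added) => [
      ["Role", d.role],
      [added ? "Added To User" : "Removed from User", d.user],
      [added ? "Added By" : "Removed By", d.updatedBy],
    ],
  },
  "kap.group.role.update": {
    addedAction: "granted",
    subject: (d, added) => (added ? "Role Added to Group: " : "Role Removed from Group: ") + d.group,
    intro: (added) => "a " + (added ? "new role has been added to " : "role has been removed from the ") + "group",
    rows: (d, added) => [
      ["Role", d.role],
      [added ? "Added To Group" : "Removed from Group", d.group],
      [added ? "Added By" : "Removed By", d.updatedBy],
    ],
  },
  "kap.user.contact.group.update": {
    addedAction: "added to",
    subject: (d, added) => (added ? "User Added to Group: " : "User Removed from Group: ") + d.group,
    intro: (added) => "a user has been " + (added ? "added to the " : "removed from the ") + "group",
    rows: (d, added) => [
      ["User", d.member],
      [added ? "Added to Group" : "Removed from Group", d.group],
      [added ? "Added by" : "Removed by", d.updatedBy],
    ],
  },
};

// Returns the parsed payload object, or null if parm2 is unusable.
function parsePayload(parm2) {
  if (typeof parm2 !== "string" || parm2.length === 0) {
    return null;
  }
  try {
    const data = JSON.parse(parm2);
    return data !== null && typeof data === "object" ? data : null;
  } catch (err) {
    return null; // truncated or otherwise malformed event parameter
  }
}

function renderNotification(eventName, parm2) {
  const r = RENDERERS[eventName];
  if (!r) {
    throw new Error("no renderer for event " + eventName);
  }
  const data = parsePayload(parm2);
  if (!data) {
    return { subject: "Role or group update", body: "<p>Update details are unavailable.</p>" };
  }
  const added = data.action === r.addedAction;
  const rows = r
    .rows(data, added)
    .map(([label, value]) => "<b>" + label + ":</b> " + escapeHtml(value))
    .join("<br/>");
  const body =
    "<p>This is to inform you that " + r.intro(added) + ". Please find the details below:</p>" +
    "<p>" + rows + "</p>";
  // The subject is plain text, so it is not HTML-escaped
  return { subject: r.subject(data, added), body: body };
}
```

Feeding a constructed payload whose user name contains markup shows the difference: the name arrives in the body as escaped text, so a display value can never change the structure of the notification that auditors read.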

 

Notification: Create a Notification.

Notification group member.png

User added to group.png

User Added to Group

User removed from group .png

User Removed from Group

If you found this blog helpful, please mark it as helpful!

Regards,

Tausif
