yesterday - last edited yesterday
Good morning,
I've crafted a custom ACL on sys_user_delegate with READ rights. I'm hoping to allow our Service Desk agents to have insight into a manager's delegate. However, applying this role to a Service Desk agent doesn't give them access to view delegates (if they navigate to All > Delegates, they receive no results). Admittedly, ACLs aren't my strong suit.
Is there an OOB way to provide the above capability, perhaps? I only see the Admin role applying on the sys_user_delegate table currently, and that's clearly overkill. I simply need my agents to have visibility on (a) whether a manager has a delegate configured and (b) who the delegate is.
Any advice is appreciated!
yesterday
ServiceNow – Granting Read-Only Access to sys_user_delegate for Service Desk Agents
Issue:
By default, the sys_user_delegate table in ServiceNow is restricted to admin roles. Service Desk agents cannot view delegate records, even if a custom ACL with READ rights is added.
Goal:
Allow Service Desk agents to see (a) whether a manager has a delegate and (b) who that delegate is, without granting admin privileges.
---
1. Understanding sys_user_delegate ACL Behavior
- Table: sys_user_delegate
- Default access: Only admin or delegate_admin roles
- Fields: delegate_from (manager), delegate_to (delegate), assignment type, start/end dates
The table is secured due to its sensitive delegation data.
---
2. Create a Read-Only Role (Recommended Safe Option)
Step 1: Create a new role
Name: delegate_viewer
Step 2: Create a new Access Control
Navigate to: System Security → Access Control (ACL)
- Type: record
- Operation: read
- Name: sys_user_delegate
- Requires Role: delegate_viewer
Step 3: Add condition (optional)
For full visibility:

```javascript
// With delegate_viewer already listed under "Requires role" on the ACL this check is
// redundant, but it keeps the intent explicit if the role list is changed later.
answer = gs.hasRole('delegate_viewer');
```

For restricted visibility (same department only):

```javascript
// Compare sys_id strings, not GlideElement objects: `==` on two GlideElements compares
// the objects rather than their values and never matches. current.delegate_from.department
// dot-walks to the manager's department sys_id; getDepartmentID() returns the viewer's.
var managerDept = current.delegate_from.department.toString();
var viewerDept = gs.getUser().getDepartmentID();
// Deny when either side has no department: otherwise '' == '' would grant access to every
// delegation whose manager has no department set.
answer = gs.hasRole('delegate_viewer') && managerDept !== '' && managerDept === viewerDept;
```
Step 4: Assign Role
Grant delegate_viewer to the Service Desk Agent role or group.
---
3. Validate Access
After applying the ACL:
- Log in as a Service Desk agent
- Navigate to All → Delegates
- Verify records appear
If no results, check:
- ACL evaluation (System Security → Debug Security Rules)
- Role inheritance
- No conflicting “deny” ACLs exist
---
4. Out-of-Box Alternatives
Option A: Read-Only Report or Dashboard
Create a report on sys_user_delegate showing:
- Delegate from
- Delegate to
- Active
- Assignment Type
Grant access via roles instead of modifying ACLs.
Option B: Related List on sys_user Form
Add a “Delegates” related list to the User form (visible to Service Desk role).
Restrict fields or records via ACL or UI Policy.
Option C: Script Include for Portal/UI Widget
Expose data safely using a Script Include:
```javascript
var DelegateHelper = Class.create();
DelegateHelper.prototype = {
    initialize: function() {},

    // Return the active delegations for one manager as plain JSON-serialisable objects.
    // GlideRecordSecure (rather than GlideRecord) enforces the table and field ACLs of the
    // calling user, so a client-callable lookup cannot return rows the caller may not read.
    // Field names follow this answer; confirm them against the sys_user_delegate dictionary.
    getDelegatesForManager: function(managerSysId) {
        var gr = new GlideRecordSecure('sys_user_delegate');
        gr.addQuery('delegate_from', managerSysId);
        gr.addQuery('active', true);
        gr.query();
        var delegates = [];
        while (gr.next()) {
            delegates.push({
                manager: gr.delegate_from.getDisplayValue(),
                delegate: gr.delegate_to.getDisplayValue(),
                type: gr.getValue('assignment_type') // plain string, not a GlideElement
            });
        }
        return delegates;
    },

    type: 'DelegateHelper'
};
```
---
5. Security Considerations
- Grant only read access (no write/delete)
- Hide unnecessary fields using field ACLs
- For portals, use REST or GlideAjax with filtered data
---
6. Recommended Best Practice
| Goal | Approach |
|------|-----------|
| Agents need full read-only access | Create role delegate_viewer + read ACL |
| Agents see only manager’s delegates | Use related list/report |
| Portal/Widget visibility | Script Include with GlideRecord |
---
✅ TL;DR
There’s no out-of-box non-admin role to view sys_user_delegate.
To safely allow visibility:
- Create delegate_viewer role
- Add read ACL on sys_user_delegate
- Assign to Service Desk Agents
Optionally, use reports or related lists for OOB-safe visibility.
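The same-department ACL condition and the filtered lookup from the answer above, written as pure functions so they can be unit-tested in Node.js before touching the instance. This is an added example, not code from the original post or from ServiceNow: it deliberately omits GlideRecord and gs, and on the instance you would feed it values obtained with getValue(), toString() and gs.getUser().getDepartmentID(). The field names (delegate_from, delegate_to, assignment_type, starts, ends) and the role name delegate_viewer are taken from the answer and are assumed, not verified against a dictionary; the sample records are constructed.

```javascript
// Added example (not from the original post): ACL condition + result shaping for a
// delegate lookup, as pure functions testable outside ServiceNow. Field and role
// names are assumed from the answer above; the sample data below is constructed.

const ROLE_VIEWER = 'delegate_viewer';
// Fields a portal/GlideAjax response may carry; anything else on the row is dropped.
const EXPOSED_FIELDS = ['delegate_from', 'delegate_to', 'assignment_type', 'starts', 'ends'];

// Same-department ACL condition. record.manager_department stands for the dot-walked
// current.delegate_from.department sys_id; viewer.department for
// gs.getUser().getDepartmentID(). An empty department on either side is a deny:
// '' === '' would otherwise match every manager with no department against every
// viewer with none.
function canReadDelegate(record, viewer) {
  if (!Array.isArray(viewer.roles) || !viewer.roles.includes(ROLE_VIEWER)) return false;
  const managerDept = String(record.manager_department || '');
  const viewerDept = String(viewer.department || '');
  if (managerDept === '' || viewerDept === '') return false;
  return managerDept === viewerDept;
}

// Parse a glide_date_time value as getValue() returns it ("YYYY-MM-DD HH:MM:SS", UTC).
function parseGlideDateTime(value) {
  if (!value) return NaN;
  return Date.parse(String(value).trim().replace(' ', 'T') + 'Z');
}

// A delegation is active at `now` (ms since epoch) when it has started and has not
// ended. No start date means it never became active; an empty `ends` is open-ended,
// which is exactly the kind of delegation agents should be able to spot.
function isActiveDelegation(record, now) {
  const start = parseGlideDateTime(record.starts);
  if (Number.isNaN(start) || start > now) return false;
  if (!record.ends) return true;
  const end = parseGlideDateTime(record.ends);
  return !Number.isNaN(end) && end >= now;
}

// What a GlideAjax/REST handler should hand back for one manager: only records the
// ACL condition permits, only active ones, and only allow-listed fields.
function listDelegatesForManager(records, managerSysId, viewer, now) {
  return records
    .filter((r) => r.delegate_from === managerSysId)
    .filter((r) => canReadDelegate(r, viewer))
    .filter((r) => isActiveDelegation(r, now))
    .map((r) => {
      const out = {};
      for (const f of EXPOSED_FIELDS) if (f in r) out[f] = r[f];
      return out;
    });
}

// Constructed sample data (not from any instance).
const DEPT_IT = 'dept-it-0001';
const SAMPLE_RECORDS = [
  // active, open-ended delegation of an IT manager
  { sys_id: 'del-1', delegate_from: 'mgr-alice', delegate_to: 'usr-bob', manager_department: DEPT_IT,
    assignment_type: 'approvals', starts: '2025-01-01 00:00:00', ends: '' },
  // expired delegation of the same manager
  { sys_id: 'del-2', delegate_from: 'mgr-alice', delegate_to: 'usr-carol', manager_department: DEPT_IT,
    assignment_type: 'assignments', starts: '2024-01-01 00:00:00', ends: '2024-06-30 23:59:59' },
  // active delegation of a manager with no department set
  { sys_id: 'del-3', delegate_from: 'mgr-dave', delegate_to: 'usr-erin', manager_department: '',
    assignment_type: 'approvals', starts: '2025-01-01 00:00:00', ends: '' },
];
const AGENT_IT = { roles: ['itil', ROLE_VIEWER], department: DEPT_IT };
const AGENT_NO_DEPT = { roles: [ROLE_VIEWER], department: '' };
const AGENT_NO_ROLE = { roles: ['itil'], department: DEPT_IT };

function demo() {
  const now = Date.parse('2025-03-01T12:00:00Z');
  return {
    itAgentSeesAlice: listDelegatesForManager(SAMPLE_RECORDS, 'mgr-alice', AGENT_IT, now),
    itAgentSeesDave: listDelegatesForManager(SAMPLE_RECORDS, 'mgr-dave', AGENT_IT, now),
    noDeptAgentSeesDave: listDelegatesForManager(SAMPLE_RECORDS, 'mgr-dave', AGENT_NO_DEPT, now),
    noRoleAgentSeesAlice: listDelegatesForManager(SAMPLE_RECORDS, 'mgr-alice', AGENT_NO_ROLE, now),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node` and the IT agent gets exactly one record for mgr-alice (the expired one is dropped) with no sys_id or other non-allow-listed field, while the manager without a department, the agent without a department and the agent without the role all get nothing. The empty-department deny is the part most often missed when the condition is written as a bare equality.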
yesterday
Thanks for the reply! I'll review and proceed accordingly.
