Issues with Role Inheritance when extending sys_user_group and sys_user_grmember

tomato20250 · yesterday

Hi everyone,

I am working on a requirement where I have extended sys_user_group into a custom table u_team and sys_user_grmember into u_team_member. My goal is to have roles automatically synchronized to users when they are added to u_team_member, similar to how the standard Group-Member relationship works.

I have implemented a Business Rule (I basically call the Script Include and do nothing else) and Script Include to manually manage these roles in the sys_user_has_role table. However, I am facing two major issues:

Role Deletion Conflict: If a user belongs to both a standard Group and a custom Team, and both entities provide the same Role A: When I remove the user from the Team, my script deletes Role A from the user's profile, even though they should still retain it via the standard Group membership.
Inheritance Map issues: * If I set inherited = true in my script, I struggle to keep it synced with the platform's native logic.
- If I set inherited = false, the Inheritance Map tool does not show the relationship, making it hard to audit where the role came from.

My questions are:

Is it feasible to make a custom table extended from sys_user_grmember behave exactly like the out-of-the-box one regarding role inheritance?
How does the Inheritance Map mechanism work under the hood? Does it only track records explicitly linked via sys_user_grmember? Are there any official documents or deep dives into how Inheritance Map work (I'm a ServiceNow newbie.)?