Optimizing Unrestricted User Licensing - Identifying Required Users via AD Groups

adithyamasetti

Hi Community,

We're working to optimize our ServiceNow licensing costs for products using the Unrestricted User model (IRM, BCM, and AppEngine) and looking for guidance on user population management strategies.

Background: Per our ServiceNow representative, our IRM, BCM, and AppEngine products are licensed via the Unrestricted User model, which is based on every active user in the User (sys_user) table. We currently pay for 5,124 active users, but we suspect many of these users may not actually need access to our ServiceNow processes.

Our Goal: We want to rightsize our sys_user table to include only users who actually require access for existing business processes, rather than syncing all Active Directory users by default.

Our Approach:

  1. Audit existing processes - Review each ServiceNow process to identify which user groups are actually required
  2. Identify ungrouped users - Determine if users without EGRC AD group assignments are actually participating in any processes
  3. Create targeted AD groups - Work with our Product team to establish specific AD groups for legitimate process participants
  4. Modify AD integration - Adjust our Active Directory integration to populate sys_user only with members of these identified groups

Questions for the Community:

  1. Has anyone successfully reduced Unrestricted User licensing costs through AD group management?

    • What was your process for identifying truly necessary users?
    • What percentage reduction did you achieve?
  2. What's the best approach for auditing user requirements across processes?

    • Automated reporting/queries to identify active users by process?
    • Tools or scripts you've used to map users to actual process participation?
    • How do you handle edge cases (occasional users, seasonal access, etc.)?
  3. How do you manage AD integration to control sys_user population?

    • Do you sync only specific AD groups rather than all users?
    • How do you handle new user onboarding to ensure legitimate users get added?
    • Any pitfalls or gotchas with filtering AD sync?
  4. What governance did you put in place?

    • How do you prevent sys_user table bloat over time?
    • Process for requesting new user additions?
    • Regular audits or cleanup procedures?
  5. How did you handle stakeholder communication?

    • Pushback from departments losing broad access?
    • How did you document and justify which users were retained vs. removed?
  6. Licensing implications and best practices:

    • Did ServiceNow have any specific requirements or recommendations for this approach?
    • Any contract or compliance considerations we should be aware of?
    • Is there risk that ServiceNow audits could challenge this approach?

What We're Looking For:

  • Real-world examples of successful user table optimization
  • Proven methodologies for identifying required users
  • Technical approaches for AD group-based user management
  • Potential risks or downsides we should consider
  • Any queries, reports, or scripts that helped with the analysis

Additional Context:

  • We have EGRC (IRM) deployed along with BCM and AppEngine
  • Currently syncing broadly from AD, resulting in 5,000+ active users
  • Looking to reduce licensing costs while maintaining process functionality

Has anyone tackled a similar challenge? Any guidance would be greatly appreciated!

Thanks in advance!
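An added example, not part of the original post: one way to approach step 2 of the approach above (identifying ungrouped users) by comparing a sys_user export against an AD group-membership export. The CSV layouts, the group names and the use of last login within 180 days as a stand-in for process participation are assumptions; all sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample exports (not real data). Column names are assumptions
# about how the sys_user and AD group-membership exports were produced.
SYS_USER_CSV = """user_name,active,last_login_time
alice,true,2025-05-20 09:12:00
BOB,true,2025-01-03 14:00:00
carol,true,
dave,false,2024-11-30 08:00:00
erin,true,2025-05-28 16:45:00
"""
AD_GROUP_CSV = """group,sam_account_name
GRC-IRM-Users,Alice
GRC-BCM-Users,bob
"""

def triage(sys_user_csv, ad_group_csv, required_groups, today, window_days=180):
    """Sort active sys_user rows into keep / review / candidate buckets."""
    wanted = {g.lower() for g in required_groups}
    # AD account names are case-insensitive, so compare in lower case.
    members = {row["sam_account_name"].strip().lower()
               for row in csv.DictReader(io.StringIO(ad_group_csv))
               if row["group"].strip().lower() in wanted}
    cutoff = today - timedelta(days=window_days)
    result = {"keep": [], "review": [], "candidate": []}
    for row in csv.DictReader(io.StringIO(sys_user_csv)):
        if row["active"].strip().lower() != "true":
            continue  # inactive rows are outside the active-user count
        name = row["user_name"].strip().lower()
        stamp = row["last_login_time"].strip()
        last = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S") if stamp else None
        if name in members:
            result["keep"].append(name)       # covered by a required group
        elif last is not None and last >= cutoff:
            result["review"].append(name)     # ungrouped but recently active
        else:
            result["candidate"].append(name)  # ungrouped, no recent login
    return result

if __name__ == "__main__":
    groups = ["GRC-IRM-Users", "GRC-BCM-Users"]  # hypothetical group names
    for bucket, names in triage(SYS_USER_CSV, AD_GROUP_CSV, groups,
                                datetime(2025, 6, 1)).items():
        print(bucket, names)
```

The "review" bucket is where occasional or seasonal users surface; those accounts need a process owner's decision before the sync filter drops them.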
