Tracking Changes to Group Membership

jamesd25 · ‎10-16-2023

We have a need to track changes to group membership for auditing purposes.
This does not seem to be something out of the box or easy to accomplish. And this seems like a very normal thing to want to capture and be able to track.

How can we do this?

Claude DAmico · ‎10-16-2023

Does this article help?

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0996224

Claude E. D'Amico, III - CSA

Luiz Lucena · ‎10-16-2023

Hi James,

This IS something that ServiceNow does OOTB, however, for your instance it might not be configured.
I did something like that for our company and here is how.

First thing to do is make sure your group table is "audited", by that I mean this, you go to the dictionary table https://your_instance_here.service-now.com/sys_dictionary_list.do?sysparm_query=&sysparm_view=
In our case, we use the sys_user_group table, so in the Dictionary you need to make sure the Audit option is checked for the Collection type (only this one).

Once you enable that, you will be able to see any group membership changes when right clicking the header of a group or user record. Like below:

You will look for Label "relation":

You will be amazed that even changes made in the past will be shown! 🙂
Hope that helps.

Jamesd251 · ‎10-17-2023

This is super helpful Luiz! Maybe I'm looking at a bug. I performed these steps prior to the post and I could see one change I made to a group

But from then on, it will not record, or does not seem to, when I remove or add users. Very odd.

Luiz Lucena · ‎10-18-2023

Hi James,

Do you manage the groups within ServiceNow or do you import groups from another source like Active Directory (LDAP, for example)?