"User Not Authorized" error when clicking Edit on Group Members for groups containing a sn_shop role
10 hours ago
Hi everyone,
I'm encountering a strange permission issue with the Edit... button on the Group Members (sys_user_grmember) related list, and I would appreciate some insight.
The Scenario:
We have a specific Scoped Application role: sn_shop_procurement_specialist.
For any standard group that does not contain this role, I can click the Edit button and manage group members perfectly fine.
However, for any group that contains this scoped role, clicking the Edit button and then clicking Save immediately throws a "User not authorized" error and blocks the operation.
What could be the problem?
Thanks in advance for your help!
10 hours ago
Hello @lidorz ,
We have previously had a similar kind of issue with one of our customers. Please follow the process below, in case it helps.
- Test with a true user_admin or admin user.
  If that works, you’ve confirmed this is authorization around inherited role assignment, not a broken related list.
- Open the sys_user_role record for sn_shop_procurement_specialist and inspect Assignable by.
  If it is restricted, expand it appropriately or use the right assigning role.
- Run Security/ACL debugging while reproducing the save.
  Focus on denials against:
  - sys_user_grmember
  - sys_user_has_role
  - any custom ACLs or BRs tied to group membership / inherited roles.
- Check whether the group has any additional sensitive roles.
  If the group contains something privileged beyond sn_shop_procurement_specialist, that could be the actual blocker.
- Review custom BRs on user/group-role tables.
  This pattern is often caused by a control intended to limit who can add users into role-bearing groups.
Your issue is probably not that sn_shop_procurement_specialist is “bad”; it’s that adding a user to a group carrying that scoped role is treated as a role-assignment event, and your current operator is not authorized for that event.
Please mark the answer as helpful if it helps.
Thanks,
Vijay
9 hours ago
Hi @lidorz
Validate this KB:
Check the required roles:
Components installed with Sourcing and Procurement Operations
Regards
Tanushree Maiti
ServiceNow Technical Architect
LinkedIn: https://www.linkedin.com/in/tanushreemaiti
8 hours ago
Hi,
The user that tries to add the member already has this role...
It still doesn't work.