"User Not Authorized" error when clicking Edit on Group Members for groups containing a sn_shop role

lidorz
Tera Contributor

Hi everyone,

I'm encountering a strange permission issue with the Edit... button on the Group Members (sys_user_grmember) related list, and I would appreciate some insight.

The Scenario:

  • We have a specific Scoped Application role: sn_shop_procurement_specialist.

  • For any standard group that does not contain this role, I can click the Edit button and manage group members perfectly fine.

  • However, for any group that contains this scoped role, clicking the Edit button and then clicking Save immediately throws a "User not authorized" error and blocks the operation.

What could be the problem?
Thanks in advance for your help!

3 REPLIES

yvijay
Tera Contributor

Hello @lidorz,

We previously had a similar kind of issue with one of our customers. Please follow the process below in case it helps in your case.

  1. Test with a true user_admin or admin user.
    If that works, you’ve confirmed this is authorization around inherited role assignment, not a broken related list.

  2. Open the sys_user_role record for sn_shop_procurement_specialist and inspect Assignable by.
    If it is restricted, expand it appropriately or use the right assigning role.

  3. Run Security/ACL debugging while reproducing the save.
    Focus on denials against:

    • sys_user_grmember
    • sys_user_has_role
    • any custom ACLs or BRs tied to group membership / inherited roles.

  4. Check whether the group has any additional sensitive roles.
    If the group contains something privileged beyond sn_shop_procurement_specialist, that could be the actual blocker.

  5. Review custom BRs on user/group-role tables.
    This pattern is often caused by a control intended to limit who can add users into role-bearing groups.

Your issue is probably not that sn_shop_procurement_specialist is “bad”; it’s that adding a user to a group carrying that scoped role is treated as a role-assignment event, and your current operator is not authorized for that event.

Please mark the answer as helpful if it helps.

Thanks,

Vijay

Tanushree Maiti
Tera Patron

Hi @lidorz

Validate this KB:

KB0832559 user_admin role cannot update group membership when group contains scoped application role...

Check the required roles:

Components installed with Sourcing and Procurement Operations

Please Accept the solution if it assisted you with your question & Mark this response as Helpful.
Regards
Tanushree Maiti
ServiceNow Technical Architect
LinkedIn: https://www.linkedin.com/in/tanushreemaiti

Hi,

The user that tries to add a member already has this role...
Still doesn't work.