That's unfortunate, ServiceNow said they would fix it in the upcoming patch at the time which was Quebec. Let me see if I can find the XML files they provided to fix it

Alrighty, these are all the issues we've had with response tasks and how to solve them. All solutions have been provided by ServiceNow.

Some backstory first: 
We want everyone to be able to work on response task, just the same as regular tasks. The good thing with Response Tasks and sn_si.external is that users can only see response tasks assigned to themselves (and with this solution provided, the group). We want this to work the same way as Incidents and Tasks. Helpdesk has control of the ticket and creates tasks when something needs to be done -> SOC owns the ticket, creates response tasks to be remediated by other teams.

The problem is when your company is quite large. Our SOC does not know which user can do what or happens to be sick, they only know that team A can fix problem A. Let's say you have a team of Windows engineers, and they don't work with Security Incidents.  Principle of least privilege, they are not given access to security incidents. However, team Windows have be able to solve Windows issues that arises Security Incidents, so our SOC creates and assigns response tasks. That way, SOC owns the ticket and can follow up/report/escalate whilst Team Windows only need to focus on fixing whatever is in the response task. 

TLDR: We have to be able to assign response tasks to groups outside SecOps

1. XML ACL rules to allow sn_si.external to see response tasks assigned to group.

Import the XML ACL to allow users to view group response tasks (1).xml

 
2. Disable rule <Assign to self> which will allow you to give response tasks to groups, and not just users.

https://YOUR-INSTANCE.service-now.com/sys_script.do?sys_id=7e7cfbf3b3f00300bfba81a516a8dcd5&sysparm_view=default&sysparm_view=default&sysparm_domain=null&sysparm_domain_scope=null&sysparm_record_row=1&sysparm_record_rows=41&sysparm_record_list=collection%3dsn_si_task%5eORcollectionINsn_si_task%2csm_task%2ctask%5ename%3e%3dInitially+assign+task+to+self%5eORDERBYname

3. When adding sn_si.external to groups outside SecOps, only sn_si.admin can modify group (add/remove users to that group)

When giving any sn_si. role to a group, only sn_si.admin can modify that group. We want sn_si.external to be excluded from that rule so Managers can again have control over their group. 

From ticket:

Solution Proposed:

I was able to discover several approaches that can provide the required functionality:

1. Creating a scheduled job that would be run as a user with sn_si.admin role and is going to be adding the sn.si.external role to the users.
(please note that this functionality would be a custom implementation, and we would only be able to provide you a general guidance in developing this functionality)


2. Creating a new role in the Global scope - please see KB for more details:
https://support.servicenow.com/kb?id=kb_article_view&sys_kb_id=ca0472bcdb8438d066e0a345ca961980


3. Create a new one or use one of the existing roles that would be set in the 'assignable by' in the sn_si.external role. 
(please refer to screenshots for more guidance)


4. If you wish to see this functionality in future releases please consider creating an enhancement request on the Idea Portal.

The Idea Portal is a new and improved method for you to submit product enhancement requests, view what others have submitted, vote on your favourite ones, and get feedback from ServiceNow product management.

We went for number 2, created a new sn_si.external role in Group scope and added the sn_si.external role to that role again. 

4. Users with sn_si.external cannot assign response tasks to themselves (read only) when response task is only assigned to group

Import XML ACL to allow users assign response tasks to themselves.xml.xml from attachment