How to Allow Group Managers to Manage Group Members?

Yaseen2
Mega Expert

Dear All,

Kindly note I've followed the guide below to give the group managers access to add/delete their own group members, but with no luck:

https://community.servicenow.com/community?id=community_question&sys_id=ed71cb29db98dbc01dcaf3231f96...

I've created 4 ACLs: read/write/create/delete

Table: sys_user_grmember

Name: sys_user_grmember.*

Condition: Group.manager is dynamic

Below you can find a sample of one of the ACLs: [screenshots]

List of ACLs: [screenshot]

Group manager view: [screenshots]

But still the group manager is unable to add or delete the group members. Note that I've applied these ACLs first with the "itil, user_admin" roles and a second time without roles, but with no luck.

Any suggestions, please? If you can help me, it's urgent.

Your feedback is highly appreciated.

Best regards,

Yaseen.


Dan Shores
Mega Expert

Hi -
I've been working on something similar and could not figure out how to allow group membership to be edited by a new group/role that is not admin level. I found the following ACL in our instance that was allowing this to happen. Once I added the role to this ACL, it allowed me to edit group members.

[screenshot of the ACL]

Weird
Mega Sage

This is a bit old but just in case I'll throw my thoughts into the mix if someone has trouble with this.

First of all, make sure the user has create rights to the sys_user_grmember table.
Technically there's no record yet, so "manager is me" will not work, as it can't match a record.
You should allow, for example, itil to create memberships and then simply modify the edit condition in the list control for the group memberships related list (the field might be hidden OOB), so that not all of the itil users will see a button they don't need to see.

Also, Yaseen, your rules seem to be sys_user_grmember.* for the table.
The * is for all fields, but if you're not allowing access to the table itself (select none in the ACL instead of *), then the user won't be able to do anything if there's an OOB rule in place.
So just create rules that look like "sys_user_grmember", without any .something after them in the list.

The New button might also show up, but there shouldn't be a need to create users from there, so feel free to omit it in the list control as well.
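The rule Joni describes (itil may create memberships; the manager-is-me check can only apply once a record exists) can also be expressed as an ACL script condition. The block below is an added example, not code from this thread or from ServiceNow: the function is written in the ES5 style ServiceNow server scripts use and takes the platform globals `current` (the GlideRecord being checked) and `gs` (GlideSystem) as parameters so it can be exercised offline. The `GROUPS` data, `stubRecord` and `stubGs` are constructed stubs for this example; in an instance you would call it from the ACL script field as `answer = groupManagerCanManage(current, gs);`.

```javascript
// Added example: script-condition version of "the group's manager may
// manage its memberships" for sys_user_grmember. `current` and `gs` are the
// ServiceNow globals in a real ACL script; here they are injected so the
// function runs outside the platform.
function groupManagerCanManage(current, gs) {
  // Keep the usual admin override.
  if (gs.hasRole('admin')) return true;

  // On create the row does not exist yet. `group` is only populated if the
  // insert carries it (e.g. from the group's related list); with no group
  // there is nothing to compare against, so a "manager is me" style check
  // cannot match, which is why the create ACL is normally role based.
  var groupId = current.getValue('group');
  if (!groupId) return false;

  // Dot-walk to the group's manager (a GlideElement in the platform) and
  // compare its sys_id with the logged-in user's sys_id.
  return current.group.manager.toString() === gs.getUserID();
}

// ---- Constructed stubs for offline use (not platform objects) ----
// Two groups with their manager sys_ids.
var GROUPS = {
  g1: { manager: 'u_alice' },
  g2: { manager: 'u_bob' }
};

// Minimal stand-in for a sys_user_grmember GlideRecord: getValue('group')
// and a dot-walkable group.manager element.
function stubRecord(groupId) {
  return {
    getValue: function (field) {
      return field === 'group' ? (groupId || '') : '';
    },
    group: {
      manager: {
        toString: function () {
          return groupId ? GROUPS[groupId].manager : '';
        }
      }
    }
  };
}

// Minimal stand-in for GlideSystem: the logged-in user and their roles.
function stubGs(userId, roles) {
  return {
    getUserID: function () { return userId; },
    hasRole: function (role) { return roles.indexOf(role) !== -1; }
  };
}
```

With these stubs, alice (manager of g1) passes for an existing g1 membership, bob does not, and a create with no group set is denied for everyone except admin, which is the case the related-list create ACL has to cover with a role instead.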

Hi Joni,

I'm working on something similar and found your response helpful. When I added the role to the Create ACL for the sys_user_grmember table, it worked: both the New and Edit buttons appeared (yay). However, I've created a new role for someone to be able to edit existing group membership, either by editing the group membership related list on the Group form or via the Groups related list on the User table, but I don't want this role to be able to add a new group or a new user via those lists. My problem is I don't know how to get the List Control set up so I can control the presence of the New button on either list for this new role.

When I go to the List Control from the Application Navigator, the new form doesn't have an active field for Table - just the field label, and the Related List field is empty and read only. When I go to the Group Table (sys_user_group) and Show List, I can click List Control and the table is populated, but the Related List field is empty and read only. When I try that from the Group Member (sys_user_grmember) list, same thing - Related List field is empty and read only.

I think what is missing is the OOTB configuration for the group members list control mentioned in an earlier reply. It's not found under List Control, or by searching for the sys_id provided in the earlier reply.

I feel stuck at this point, even though I know what I need to do. Sorry, OP, for hijacking your question - but thanks for asking it, the replies have been very helpful 🙂

Hi Dale,
It's been a while since I last did anything with the list controls, but let's see if I can help. If I understood your question correctly, you would like to prevent the new role from being able to use the "New" button. I usually handle the list controls from the related list directly:

[screenshot: List Control opened from the related list's context menu]

Here we get the record directly affecting this related list, and we can either omit the New button completely OR add the roles that can see it:

[screenshot: List Control record with "Omit new button" and "New roles" fields]

I think there can be cases where the List Control record doesn't exist, so you wouldn't be able to find it in the table directly, but going to it through the related list, as shown above, will automatically create the record for you if it's missing.

That's exactly the bit I needed - I needed to go to the related list itself and not the table, in order to create the List Control record. Thank you!!