Hi Phil,

This is exactly what I want to do. I want to use sys_user_grmember to have the group manager listed on the group to certify if the group member is still active or should be removed.

I'm going to work on this today. Ping me, if I might ask some questions or just to compare methods with yours. Sounds like you've been running this certification for awhile so you might be able to share your experience. 

Jeff

Happy to help if I can...

Great. Thanks.

My boss wants to generate cert tasks to have the manager of the group validate if the current members are still active, need removed or someone needs added.

I was thinking he should use the sys_user_grmember table so there would be a line item for each member to pass or fail. He was going to use the sys_user_group but that would be hard to just pass or fail. If they fail at the group level they would have to explain in work notes why and which users need added or removed.

You are using sys_user_grmember for you cert tasks, what field exactly on that table do you display for the task assignee to validate? Did you add a custom field to that table? or do they just pass or fail the user's name and provide a comment? What if the group manager wants to add a user, how do they communicate that for a group?

once the pass/fail are made, I assume you don't have the task assignee make the actual updates to groups so does someone else run a report on what failed, and then they make the changes based off that list of fails? or do you then create another task for an admin to do the remediations?

Not sure which approach to take as there are several ways to do it.

Hi again.

Yes, we run this off the sys_user_grmember table.  The display field is Group as it is members of the group(s) we are certifying.  The Certification field is User. 

The Assignment type is User Field and the Assign To value is Group Manager.  This assumes that each group has a Group Manager assigned.  If not, the tasks get sent to a named individual using the Assign to empty value.  Here's a screenshot of an example.

The Group Manager receives a task that contains one line for each individual in that group.  So if the group has 5 members they get 5 entries.  If they have 2 groups each with 5 members then they get  10 entries.

The way we work it, if they want the person to continue to be a member of the group then they pass the certification and no further action is required.  If they want the individual to be removed then they fail that entry on the certification and we (ServiceNow Admins) review the audit log to identify who should be removed.  We're working on automating that but need to be careful as we need to ensure the certifier really means that removal to happen.

Here's the output of the Audit log, the Failed entry needs our action to remove the individual from the group.

If someone wants a user added to a group then that's not a certification task, that's done through a catalogue item request.  That's also because only Admins have access to add users to groups.

by the way, we do other certification where the users can modify entries, they make the change then certify the entry as correct.  That's better than them having to make the updates separately.

Hope that helps a bit.  You are right, there may be various ways to do this and the real gap is that ServiceNow haven't really defined the full end to end process in their own documentation.

Phil