Multi-Level Role Inheritance Reporting for Audit Dashboard Using Database Views

Community Alums · 3 weeks ago

Hi All,

I am working on a dashboard to audit roles assigned to users where the role name contains the “admin” keyword, and I need suggestions for handling multi-level role inheritance from sys_user_role_contains.

Example:

User added to Group A
Group A has Role X
Role X contains multiple child roles
Those child roles contain more roles

Since Database Views are not recursive, what is the best approach to report complete inherited role hierarchy for audit dashboards?

Are people using:

fixed-level DB views,
Script Includes with recursion,
or some other approach?

Would appreciate suggestions from anyone who has implemented something similar.

vaishali231 · 3 weeks ago

Hey @Community Alums

For this requirement, I would avoid relying only on Database Views if you need to audit the complete inherited role hierarchy.

Database Views are not recursive, so they work only when the inheritance depth is fixed and known. In real role structures, sys_user_role_contains can have multiple levels, so a fixed-level DB View may miss roles once the hierarchy goes deeper than the joins you created.

Approach:

Use a Script Include or scheduled job to recursively resolve the role hierarchy, then store the flattened result in a custom reporting table. Build the dashboard on that custom table instead of calculating the full hierarchy live in the report.

High-level approach:

Get roles assigned directly to the user from sys_user_has_role.
Get roles assigned through groups using:

sys_user_grmember
sys_group_has_role

For each role, recursively check sys_user_role_contains.
Continue until no further child roles are found.
Store the resolved data in a custom audit table.
Use that table for dashboard/reporting.

Example custom audit table fields:

User

Assignment source: Direct / Group / Inherited

Group

Parent role

Inherited role

Role path

Contains admin keyword

Last calculated date

Important point:

While writing the recursive logic, maintain a visited role list to avoid duplicate processing or possible circular role references.

Example logic:

Start with Role X
Check child roles in sys_user_role_contains
For each child role, check if it also contains other roles
Continue recursively
Stop when there are no more child roles or the role was already processed

For reporting, I would suggest not running recursion directly inside the dashboard. Instead, calculate the data through a scheduled job and store it in a custom table. The dashboard can then simply report on the flattened table.

So the practical recommendation would be:

Fixed-level DB View: only suitable if hierarchy depth is small and predictable

Recursive Script Include: suitable for resolving the complete hierarchy

Custom flattened audit table: best option for dashboards and audit reporting

This pattern is usually more reliable for audit dashboards where both accuracy and performance are important.

*********************************************************************************************************

If this response helps, please mark it as Accept as Solution and Helpful.

Doing so helps others in the community and encourages me to keep contributing.

Regards

Vaishali Singh

Servicenow Developer
Linkedin - https://www.linkedin.com/in/vaishali-singh-2273361bb

vaishali231 · 3 weeks ago

hey @Community Alums

Hope you are doing well.

Did my previous reply answer your question?

If it was helpful, please mark it as correct ✓ and close the thread . This will help other readers find the solution more easily.

Thankyou & Regards

Vaishali Singh

Servicenow Developer
Linkedin - https://www.linkedin.com/in/vaishali-singh-2273361bb

Philippe Casidy · 3 weeks ago

Hi,

May I ask you? I might be missing a point here but...

Why isn't the sys_user_has_role table not enough?

You want a dashboard a people having any kind of "admin" role, right?

So

/sys_user_has_role_list.do?sysparm_query=role.nameLIKEadmin
Then you can group by users

When you need to know why this user has the role, you can use the Inheritance Map (data from PDI):

Please let me know what I am missing.

Community Alums · 3 weeks ago

Thanks for the response.

We are already using sys_user_has_role reports along with the Inheritance Map for investigation. The challenge is that the process is still manual.

What I am trying to achieve is a flattened reporting structure that captures the inheritance path behind the effective admin access, so that we can build dashboard insights.

The goal is to avoid manually tracing the Inheritance Map for each user during monthly audits and instead have a reportable/dashboard-friendly dataset.