Subscription management for ITSM pro: Unallocated subscriptions for users with itil role

Smith Johnson
Tera Guru

Hi experts,


I have a question for subscription management.

We have a subscription for ITSM pro with 355 purchased subscriptions.

SmithJohnson_5-1727783890011.png

 

 

I see that one of the associated roles of the ITSM pro is "itil".

SmithJohnson_1-1727782920113.png


28 users have currently this role.

SmithJohnson_4-1727783135642.png


However, when I review the subscription management dashboard, I see that the subscribed users are 0.

SmithJohnson_2-1727782950571.png

Plus the following insight message for the 355 unallocated subscriptions.

SmithJohnson_6-1727784182982.png


Any ideas why the number of itil users is not reflected in the subscription management?
Why we see the message of unallocated subscriptions, even if people are actually working with incidents, etc.?

Thank you,
Smith.

1 ACCEPTED SOLUTION

Kieran Anson
Kilo Patron

You need to allocate users to the subscription. ServiceNow won't automatically do this. 

The best way to do this is to provide access to a group, and then under the "subscribed groups" related list, add in the group. Personally I do this by having a sys_user_group with a type of 'security' and only allow itil to be granted via it, rather than adding itil to a resolver group 

View solution in original post

9 REPLIES 9

Kieran Anson
Kilo Patron

You need to allocate users to the subscription. ServiceNow won't automatically do this. 

The best way to do this is to provide access to a group, and then under the "subscribed groups" related list, add in the group. Personally I do this by having a sys_user_group with a type of 'security' and only allow itil to be granted via it, rather than adding itil to a resolver group 

Hi Kieran,

thanks a lot for your response 🙂 The issue was that we didn't have these subscribed groups.

But may I ask you if could clarify/elaborate on your last point "Personally I do this by having a sys_user_group with a type of 'security' and only allow itil to be granted via it, rather than adding itil to a resolver group"? 

I commonly see organisations have groups that are used both as assignment groups, and with roles allocated. This becomes complex to manage as members inside that group could require varying levels of permissions. 

 

Organisations are becoming more conscious of least access privilege policies which is hard to do when a single user group record is fulfilling multiple purposes.

 

For me, I like to suggest relying on group types (very under utilised) and separating out group usage. 

 

Security groups - These are used for roles and can be mapped to subscriptions

Process groups - think approval groups

Assignment groups - used as part of a process such as an incident support team.

 

Separating this all out does add an overhead, but reduces the complexity overall. Also aids in managing licensing at a much more granular level. Especially in other product subscriptions where some really powerful roles are classed as a "requestor" role and therefore isn't licensable. 

thanks a ton for sharing your rationale 😁