User Admin - Unable to remove group from user
01-20-2020 04:00 AM
Hi All,
We have given the user_admin role to one of our teams, which is responsible for onboarding and offboarding our users. This is working for most cases, but they have just tried to remove groups for a user from our Service Desk and they are getting this error:
'User is not authorized to perform this action'
This appears to be because the ServiceDesk group has roles from the CSM module. I can't find anything in the docs that says that user_admin shouldn't be able to remove these roles. If I add the 'sn_customerservice_manager' role to the user trying to remove the group, it then works; however, this role gives them access to many other roles and modules that they do not require.
Any suggestions on this?
Thanks
Sam

01-20-2020 04:03 AM
Hi,
Please check the following official article; it explains the reason for your behavior:
https://hi.service-now.com/kb_view.do?sysparm_article=KB0693286
If I have answered your question, please mark my response as correct and/or helpful.
Thank you very much
Cheers
Alberto
01-20-2020 04:38 AM
Hi Alberto,
Thanks for the link to the article. We do not have sn_si* roles in our instance. I don't think we have security incident response activated.
Given this, should this still be an issue?
How am I best to resolve this?
Thanks

01-20-2020 05:11 AM
You can only use the sn_si* role or the admin role for doing this; I don't see an alternative.
01-20-2020 05:22 AM
Hi Alberto,
I have looked it over; we don't have the security response plugin activated. The issue we are having is with roles from CSM. I can't see where in the knowledge article this is referenced, as it only seems to be for security incident response?
We just want people with user_admin to have the ability to remove people from groups when they leave. I don't want to give them the 'sn_customerservice_manager' role due to it giving them access to applications that they don't require - this seems overkill?
The docs just mention that user_admin can add/remove users from groups with no further caveats?