User Admin - Unable to remove group from user
01-20-2020 04:00 AM
Hi All,
We have given the user_admin role to one of our teams which is responsible for onboarding and offboarding our users. This is working for most cases, but they have just tried to remove groups for a user from our Service Desk and they are getting this error:
'User is not authorized to perform this action'
This appears to be as the ServiceDesk group have roles from the CSM module. I can't find anything in the docs that says that user_admin shouldn't be able to remove these roles. If I add the 'sn_customerservice_manager' role to the user trying to remove the group it is then working, however this role gives them access to many other roles and modules that they do not require.
Any suggestions on this?
Thanks
Sam

01-20-2020 05:34 AM
Yes, this is NOT possible.
As said already, the reason is well explained in the official ServiceNow article:
https://hi.service-now.com/kb_view.do?sysparm_article=KB0693286
IMPORTANT: If I have answered your question, please mark my response as correct and/or helpful.
Thank you very much
Cheers
Alberto
01-20-2020 05:38 AM
But the workaround section of the KB article only seems to mention security incident response scope:
This is expected behaviour, due to the enhanced security introduced in Jakarta. Only scope admins with sn_si.admin role will be able to edit user/role/group within the security incident response scope.
So as we don't have this scope with us not having this plugin activated I don't get how this is the issue?
Apologies if I'm seeming dumb, but the article is referring to the plugin we don't have. Without this plugin I can't assign the role 'sn_si.admin' as it is not available to us?

01-20-2020 04:06 AM
I sometimes find I cannot edit groups/roles on a user if they have an admin type role. I need to elevate my security on my admin account, which then lets me remove users from groups that contain admin/security type roles.

01-20-2020 04:09 AM
Did you check whether any ACL has been created or modified on your "sys_user_grmember" table?
The OOTB user_admin role can manage it.