Who add members to Resource Groups?

julianada-s · 3 weeks ago

Hi Friends! 😊

I was wondering so far that Resource Managers could create and add members to the resource groups. But what is happening is that Resource managers can create groups, but can't add members to it. Is it normal behavior to the role? or am I missing something?

Tks!!!

Itallo Brandão · 3 weeks ago

Hi Juliana,

To answer your question directly: Yes, this is normal Out-of-the-Box (OOB) behavior.

By default, the resource_manager role is designed to manage plans, allocations, and capacities, but not the administrative maintenance of the sys_user_group table.

The Reason: Adding a user to a group automatically grants them all the Roles assigned to that group. From a security standpoint, ServiceNow restricts group membership management to user_admin or admin to prevent unauthorized license consumption or access elevation.

However, here is a potential fix based on your screenshot:

I noticed in your screenshot that the Manager field on the group form is Empty.

Many instances have a specific Access Control (ACL) logic that grants "Write" access to the group members if the current user is listed as the Group Manager.

Try this Step:

As an Admin, update the record and set the Manager field to the Resource Manager user.
Impersonate that Resource Manager again.
Check if the "Edit" or "New" buttons appear in the "Group Members" Related List.

If that doesn't work, you have two options:

Delegated Administration (Best Practice): Configure a "Delegated Administration" rule for Resource Managers to manage users within their specific groups.
Custom ACL (Implementation): Create a write/create ACL on the sys_user_grmember table with a condition like: group.manager | is dynamic | Me.

If this response helps clarify the issue, please mark it as Accepted Solution.
This helps the community grow and assists others in finding valid answers faster.

Best regards,
Brandão.

View solution in original post

MadhanMaddy · 3 weeks ago

Hi @julianada-s ,

Could you please verify if the user who's trying to add users to the resource group has resource_manager & safe side check by adding user_admin role & try once.

Ideally this should work. Please let me know if it's still not working I can try and troubleshoot more on this issue.

If my answer has helped with your question, please mark my answer as the accepted solution and give a thumbs up.

Best regards,
Madhan

Itallo Brandão · 3 weeks ago

Hi Juliana,

To answer your question directly: Yes, this is normal Out-of-the-Box (OOB) behavior.

By default, the resource_manager role is designed to manage plans, allocations, and capacities, but not the administrative maintenance of the sys_user_group table.

The Reason: Adding a user to a group automatically grants them all the Roles assigned to that group. From a security standpoint, ServiceNow restricts group membership management to user_admin or admin to prevent unauthorized license consumption or access elevation.

However, here is a potential fix based on your screenshot:

I noticed in your screenshot that the Manager field on the group form is Empty.

Many instances have a specific Access Control (ACL) logic that grants "Write" access to the group members if the current user is listed as the Group Manager.

Try this Step:

As an Admin, update the record and set the Manager field to the Resource Manager user.
Impersonate that Resource Manager again.
Check if the "Edit" or "New" buttons appear in the "Group Members" Related List.

If that doesn't work, you have two options:

Delegated Administration (Best Practice): Configure a "Delegated Administration" rule for Resource Managers to manage users within their specific groups.
Custom ACL (Implementation): Create a write/create ACL on the sys_user_grmember table with a condition like: group.manager | is dynamic | Me.

If this response helps clarify the issue, please mark it as Accepted Solution.
This helps the community grow and assists others in finding valid answers faster.

Best regards,
Brandão.

julianada-s · 3 weeks ago

Obrigada Ítalo!

kimpin533 · 3 weeks ago

By default, the resource_manager role is designed to manage plans, allocations, and capacities, but not the administrative maintenance of the sys_user_group table.

The Reason: Adding a user to a group automatically grants them all the Roles assigned to that group. From a security standpoint, ServiceNow restricts group membership management to user_admin or admin to prevent unauthorized license consumption or access elevation.