ITIL Role Getting Removed at User Level When Removing One Group – Despite Other Group Still
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2 hours ago
Hi Team,
We are facing an issue in ServiceNow PROD instance related to ITIL role inheritance.
Scenario:
A user is part of multiple groups.
More than one group grants ITIL role .
When we remove the user from one of the groups, ITIL role is getting removed at the user level.
Ideally, the role should remain since another group still grants ITIL role.
Observation:
This issue is happening only in PROD.
It is NOT reproducible in Non-Prod instances.
Key Differences in PROD:
LDAP integration configured via MID Server
SAML SSO enabled
Group memberships are synced from Active Directory
We also noticed logs like:
SAML login entries syslog.source = SAML2
But no clear indication yet of what removes the role
Expectation:
Role inheritance should persist as long as at least one group provides the ITIL role.
What we have checked so far:
Verified that another group still has ITIL role assigned
No manual role removal
Issue seems to happen during group removal or sync
Questions:
Where exactly does ServiceNow decide to remove a role from sys_user_has_role group membership changes?
Can LDAP sync or Transform Maps temporarily remove group membership and trigger role deletion?
Are there any known scenarios where SAML login or user provisioning can reset roles?
What logs or tables should we monitor to identify the exact trigger for role removal?
Additional Info Needed:
Best way to trace role deletion (audit/logs)
Any known conflicts between LDAP + SAML + role inheritance
Any guidance or similar experiences would be really helpful.
Thanks in advance!
