ITIL Role Getting Removed at User Level When Removing One Group – Despite Other Group Still

VenkatSD
Giga Contributor


Hi Team,

We are facing an issue in ServiceNow PROD instance related to ITIL role inheritance.

Scenario:

  • A user is part of multiple groups.

  • More than one group grants the ITIL role.

  • When we remove the user from one of the groups, ITIL role is getting removed at the user level.

  • Ideally, the role should remain since another group still grants ITIL role.

Observation:

  • This issue is happening only in PROD.

  • It is NOT reproducible in Non-Prod instances.

Key Differences in PROD:

  • LDAP integration configured via MID Server

  • SAML SSO enabled

  • Group memberships are synced from Active Directory

We also noticed logs like:

  • SAML login entries with syslog.source = SAML2

  • But no clear indication yet of what removes the role

Expectation:

  • Role inheritance should persist as long as at least one group provides the ITIL role.

What we have checked so far:

  • Verified that another group still has ITIL role assigned

  • No manual role removal

  • Issue seems to happen during group removal or sync

Questions:

  1. Where exactly does ServiceNow decide to remove a role from sys_user_has_role on group membership changes?

  2. Can LDAP sync or Transform Maps temporarily remove group membership and trigger role deletion?

  3. Are there any known scenarios where SAML login or user provisioning can reset roles?

  4. What logs or tables should we monitor to identify the exact trigger for role removal?

Additional Info Needed:

  • Best way to trace role deletion (audit/logs)

  • Any known conflicts between LDAP + SAML + role inheritance

Any guidance or similar experiences would be really helpful.

Thanks in advance!


ayushraj7012933
Mega Guru

Hi,

In OOTB behavior, the ITIL role should NOT be removed if the user still belongs to another group that grants it. Since this is happening only in PROD, the issue is very likely due to LDAP sync, transform logic, or customizations.

Step-by-Step Troubleshooting Guide

Step 1: Enable Auditing

  • Go to System Definition → Tables

  • Open:

    • sys_user_has_role

    • sys_user_grmember

  • Enable Audit = true

This helps track who/what is removing the role.

Step 2: Identify When Role is Removed

  • Open affected User record

  • Go to Related List → Roles

  • Click on ITIL role → View Audit History

Check:

  • Updated by (system / import / user)

  • Timestamp

Step 3: Check Group Membership Changes

  • Navigate to sys_user_grmember

  • Filter for the affected user

Verify:

  • Is the user temporarily removed from all groups during sync?

Step 4: Review LDAP Transform Maps

  • Go to System Import Sets → Transform Maps

  • Identify LDAP-related maps

  • Check:

    • Coalesce settings

    • Any script that:

      • Deletes existing group memberships

      • Re-inserts them

This is a common root cause.

Step 5: Check Scheduled Jobs

  • Go to System Definition → Scheduled Jobs

  • Look for:

    • LDAP User Import

    • Group Sync jobs

Match job run time with role removal time.

Step 6: Check for Custom Logic

  • Review:

    • Business Rules on:

      • sys_user_grmember

      • sys_user_has_role

    • Flow Designer flows

Many PROD-only scripts remove/recalculate roles.

Step 7: Validate SAML / JIT

  • Go to SAML settings

  • Check if JIT provisioning is enabled

It may update user/group data during login.
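Added example, written for this thread and not code from either poster or from ServiceNow: an offline Node.js model of the two checks the reply walks through. The first part computes which roles a user should still inherit from the groups that remain (the question's expectation) and diffs that against the user's actual sys_user_has_role rows, so a missing itil row shows up as a concrete finding rather than a suspicion. The second part takes exported deletion records and matches each deletion timestamp against scheduled job run windows (Step 5 of the reply). All rows and job names are constructed; the column names mirror sys_group_has_role, sys_user_grmember, sys_user_has_role and sys_audit_delete, but which audit columns matter is an assumption, and nothing here calls GlideRecord or any other ServiceNow API.

```javascript
'use strict';
// Added example, not ServiceNow code and not from either post: an offline
// model of group-based role inheritance plus a timestamp correlation of role
// deletions with scheduled job runs. Every row is constructed; the column
// names mirror the ServiceNow tables named in the thread, but nothing here
// calls a ServiceNow API, so it runs under plain Node.js.

// Constructed sys_group_has_role rows: which roles each group grants.
const GROUP_HAS_ROLE = [
  { group: 'Service Desk', role: 'itil' },
  { group: 'Network Ops', role: 'itil' },
  { group: 'Network Ops', role: 'cmdb_read' },
];

// Constructed sys_user_grmember rows: the user's group memberships.
const USER_GRMEMBER = [
  { user: 'jdoe', group: 'Service Desk' },
  { user: 'jdoe', group: 'Network Ops' },
];

// Constructed sys_user_has_role rows as observed after the faulty sync:
// the inherited itil row is gone although Network Ops still grants itil.
const USER_HAS_ROLE_AFTER_SYNC = [
  { user: 'jdoe', role: 'cmdb_read', inherited: true },
];

// Roles a user should inherit: { role: [granting groups, sorted] }.
function expectedInheritedRoles(user, memberships, groupRoles) {
  const granted = new Map();
  for (const m of memberships) {
    if (m.user !== user) continue;
    for (const gr of groupRoles) {
      if (gr.group !== m.group) continue;
      if (!granted.has(gr.role)) granted.set(gr.role, new Set());
      granted.get(gr.role).add(gr.group);
    }
  }
  const out = {};
  for (const [role, groups] of granted) out[role] = [...groups].sort();
  return out;
}

// Membership list with one user/group pair removed (what a group removal does).
function withoutMembership(memberships, user, group) {
  return memberships.filter((m) => !(m.user === user && m.group === group));
}

// Compare expected inherited roles with actual sys_user_has_role rows.
//   missing: roles some remaining group still grants but the user lacks
//            (the symptom in the question);
//   stale:   inherited rows that no remaining group grants (these should go).
function diffInheritedRoles(user, memberships, groupRoles, hasRoleRows) {
  const expected = expectedInheritedRoles(user, memberships, groupRoles);
  const actual = new Set(
    hasRoleRows.filter((r) => r.user === user && r.inherited).map((r) => r.role),
  );
  return {
    missing: Object.keys(expected).filter((r) => !actual.has(r)).sort(),
    stale: [...actual].filter((r) => !(r in expected)).sort(),
  };
}

// Constructed deletion records for sys_user_has_role, shaped like the
// sys_audit_delete columns a practitioner would export (which columns matter
// is an assumption): which row, who deleted it, and when.
const AUDIT_DELETES = [
  { tablename: 'sys_user_has_role', documentkey: 'uhr-jdoe-itil', sys_created_by: 'system', sys_created_on: '2024-05-02T01:00:12Z' },
  { tablename: 'sys_user_has_role', documentkey: 'uhr-asmith-itil', sys_created_by: 'admin.jane', sys_created_on: '2024-05-02T09:15:00Z' },
];

// Constructed scheduled job runs (names are illustrative) to correlate against.
const JOB_RUNS = [
  { name: 'LDAP User Import', start: '2024-05-02T01:00:00Z', end: '2024-05-02T01:04:30Z' },
  { name: 'LDAP Group Import', start: '2024-05-02T01:05:00Z', end: '2024-05-02T01:07:00Z' },
];

// For each deletion, name the job whose run window contains its timestamp;
// job is null when nothing was running (a manual removal, for instance).
function correlateDeletionsWithJobs(deletes, jobs) {
  return deletes
    .filter((d) => d.tablename === 'sys_user_has_role')
    .map((d) => {
      const t = Date.parse(d.sys_created_on);
      const job = jobs.find((j) => t >= Date.parse(j.start) && t <= Date.parse(j.end));
      return { documentkey: d.documentkey, by: d.sys_created_by, at: d.sys_created_on, job: job ? job.name : null };
    });
}

// Walk through the scenario from the question.
const afterRemoval = withoutMembership(USER_GRMEMBER, 'jdoe', 'Service Desk');
console.log('expected after removal:', expectedInheritedRoles('jdoe', afterRemoval, GROUP_HAS_ROLE));
console.log('diff vs actual rows:', diffInheritedRoles('jdoe', afterRemoval, GROUP_HAS_ROLE, USER_HAS_ROLE_AFTER_SYNC));
console.log('deletions by job window:', correlateDeletionsWithJobs(AUDIT_DELETES, JOB_RUNS));
```

Run it with `node` and the diff reports `missing: ['itil']` for jdoe: Network Ops still grants itil, so the row should not have gone. The correlation then points at the deletion that landed inside the LDAP User Import window, which is where to look first (transform map scripts, business rules on sys_user_grmember), while the deletion outside any window is a candidate for a manual or JIT-driven change. Against a real instance, replace the constructed arrays with exports of the same tables filtered to the affected user.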