Join the #BuildWithBuildAgent Challenge! Get recognized, earn exclusive swag, and inspire the ServiceNow Community with what you can build using Build Agent.  Join the Challenge.

Practical limit to group size for assigning role

Go to solution
Michael Searle
Tera Guru

‎08-28-2024 09:03 AM

I'm running into some issues with role assignment (add and remove) via a group where the group membership exceeds thirty-thousand members. 

I want to know whether you have experience or knowledge relating to this. Is there a practical size limit for groups that assign roles? Is there a best practice for keeping group membership size below a certain threshold? If you have encountered this issue, how did you divide group membership to overcome it?

Thank you.

0 Helpfuls
  • 1,062 Views
1 ACCEPTED SOLUTION

Go to solution
Brian Lancaster
Kilo Patron
In response to Michael Searle

‎08-28-2024 02:02 PM

In this case I would assign the role directly to the user. You could do it going forward with a business rule or a flow on account insert. You could make the updates for existing users via script background. Why snc_external, are all your users external to your company?

View solution in original post

5 REPLIES 5

Go to solution
Brian Lancaster
Kilo Patron

‎08-28-2024 09:33 AM

No idea but I have also never head of a group with that many members. Why do you have such a large group and what role are they getting?

Go to solution
Michael Searle
Tera Guru

‎08-28-2024 09:42 AM

Hi Brian, thank you for your reply.

Following the best practice of assigning roles through groups, I created a group that contains almost all the users in our sys_user table and assigns the snc_external role.

I'm wondering whether that was the best way to handle it. Or should I just assign that base-level role directly to users?

0 Helpfuls

Go to solution
Brian Lancaster
Kilo Patron
In response to Michael Searle

‎08-28-2024 02:02 PM

In this case I would assign the role directly to the user. You could do it going forward with a business rule or a flow on account insert. You could make the updates for existing users via script background. Why snc_external, are all your users external to your company?

Go to solution
Michael Searle
Tera Guru

‎08-28-2024 03:09 PM

I treat most of my users as external.

I administer ServiceNow at a small community college. (I started in 2020 not knowing anything about ServiceNow. Everything I've learned has been on the job, much by trial and error). Less than two-thousand of the users in my sys_user table are employees. I give most of them the snc_internal role which I assign via a group that contains all employees. The rest of the users in my sys_user table are students - more than 33 thousand of them - prospective, current, and former students. I give them the snc_external role to severely limit their ability to do anything beyond basic use of a service portal.

I knew that creative manipulation of the URL can get a person to a list view, page, or something else that they didn't directly link to. When I was trying to decide which role would be most appropriate for students I tested URL manipulation starting at a service portal page and modifying the url to go to the sys_user table. I found that the snc_internal role allowed read access to the sys_user list view and some record values. Snc_external didn't allow that access. That is why I decided to use it for student users.

At least that was my reasoning/logic 2-3 years ago when I implemented that solution. 

Thank you for all your assistance! If you have other suggestions/ideas I'm open to them.

0 Helpfuls