Managing Groups and Roles
‎12-12-2017 09:51 AM
We are going to be migrating from HP Service Manager to ServiceNow (Jakarta). I'm looking for some advice on how to set up user roles and groups.
We currently have access controlled in Active Directory using 12 user roles (Standard User, Change Mgr, read only, etc.) and every user (Operator record) is assigned to a role. Users are then part of Assignment Groups (we currently have 875 Assignment Groups). Managers of the group maintain group membership. Users can be members of multiple Assignment Groups. We have approx. 9000 licensed users; this does not include Self Service users.
Because of licensing constraints, we need to keep a tight control on who has access to ServiceNow.
From my understanding of the training and videos, ServiceNow recommends assigning roles to groups and adding users to the groups. So, I think, a manager could add anyone to a group and thus have access to ServiceNow without our knowledge, as it would be done in Active Directory. We don't want to place an undue burden on our Security group to create and maintain Assignment Groups (nor should they).
Is there a better way to set this up or am I misunderstanding how this will work? Did you set it up and realize you would have done things differently? Any advice or things to avoid?
Thanks.

‎12-12-2017 12:59 PM
Hello,
We had a similar requirement in our organization.
We have built automation for adding users to groups.
If a user needs to have any role (itil, asset, ...), they need to complete trainings.
We run a daily scheduled job to pull training records from an external DB into ServiceNow.
Also, we have built a catalog item with approvals and workflow so that group managers need to verify access before approval.
After approval is completed, a workflow run script adds the user to the group.
Also, we implemented a license tracking application which removes roles from users who haven't logged in to the instance in the last 90 days.
Regards,
Sachin
‎12-12-2017 01:17 PM
Hi Jodi,
You can control the group memberships using Active Directory if you have LDAP set up; it will just take a bit of scripting to make sure that the users are added/removed when their memberof attribute changes within LDAP (it may also be worth making sure that the users are disabled in ServiceNow as soon as they are disabled within Active Directory to keep licenses down).
You can also run a scheduled report on new items added to the 'sys_user_has_role' table and have it emailed to you daily; this will allow you to see any users who have been provided roles on that day.
Kind Regards
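The memberOf-driven sync described in the reply above, as an added example that is not code from this thread or from ServiceNow's LDAP integration. It computes, for one user, which ServiceNow group memberships to add or remove from the AD memberOf attribute and deactivates the user when the AD account is disabled. The AD group DNs, the ServiceNow group names and the DN-to-group lookup table are constructed; in an instance the lookup would live in a table and the resulting plan would be applied with GlideRecord on sys_user_grmember and sys_user.

```javascript
// Added example, not code from the thread: working out which ServiceNow group
// memberships to add or remove when a user's LDAP memberOf attribute changes,
// and deactivating the user when the AD account is disabled. The DNs, group
// names and the DN-to-group lookup below are constructed for the example.

// Which AD groups drive ServiceNow membership (assumed mapping). Any group
// not in this table is treated as manually maintained and left alone, so
// the sync cannot strip memberships that group managers added by hand.
const DN_TO_GROUP = new Map([
  ['CN=SN-Change-Managers,OU=Groups,DC=example,DC=com', 'Change Management'],
  ['CN=SN-Service-Desk,OU=Groups,DC=example,DC=com', 'Service Desk'],
  ['CN=SN-Asset-Team,OU=Groups,DC=example,DC=com', 'Asset Management'],
]);
const MANAGED_GROUPS = new Set(DN_TO_GROUP.values());

// Bit 0x2 of userAccountControl is ACCOUNTDISABLE in Active Directory.
const ACCOUNTDISABLE = 0x2;

function isDisabled(ldapUser) {
  return (Number(ldapUser.userAccountControl) & ACCOUNTDISABLE) !== 0;
}

// Translate memberOf DNs into ServiceNow group names. DNs with no mapping are
// returned separately so they can be logged instead of silently dropped.
// The comparison is case-insensitive because AD DNs are.
function groupsFromMemberOf(memberOf) {
  const groups = new Set();
  const unmapped = [];
  for (const dn of memberOf) {
    let hit;
    for (const [mappedDn, group] of DN_TO_GROUP) {
      if (mappedDn.toLowerCase() === dn.toLowerCase()) { hit = group; break; }
    }
    if (hit) groups.add(hit); else unmapped.push(dn);
  }
  return { groups, unmapped };
}

// Build the sync plan for one user. currentGroups is the user's present
// ServiceNow group list. A disabled AD account is deactivated and loses
// every managed group, regardless of what memberOf still says.
function planUserSync(ldapUser, currentGroups) {
  const active = !isDisabled(ldapUser);
  const { groups: desired, unmapped } = active
    ? groupsFromMemberOf(ldapUser.memberOf || [])
    : { groups: new Set(), unmapped: [] };
  const add = [...desired].filter(g => !currentGroups.includes(g));
  const remove = currentGroups.filter(g => MANAGED_GROUPS.has(g) && !desired.has(g));
  return { user: ldapUser.sAMAccountName, active, add, remove, unmapped };
}

// Constructed sample input: one normal account whose AD groups changed, and
// one account that has just been disabled in AD (512 = NORMAL_ACCOUNT,
// 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE).
const SAMPLE_LDAP_USERS = [
  {
    sAMAccountName: 'sample.user',
    userAccountControl: 512,
    memberOf: [
      'cn=sn-change-managers,ou=groups,dc=example,dc=com', // different case on purpose
      'CN=Printer-Users,OU=Groups,DC=example,DC=com',      // no ServiceNow mapping
    ],
    currentGroups: ['Service Desk', 'Local Manual Group'],
  },
  {
    sAMAccountName: 'leaver.user',
    userAccountControl: 514,
    memberOf: ['CN=SN-Service-Desk,OU=Groups,DC=example,DC=com'],
    currentGroups: ['Service Desk', 'Asset Management', 'Local Manual Group'],
  },
];

function sampleSyncPlans() {
  return SAMPLE_LDAP_USERS.map(u => planUserSync(u, u.currentGroups));
}

for (const p of sampleSyncPlans()) {
  console.log(p.user, 'active=' + p.active, 'add=' + p.add, 'remove=' + p.remove);
}
```

The plan only ever removes groups that the lookup table owns, which is what keeps an LDAP sync from fighting with the 875 manager-maintained Assignment Groups from the original question; unmapped DNs are surfaced rather than ignored so a newly created AD group that should drive access is noticed.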