User hierarchy
Summary of User hierarchy
The user hierarchy feature in ServiceNow allows managers to view records and work performed by users who report to them, based on the relationships configured in the sys_user table. This hierarchy is especially relevant in Governance, Risk, and Compliance (GRC) modules, where visibility into subordinate activities is crucial for oversight and reporting.
For example, if users Abel and Jack report to Adam, and Adam reports to Daniel, Adam can see Abel’s and Jack’s records, while Daniel can see records for all three. This structure extends across organizational roles such as sales managers, VPs, and the CEO, enabling layered data visibility aligned with managerial roles.
Enabling and Configuring User Hierarchy
- Enable User Hierarchy Access Control: A GRC administrator must activate this property in the GRC properties module to turn on user hierarchy functionality. It is off by default.
- Frequency of Recalculation: The user hierarchy data is recalculated on a schedule, defaulting to weekly, but can be changed to daily or monthly to suit organizational needs.
- Maximum Batch Size for Recalculation: Defines how many records are processed in one batch during recalculation, with a default of 1000, adjustable for performance tuning.
These properties ensure the user hierarchy data remains current and aligned with organizational changes.
Supporting Tables and Roles
- sn_grc_hierarchy: Stores the user hierarchy relationships.
- sn_grc_user_hierarchy: Displays users, their managerial hierarchy, and synchronization details. Accessible only to users with the sn_grc.user_hierarchy_reader role; records here cannot be manually altered.
- sn_grc_user_hierarchy_configuration: Contains configuration records for each table where user hierarchy access control is enabled. GRC administrators and users with the sn_grc.user_hierarchy_admin role can manage these records.
User Hierarchy Configuration Module and Access Control
Once enabled, the User Hierarchy Configuration module appears, listing tables with user hierarchy enabled. Administrators can create configuration records here to specify which tables support user hierarchy access, thus allowing managers to view relevant records of their direct reports.
Access Control Lists (ACLs) govern permissions, with default ACLs provided in the GRC application. Administrators can customize ACLs and define filter conditions to enforce user hierarchy access control on custom tables, ensuring security and appropriate data visibility.
Practical Application for ServiceNow Customers
By enabling and properly configuring user hierarchy, ServiceNow customers in GRC environments can:
- Ensure managers have visibility into the activities and records of their direct and indirect reports.
- Maintain up-to-date hierarchical data through scheduled recalculations, supporting accurate reporting and compliance monitoring.
- Control and customize access through role assignments and ACLs to meet organizational security requirements.
- Extend user hierarchy access control to custom tables, enhancing flexibility and governance.
This functionality facilitates efficient organizational oversight, promotes accountability, and supports regulatory and internal compliance efforts.
With a user hierarchy, your managers can see the records of those users who report to them.
The user hierarchy is based on the configuration in the sys_user table. The user hierarchy is stored separately for the GRC tables.
To understand how a user hierarchy works, let's look at the following example. Users Abel and Jack report to Adam. Adam reports to Daniel. With a user hierarchy, Adam can view the work performed by Abel and Jack. Similarly, Daniel can view the work performed by Adam, Abel, and Jack.
In this example, the sales manager can see the data that the sales team has submitted. The VP of sales can see the data or reports that are submitted by the sales managers and the sales team.
The VP of service can see the data that is submitted by the service managers and the support team. The CEO of the organization can see the work performed by both sales and service teams.
Enabling the properties for the user hierarchy functionality
| Property | Action |
|---|---|
| Enable user hierarchy access control | Enable the user hierarchy functionality by selecting the Yes option on the Enable user hierarchy access control property. This property is turned off by default. After you enable this property, you can also turn it off again. |
| Frequency of user hierarchy recalculation | Use the Frequency of user hierarchy recalculation property to calculate the user hierarchy for all the records in the sn_grc_user_hierarchy_configuration table. The property is set to Weekly by default. To calculate the user hierarchy for the records at different intervals, select sn_grc.user_hierarchy_sync_frequency and change the schedule from Weekly to Daily or Monthly. |
| Maximum batch size while recalculating hierarchy for user hierarchy records | Use the Maximum batch size while recalculating hierarchy for user hierarchy records property to process the records in a maximum batch size so that you can recalculate the user hierarchy of the records. This property is set to 1000 by default. To recalculate the user hierarchy of the records, select the property and update the maximum batch size to an integer value. |
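The Abel/Jack/Adam/Daniel example and the scheduled recalculation described above can be modelled as follows. This is an added illustration, not ServiceNow code: it runs in plain Node.js, and the `managerOf` map, the user Erin, and the function names are constructed assumptions. It flattens manager links into per-manager visibility, flags cyclic manager chains, and lists grants in a stored snapshot that the current manager links no longer imply.

```javascript
// Constructed sample: user -> manager, mirroring the page's example.
// Assumption: each user carries one manager reference, or null at the top.
const managerOf = { Abel: "Adam", Jack: "Adam", Adam: "Daniel", Daniel: null };

// Flatten manager links into "manager -> every direct and indirect report".
// A cyclic chain (A -> B -> A) is reported instead of looping forever.
function buildVisibility(managerOf) {
  const visible = new Map();
  const cycles = [];
  for (const user of Object.keys(managerOf)) {
    const seen = new Set([user]);
    let mgr = managerOf[user];
    while (mgr) {
      if (seen.has(mgr)) { cycles.push(user); break; }
      seen.add(mgr);
      if (!visible.has(mgr)) visible.set(mgr, new Set());
      visible.get(mgr).add(user);
      mgr = managerOf[mgr];
    }
  }
  return { visible, cycles };
}

// Sorted list of users whose records a given manager can see.
function reportsOf(visible, mgr) {
  return [...(visible.get(mgr) || [])].sort();
}

// Grants present in a stored snapshot that a fresh calculation no longer
// yields, i.e. visibility to review when manager links change between runs.
function staleGrants(snapshot, current) {
  const stale = [];
  for (const [mgr, reports] of snapshot) {
    for (const r of reports) {
      if (!(current.get(mgr) || new Set()).has(r)) stale.push(`${mgr}->${r}`);
    }
  }
  return stale.sort();
}

const snapshot = buildVisibility(managerOf).visible;
// Constructed change: Jack moves to Erin, who is outside Adam's chain.
const afterMove = { ...managerOf, Jack: "Erin", Erin: null };
const current = buildVisibility(afterMove).visible;
console.log(reportsOf(snapshot, "Daniel"));
console.log(staleGrants(snapshot, current));
```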
Tables that are used to support the user hierarchy functionality
| Table | Description |
|---|---|
| sn_grc_hierarchy | Table that maintains the hierarchy of the users. |
| sn_grc_user_hierarchy | Table that displays the name of the user, the managerial hierarchy, and the last synchronized details. As a user with the sn_grc.user_hierarchy_reader role, you can read the records in this table. No other user can manually create, update, or delete the records in this table. |
| sn_grc_user_hierarchy_configuration | Table that contains a separate record for each table where the user hierarchy access control is enabled. As a GRC administrator, you can manually create and delete the records in this table. As a user with the sn_grc.user_hierarchy_admin role, you can also read or update the records in this table. |
User hierarchy configurations module
The User hierarchy configuration module is displayed in your instance only after you enable the user hierarchy properties. The User hierarchy configuration module, which is shown in the following example, lists the tables on which you have enabled the user hierarchy functionality.
Access control lists (ACLs): By default, a few access control lists are shipped with the GRC application, and they are stored in the sys_security_acl table. You can define a filter condition to check if the user hierarchy access control is enabled. You can create your own access control lists depending on your configuration and requirements.