Control user access to application services

  • Release version: Australia
  • Updated March 12, 2026

    Assign user roles to service groups to grant users access to application services in your organization. Your organization may restrict access to some services for security or secrecy reasons.

    Before you begin

    Make sure that you have performed the user provisioning tasks for the users you want to grant access:
    1. Add users to user groups.
    2. Create new roles.
    3. Assign roles to users or user groups.

    Also, make sure that you have created service groups as described in Group application services.

    Role required: app_service_admin or service_mapping_admin

    About this task

    In the base system, the following roles provide access to application services:
    app_service_admin

    Creates and modifies service instances, creates service groups, and views and edits service instance maps.

    app_service_user

    Views maps for operational service instances and retrieves service content using the getContent - GET REST API. The itil role that serves as the basic helpdesk technician role contains the app_service_user role.

    Service Mapping provides these preconfigured roles:
    service_mapping_admin

    Sets up the Service Mapping application. Maps, fixes, and maintains service instances. Also performs advanced configuration and customization of the product. Assign this role to application administrators.

    service_mapping_user

    Views maps for operational service instances to plan change or migration, as well as analyze the continuity and availability of services. Assign this role to application users.

    sm_app_owner

    Provides information necessary for successful mapping of a service instance. Once a service is mapped, this user reviews the results and either approves it or suggests changes. Assign the sm_app_owner role to users who own service instances and are familiar with the infrastructure and applications that make up the services.

    Note:
    Users with the sn_cmdb_editor or itil role only can view all service instances.

    Event Management provides these preconfigured roles:

    evt_mgmt_admin
    Has read and write access to all Event Management features to configure Event Management.
    evt_mgmt_operator
    In addition to the evt_mgmt_user permissions, can also activate operations on alerts such as acknowledge, close, open incident, and run remediations.
    evt_mgmt_user
    Has read access to all Event Management features. Has write access to alerts to manage the alert life cycle. Has the itil role to be able to manage incidents that are created from alerts.
    evt_mgmt_integration
    Has create access to the Event [em_event] and Registered Nodes [em_registered_nodes] tables to integrate with external event sources.

    Typically, enterprises have hundreds of services, which makes it impractical to manage them individually. Service groups can make service lists much shorter and easier to manage, especially in large organizations or service providers. In a hierarchy of service groups, access to a parent service group automatically grants access to all the child service groups.

    Users inherit permissions from the roles that are assigned to them. You can assign some roles directly to service groups so that all users with the role can access all application services belonging to the group. However, most enterprises choose to organize their roles as a hierarchy, which helps to manage roles across multiple ServiceNow applications. For example, the Service Mapping administrator [service_mapping_admin] can be part of a broader administrator role like administrator [admin]. You can add users to user groups and then assign roles to the user groups to grant the permissions of those roles to all users in the group at once.
    Figure 1. Assigning a role to an application service group


    By default, all new services are assigned to the All service group that lets all users view and manage service instances. When you assign a role to a service group, the users with this role can access service instances in this service group and in the All service group. To enable users with this role to access other services, assign this role to the respective service group. Do not assign user roles directly to the All service group.

    Procedure

    1. Navigate to one of the following:
      • Configuration > Application Services > Service Group Responsibilities.
      • If Service Mapping is activated: Service Mapping > Services > Service Group Responsibilities.
      • If Event Management is activated: Event Management > Services > Service Group Responsibilities.
    2. Click New and fill out the Application Service Group Responsibilities form.
      Field                       Description
      Application Service Group   Service group to which you want to assign a role.
      Role                        Role you want to assign to the selected service group.
                                  For example, financial_services_admin.

    3. Click Submit.

    Example

    To manage access to services that contain sensitive financial information in your organization:
    1. Organize the services into the Financial Services group.
    2. Create a new user role, Financial Services administrator [financial_services_admin], that contains the app_service_admin role.
    3. Assign the Financial Services administrator role to the Financial Services group.
    As a result, only users with the Financial Services administrator role can access application services belonging to the Financial Services group.
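
The access rules described on this page (roles that contain other roles, parent service groups granting access to child groups, and the open All group), modelled as an added example; it is not ServiceNow code and does not call the platform's API. The Payments group, the service names and the users are hypothetical, and the model covers group-level access only, not what each role permits.

```javascript
// Constructed sample data. Only the role names and the "All" and
// "Financial Services" groups come from the page; "Payments", the
// service names and the users are hypothetical.
const roleContains = {
  financial_services_admin: ['app_service_admin'],
  itil: ['app_service_user'],
  admin: ['service_mapping_admin'],
};
const groupParent = { 'All': null, 'Financial Services': null, 'Payments': 'Financial Services' };
const responsibilities = [{ group: 'Financial Services', role: 'financial_services_admin' }];
const serviceGroup = { Ledger: 'Payments', Payroll: 'Financial Services', Wiki: 'All' };
const userRoles = { alice: ['financial_services_admin'], bob: ['itil'] };

// A user holds every role assigned directly plus all roles those contain.
function effectiveRoles(user) {
  const seen = new Set();
  const stack = [...(userRoles[user] || [])];
  while (stack.length) {
    const role = stack.pop();
    if (seen.has(role)) continue; // also guards against containment cycles
    seen.add(role);
    stack.push(...(roleContains[role] || []));
  }
  return seen;
}

// Access to a parent group grants access to its children, so a service is
// reachable through its own group or any ancestor group.
function canAccess(user, service, resp = responsibilities) {
  const roles = effectiveRoles(user);
  for (let g = serviceGroup[service]; g != null; g = groupParent[g]) {
    if (g === 'All') return true; // default group: open to all users
    if (resp.some(r => r.group === g && roles.has(r.role))) return true;
  }
  return false;
}

// Review checks drawn from the page: no role assigned directly to "All",
// and a list of the services still sitting in the default group.
function audit(resp = responsibilities) {
  return {
    rolesOnAll: resp.filter(r => r.group === 'All').map(r => r.role),
    servicesInAll: Object.keys(serviceGroup).filter(s => serviceGroup[s] === 'All'),
  };
}
```

Running `audit()` against an export of real group responsibilities shows which services are still visible to every user because they were never moved out of the All group.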