Flow roles

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Flow roles Build workflows > Flow Designer > Flow roles

    This content outlines how to create and manage flow roles within ServiceNow's Flow Designer. By assigning roles to flows and subflows, users can control execution permissions, allowing flows to run with specific roles rather than just the user's roles. This enhances the flexibility and security of automated workflows.

    Show full answer Show less

    Key Features

    • Role Selection: Flows can run as either the system user or the user initiating the session. Roles can only be assigned when the flow runs as the initiating user.
    • Multiple Role Assignment: You can assign multiple roles to a flow, with new selections replacing any existing roles. Flows default to the user’s roles if none are assigned.
    • Modification and Copying: Other users can modify or copy flows, but they require the same roles as the original. Copies lose assigned roles and revert to system or initiating user roles.
    • Handling Missing Roles: Flows may reference roles that are not present in the instance. If a role is missing, it will display the sysid instead of the name, preventing changes until the role is addressed.
    • Execution Details: The "Run with" roles are visible in flow execution details, indicating the roles assigned to flows running as the initiating user.
    • Subflow Roles: Subflows operate independently with their own roles and do not inherit roles from parent flows.
    • Access Control Lists (ACLs): Role assignment does not guarantee access to records. Review ACL rules for any additional criteria required for record access.

    Key Outcomes

    By effectively managing flow roles, ServiceNow customers can ensure that their workflows execute with the appropriate permissions, enhancing security and functionality. Understanding role assignments and limitations allows for better control over workflow behaviors and access to records, ultimately improving operational efficiency within the platform.

    Create flows and subflows that run with specific roles. Assigning roles enables you to create user-initiated flows that run with their own roles rather than the user's roles.

    Role selection

    A flow runs as either the system user or as the user who initiates the session. You can only assign roles to flows that run as the user who initiates the session. When the flow runs as the system user, it runs with the system role, and individual role selection isn't available. For more information, see Create a flow.

    You can assign multiple roles to a flow. Selecting new roles replaces the flow's original roles. If roles aren't selected, the flow runs with the roles of the user who initiates the session.

    The roles you can select for a flow depend on the roles you have and the application scope of the flow. Assign any roles you that have access to in a particular scope, except high-security roles. You can't assign the following roles to a flow:
    • admin
    • security_admin
    • application-specific admin roles, such as an application admin role for Human Resources.

    Modified and copied flows

    Other users can modify and copy your flow. To modify a flow, a user must have the same roles as the flow. Users missing any of the roles assigned to the flow, sees the flow as read-only.

    When you copy a flow, the assigned roles are removed. The copied flow runs with either the system role or the roles of the user who initiated the session.

    Missing roles

    Sometimes a flow refers to a role that is not on the instance. The missing role may have been removed or may not exist on the instance. Either situation can occur when moving a flow between instances. When a role is unavailable, the Run with role(s) field displays the sys_id of the role instead of its name. While the role is missing, you cannot save changes to the flow. To save flow changes, either remove the role from the flow or add it to the instance.

    Flow roles in execution details

    You can see the "Run with" roles for a flow by viewing the flow execution details. Use the Run As field to determine which user ran the flow. Only flows that ran as the initiating user can have roles assigned. These flows have a Run with role(s) field that displays the roles assigned to the flow.

    Subflow roles

    Flows and subflows each run with their own roles. Subflows don't inherit roles from a parent flow. When flow execution returns to a parent flow from a child flow, any special roles associated with the child flow are removed. The parent continues execution with its own roles.

    Access control lists

    Assigning a role to a flow doesn't guarantee that the flow can access a record or table. While roles are an important part of access control lists (ACLs), they are just one possible condition. If a flow cannot access the records you expect it to, review the record ACL rules for the table and fields. The ACL rules might require additional criteria to grant access. For more information, see access control list rules.