Flow roles

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Flow roles

    Flow roles in ServiceNow allow you to create flows and subflows that run with specific roles instead of the roles of the user who initiates them. This enables user-initiated flows to execute with designated permissions, improving control and security in automation processes.

    Show full answer Show less

    Role selection and assignment

    • Flows can run either as the system user (with the system role) or as the user who initiates the session.
    • Roles can only be assigned to flows running as the initiating user, not to those running as the system user.
    • You can assign multiple roles to a flow, but selecting new roles replaces the original assigned roles.
    • If no roles are selected, the flow inherits the roles of the initiating user.
    • Only roles accessible to you within the flow’s application scope can be assigned, excluding high-security roles such as admin, securityadmin, and specific application admin roles.

    Modification, copying, and missing roles

    • Users can modify a flow only if they have all the roles assigned to that flow; otherwise, the flow is read-only for them.
    • When a flow is copied, assigned roles are removed, and the copied flow runs with either the system role or the initiating user's roles.
    • If a flow references a role not present on the instance (due to removal or instance migration), the role appears as a sysid, and you cannot save changes until the role is either added back or removed from the flow.

    Execution and subflow roles

    • The roles a flow runs with can be viewed in the flow execution details under the "Run with role(s)" field, visible only for flows running as the initiating user.
    • Flows and subflows run with their own independently assigned roles; subflows do not inherit roles from parent flows.
    • When returning from a subflow to a parent flow, any special roles from the subflow are removed, and the parent flow resumes with its own roles.

    Access control considerations

    Assigning roles to a flow does not automatically grant access to all records or tables. Roles are one factor in Access Control List (ACL) rules. If a flow cannot access expected records, review the relevant ACL rules for tables and fields, as additional conditions may apply.

    Create flows and subflows that run with specific roles. Assigning roles enables you to create user-initiated flows that run with their own roles rather than the user's roles.

    Role selection

    A flow runs as either the system user or as the user who initiates the session. You can only assign roles to flows that run as the user who initiates the session. When the flow runs as the system user, it runs with the system role, and individual role selection isn't available. For more information, see Create a flow in Workflow Studio.

    You can assign multiple roles to a flow. Selecting new roles replaces the flow's original roles. If roles aren't selected, the flow runs with the roles of the user who initiates the session.

    The roles you can select for a flow depend on the roles you have and the application scope of the flow. Assign any roles you that have access to in a particular scope, except high-security roles. You can't assign the following roles to a flow:
    • admin
    • security_admin
    • application-specific admin roles, such as an application admin role for Human Resources.

    Modified and copied flows

    Other users can modify and copy your flow. To modify a flow, a user must have the same roles as the flow. Users missing any of the roles assigned to the flow, sees the flow as read-only.

    When you copy a flow, the assigned roles are removed. The copied flow runs with either the system role or the roles of the user who initiated the session.

    Missing roles

    Sometimes a flow refers to a role that is not on the instance. The missing role may have been removed or may not exist on the instance. Either situation can occur when moving a flow between instances. When a role is unavailable, the Run with role(s) field displays the sys_id of the role instead of its name. While the role is missing, you cannot save changes to the flow. To save flow changes, either remove the role from the flow or add it to the instance.

    Flow roles in execution details

    You can see the "Run with" roles for a flow by viewing the flow execution details. Use the Run As field to determine which user ran the flow. Only flows that ran as the initiating user can have roles assigned. These flows have a Run with role(s) field that displays the roles assigned to the flow.

    Subflow roles

    Flows and subflows each run with their own roles. Subflows don't inherit roles from a parent flow. When flow execution returns to a parent flow from a child flow, any special roles associated with the child flow are removed. The parent continues execution with its own roles.

    Access control lists

    Assigning a role to a flow doesn't guarantee that the flow can access a record or table. While roles are an important part of access control lists (ACLs), they are just one possible condition. If a flow cannot access the records you expect it to, review the record ACL rules for the table and fields. The ACL rules might require additional criteria to grant access. For more information, see access control list rules.