User metrics
Summarize
Summarized using AI
This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.
Summary of User metrics
User metrics in ServiceNow provide insights into user activity and security-related behaviors within your instance. These metrics help you identify anomalous or potentially risky user actions, monitor user engagement, and manage access control by analyzing login patterns, privilege assignments, and security events.
Show less
Key Metrics and Their Practical Use
- Not Logged In (Last Month / Last Six Months / Last Year): Displays users who have not logged in during these periods, helping you identify inactive accounts for potential cleanup or review. You can drill down to user details by clicking the metric.
- Users with High Privilege Roles: Shows counts and details of users assigned critical administrative roles such as admin, aishighsecurityadmin, passwordresetadmin, scriptincludeadmin, securityadmin, and useradmin. This enables you to verify that sensitive roles are properly assigned to authorized personnel.
- Users Trend: Tracks active, inactive, and locked-out users over time. Drilling into locked-out users helps you investigate causes and resolve access issues.
- Events Trend: Monitors daily counts of key security-related events including admin logins, external logins (support or audit access), failed login attempts, impersonations, security elevations, and Customer Service and Support (SNC) logins. This helps detect unusual activity and strengthen security oversight.
How to Use These Metrics
Click on any user count or event metric to view detailed user lists associated with that metric. From there, select individual users to examine their details and activity history. This functionality supports proactive security management and user lifecycle administration, ensuring your ServiceNow instance remains secure and compliant.
Analyze user metrics to look for anomalous behaviors that are related to specific types of user activity in your instance.
Not Logged in Last Month / Last Six Months / Last Year
Indicates the number of users who have not logged into the instance within the last month,
within the last six months, and within the last calendar year. To view user detail for a
specific metric:
- Click the metric to view a listing of users that have not logged in to the instance during the indicated time period.
- Click a user name to view more details about that user.
Users with High Privilege Roles
Indicates the number of users with the following high privilege role types:
| User role | Description |
|---|---|
| admin | Primary administrator role that has access to all system features, functions, and data, regardless of security constraints. |
| ais_high_security_admin | Elevated privilege role that enables a user to access High Security settings for AI Search. To learn more, see Assign roles to AI Search administrators and users. |
| password_reset_admin | Administrator role that enables a user to view the status of password reset activities, identify potential security threats, and monitor for compliance with password security policies. To learn more, see Password Reset and Password Change reports and logs. |
| script_include_admin | Administrator role that also has access to script includes. |
| security_admin | Elevated privilege role that enables a user to create and change access controls and High Security Settings. To learn more, see Security_admin role |
| user_admin | Administrator role that can also manage users, roles, user groups, roles, and department assignments. |
Note:
To learn more about these administrative role types, see Special administrative
roles.
To view user detail for a specific user role metric:
- Click the user count role metric to view a listing of users with that high privilege role type.
- Click a user name to view more details about that user. You can then determine if these security-critical roles are assigned to the proper personnel.
Users Trend
Shows count trend information over a time period for the following types of users:
| Count type | Description |
|---|---|
| Active Users | Number of users who are marked as Active in the instance. |
| Inactive Users | Number of users who are marked as Inactive in the instance. |
| Locked Out | Number of users who are locked out of the instance. |
To view user detail for a specific user count (for example, Locked Out Users):
- Click the Locked out users metric.
- In the Analytics Hub page, click Show Records.
- Click a user name to view more details about that user. You can then determine if there is a reason this person is locked out and remedy the situation.
Events Trend
Shows count trend information for specific types of events, over a time period:
| Event type | Description |
|---|---|
| Admin login | Number of users with high privilege administrator user roles who logged in on a specific day. |
| External login | Number of users with an assigned snc_external role who logged into this instance during the calendar day. These logins typically occur for maintenance, support, consulting, or audit purposes. Monitoring this metric enables you to verify that the external login attempts are legitimate and not potential security issues. |
| Failed login | Number of failed login attempts on a specific day. |
| Impersonation | Number of users logged in on a specific day who are impersonating other users. |
| Security elevation | Number of times that a security administrator has elevated security for standard users by changing their assigned user role to a high privilege security role during the calendar day. These high privilege security roles include oauth_admin, admin, security_admin, and impersonator. |
| SNC login | Number of Customer Service and Support who logged in to this instance using the hi-hopping technique during a specific day. |
To view user detail for a specific event count (for example, Impersonation):
- Click the user count metric. The Security Dashboard Event Logs page lists event logs for that type of event.
- Click a user name to view more details about that event.