servicenow assignment group name character limit

Allow Group Managers to Manage Group Members

I often get the request to set up access for group managers to be able to manage the members of their groups in ServiceNow. This configuration isn’t too difficult to set up but it does involve a few different pieces. It’s also important to consider your group setup in your system before allowing access in this way. If you are bringing in group memberships from a data source like LDAP for example, the last thing you want is to have your managers manually changing those group memberships within ServiceNow. The configuration shown below could be easily customized to allow access only to non-LDAP groups if you needed to do both however.

That should do it! You may also want to create a ‘Groups’ module that is available for the role that your group managers have. This will allow your group managers easy access to the groups in the system (and with a filter access to the groups that they manage).

Mark Stanger

Date Posted:

August 9, 2010

Share This:

32 Comments

I tried to add this functionality to our instance, but I’m seeing a syntax error when I add the scripts to the ACL and the Edit condition.

Problem at line 5 character 1: Expected an assignment or function call and instead saw an expression.

That’s a syntax checker issue. The record should still save though. You should also be able to get it to work (without the syntax error) by removing the last line of the script. I’ve modified the scripts above to reflect this change.

Nice, elegant solution and easy to implement. Thanks for another great tip, Mark!

Thanks for using it! It’s a lot more fun when I know that people have found a use for a solution. :)

I’ve tried to implement this in the demo site but it’s not working. Has there been any updates since Dec 2010 to make this work?

This works fine for me when I set it up on demo. Make sure you edit the existing write, delete, and create ACLs for the ‘sys_user_grmember’ table. If you follow the instructions it should work just fine.

This was awesome and works great, thanks!

I also stole this and modified it so that group members can modify information in their own group; however, I would like to restrict their access to being able to modify just two custom fields without having to create an ACL for each field. Any suggestions?

var answer = true; //Restrict access by default if(gs.hasRole(‘user_admin’) || (gs.getUser().isMemberOf(current.assignment_group))){ answer = false; //Allow access if user has ‘user_admin’ role or is a member of the current group }

You’ll probably need at least 3 total ACLs then. You’ll need one ‘sys_user_group.*’ field level ACL that locks down write permissions to the entire record – probably to everybody but admins or something. Then you could use a script like you’ve got above in a couple of field level ACLs for just those fields that you want to open up.

Finally figured out what I was doing wrong, incase someone else wants to do this. Mark is correct about needing an ACL to give write only permission by default to admin, and an ACL for each field that needs write access, or just one .* ACL if you want group members to be able to write to all fields in the group. My problem was with the script in my previous post. The correct script is as follows:

var answer = false; //Restrict access by default if(gs.getUser().isMemberOf(sys_user_group.name)){ answer = true; //Allow access if user has ‘admin’ role or is a member of the current group }

Thanks so much for these instructions – this is working great for us!. I have just 1 question in regards to your very last statement about creating a ‘Groups’ module to make it easy for managers to get to their groups. You recommend making that module available to whatever roles our managers have. In our case, managers do not have a special role…they share a role with all other IT users (similar to the itil role). Is there a way to hide/display this module in the application navigator based on whether or not they are a group manager….basically, using the same script as we’re using in the ACL’s?

var answer = false; //Restrict access by default if(gs.hasRole(‘user_admin’) || current.group.manager == gs.getUserID()){ answer = true; //Allow access if user has ‘user_admin’ role or is group manager }

thanks, Kari

Good question, and I’m glad you’re liking the solution. Unfortunately, modules can only be restricted by role. You’ll need to give your managers a separate role in order to show the module to them, but not to regular users.

Would it not be possible to restrict access to the modules through the use of a query rule, much the same was as it can be used to restrict access to applications via query. I have this running on some of our customer instances, but havent tested it on the actual modules.

Thanks Shaun

You’re correct that it’s technically possible, but the problem is that none of the structure is there to restrict access on a per-module basis based on anything but a role. The before query business rule restricts access to modules, but it doesn’t have anything to say which module to restrict access to. If you did use a before query business rule you would need to build out some additional fields, or add a bunch of clunky conditions to check the titles of the modules you wanted to restrict in a certain way. If users already have one role, then it’s usually much easier to just grant them one additional role and be done with it.

Hi Mark, I have tested this on demo.But,the user having no user_admin role can’t see the groups.So,will u please help me to sort out this issue.

Thanks Anoop

The article assumes that the managers have the ‘itil’ role. I’ve just tested this out on demo22 with ‘ITIL User’ and it works correctly. You can review the setup in that instance to get a working config.

Is there a way to modify the code, so that it looks if you are the manager of the group or a member of the group?

Sure. Take a look at the ‘isMemberOf’ method here… https://servicenowguru.com/scripting/user-object-cheat-sheet/

The general syntax in an ACL would probably be something like this…

I tried using this in my ACL script, but it is returning FALSE always even though user belongs to the group. I am trying to impersonate the user and I see this value always returning FALSE.

Thank you so much! Now our managers can modify their own group memberships!

We’ve noticed in our instance, that while users are able to add users, when they attempt to remove and save the action. Nothing changes….is that a bug?

Probably just a mis-configuration. If you can’t remove the users from the group it probably means that your delete ACL on the ‘sys_user_grmember’ table isn’t allowing access.

Mark is right – I had to add that into my ACL because I was having the same issue. Works like a charm and adding in a “My Groups” module with a filter for only stuff of which that person’s the manager is going to be so helpful!

Thanks for a beautiful solution. I tried this and created 3 ACL create, write and delete. As you suggested the script for write and delete is the same. I am trying to make the users of the groups to be able to add/delete members.

When I do edit, I am able to add but when trying to remove from the slushbucket, nothing is happening.

Can you suggest why?

Thank you. The only thing I can think of is that you’ve got some other Delete ACL on the ‘sys_user_grmember’ table that is preventing the delete. You can debug ACLs to help identify which one might be causing the problem.

I am noticing that the manager can add and remove groups from any user form. Is there a simple way to restrict using the New and Edit buttons on the related Groups tab on the User form?

I asked before taking the time to look into it. I personalized the list control on the User record for related Groups and added the role user_admin to both New roles and Edit roles. That appears to do what I want. Otherwise the manager (and presumable other itil users) could do strange things like create a new group (with all empty fields) and associate it to the user. Or even worse, they could add and remove the user to and from any other group.

Thanks for this excellent solution. Now I won’t have to be the full-time Assignment Group editor.

Thank you Shawn,

I have discovered the same. Horrible when roles are assigned to groups :-).

Could you please write on this wich version it applies to, I think it works a bit different on Eureka.

Thanks, Annette

Should work on any ServiceNow version without issue.

On the Omit Edit Condition, in Fuji release, I had to create a function around this process otherwise it was I was unable to save the form. Unfortunately, it’s still showing the edit button on every group.

function checkgroupmgr(){ var answer = true; if(gs.hasRole(‘user_admin’) || parent.manager == gs.getUserID()){ answer = false; } return answer; }

checkgroupmgr();

suggestions?

Thanks, — Adam

I’m not sure why it’s not working in your instance but I’ve never seen an issue with this and I’ve got it running in our Crossfuze production instance successfully right now. No function required and the script exactly as shown.

Comments are closed.

• Using Import Sets for REST Integration in ServiceNow August 26th, 2024

Achim says:

Jacob Kimball says:

• Announcements
• Architecture
• Business rules
• Client scripts
• Content management
• Email Notifications
• General knowledge
• Generative AI
• Graphical workflow
• Integration
• Knowledge Management
• Miscellaneous
• Performance
• Relationships
• Script includes
• Service Portal
• Single Sign-on
• System Definition
• Web Services

Related Posts

Easily Move Customer Updates Between Update Sets

Condition Builder Attributes That Pack a Punch

Demystifying Cryptography in ServiceNow: A Comprehensive Guide to Secure Data Transmission

Fresh content direct to your inbox.

Just add your email and hit subscribe to stay informed.

Since 2009, ServiceNow Guru has been THE go-to source of ServiceNow technical content and knowledge for all ServiceNow professionals.

• Using Import Sets for REST Integration in ServiceNow
• Customize the Virtual Agent Chat Button in Service Portal
• Leveraging Joins in GlideRecord Queries

© Copyright 2009 – 2024 | All Rights Reserved

Create Favorite

• IT Professional Services
• IT Service Management

Cancel changes

Discard all changes?

Unsubscribe

In order to unsubscribe from this article, you will need to unsubscribe from the parent Knowledge Base: Public Knowledge.

Would you like to unsubscribe from Public Knowledge ?

ServiceNow Group Naming Convention

2.0 - Updated on 2023-09-13 by Michael Mears

1.0  - Authored on 2023-05-24 by Michael Mears

In ServiceNow, groups are used to organize users and control access to resources. Choosing a consistent and clear naming convention for your groups can help improve visibility, simplify administration, and make it easier for help desks to find the right assignment groups. In this article, we'll provide some best practices for group naming conventions as well as what group types are used at NC State.

Naming Convention Guidelines:

• Department example, "OIT_Wordpress" or "ENGR_Security".
• Module example, "GRC_Admin" or " HRM_Admin"
• For example, "CALS_HORT" can be renamed to "CALS_Horticulture" but "ENGR_AIF" might be seen as too long if renamed to "ENGR_Analytical_Instrumentation_Facility".
• While ServiceNow allows special characters in group names, they can cause issues with some integrations or workflows. Stick to alphanumeric characters and avoid using spaces, special characters (with the exception of underscores).
• In addition to a descriptive name, a good group description can help provide clarity on the purpose and function of the group. Keep the description concise, but include enough information to help users understand what the group is for and how it relates to their work.

Naming convention requirements:

• For example, "HR".
• For example, "HR_Benefits" or "HR_Payroll"
• For example, "HR_Benefits_Support" or "HR_Payroll_Approvers"
• If the purpose of the group being created is strictly for report sharing, please ensure that you select the "Permissions" group type in the catalog item.
• For naming conventions - Please ensure that you PRECEDE your group name with "Report". If you do not, your group request will be rejected and you will have to resend a new request with the proper naming convention.
• Write a clear and concise group description in the appropriate box.

Your browser or one of your plugins is not allowing JavaScript to be run. This is a bummer since the ServiceNow Developers Site is dynamic and depends on JavaScript to function. If you want to visit this site, please disable the plugin, activate this site for JavaScript or use another browser.

Get the Reddit app

Subreddit for ServiceNow users, admins, devs, platform owners, CTOs and everything in between.

Limit Visibility based on Group(s)

I'm looking to limit the Incidents, Requests, Requested Items and Tasks to where a Fulfiller can only see records assigned to their group.

We don't want someone from the IT group to see a ticket going to HR for a pay raise, as an example, but both groups need fulfillers.

This seems like I'm missing something obvious.

Edit: Including limiting what Global Search and whatnot will give back in the results

By continuing, you agree to our User Agreement and acknowledge that you understand the Privacy Policy .

Enter the 6-digit code from your authenticator app

You’ve set up two-factor authentication for this account.

Enter a 6-digit backup code

Create your username and password.

Reddit is anonymous, so your username is what you’ll go by here. Choose wisely—because once you get a name, you can’t change it.

Reset your password

Enter your email address or username and we’ll send you a link to reset your password

Check your inbox

An email with a link to reset your password was sent to the email address associated with your account

Choose a Reddit account to continue

• Stack Overflow for Teams Where developers & technologists share private knowledge with coworkers
• Advertising & Talent Reach devs & technologists worldwide about your product, service or employer brand
• OverflowAI GenAI features for Teams
• OverflowAPI Train & fine-tune LLMs
• Labs The future of collective knowledge sharing
• About the company Visit the blog

Collectives™ on Stack Overflow

Find centralized, trusted content and collaborate around the technologies you use most.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Get early access and see previews of new features.

ServiceNow REST API - Querying tables - grouping conditions

I need to query tables in ServiceNow via its REST API while using multiple conditions grouped as following:

( (Condition1 AND Condition2) OR (Condition3 and Condition4) ) AND Condition5 AND Condition6

Does anyone know if this is possible, and if so, how? I've looked into the documentation but I'm not able to understand if it explains how to solve my problem.

Edit 1: I forgot to mention that I did try using parenthesis in my REST calls but it has not worked.

• servicenow-rest-api

2 Answers 2

The only way I've figured out how to do it is using the ^NQ (New Query) operator.

In SQL the query would look like this:

So my query looks like this:

So you're actually duplicating the common filter (state) and using different filters on each side of the ^NQ.

I guess you could say it would be the equivalent of a UNION in SQL.

The easiest method that I found out is to go to Studio and go to your table.

Show all records from table.

There you create the filter with your conditions by clicking filter icon.

Run the filter.

Then copy query from created hyperlink (next to filter icon) with right click -> Copy query. You can also copy the whole URL. It will look like this:

Your Answer

Reminder: Answers generated by artificial intelligence tools are not allowed on Stack Overflow. Learn more

Sign up or log in

Post as a guest.

Required, but never shown

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy .

Not the answer you're looking for? Browse other questions tagged servicenow-rest-api or ask your own question .

• The Overflow Blog
• The hidden cost of speed
• The creator of Jenkins discusses CI/CD and balancing business with open source
• Featured on Meta
• Announcing a change to the data-dump process
• Bringing clarity to status tag usage on meta sites
• What does a new user need in a homepage experience on Stack Overflow?
• Feedback requested: How do you use tag hover descriptions for curating and do...
• Staging Ground Reviewer Motivation

Hot Network Questions

• how do I fix apt-file? - not working and added extra repos
• How does the phrase "a longe" meaning "from far away" make sense syntactically? Shouldn't it be "a longo"?
• Sum[] function not computing the sum
• What does "dare not" mean in a literary context?
• Approximations for a Fibonacci-Like Sequence
• Can the canonical Eudoxus-real representatives be defined easily?
• Does Psalm 127:2 promote laidback attitude towards hard work?
• Were the common people in Germany ("good germans") morally co-responsible of the war crimes of their government?
• Vivado warning: extra semicolon in not allowed here in this dialect; use SystemVerilog mode instead
• What's the purpose of scanning the area before opening the portal?
• Textile Innovations of Pachyderms: Clothing Type
• Visuallizing complex vectors?
• Is reading sheet music difficult?
• I'm a little embarrassed by the research of one of my recommenders
• Is it a good idea to perform I2C Communication in the ISR?
• What is the translation of this quote by Plato?
• Is "She played good" a grammatically correct sentence?
• Topos notions coming from topology and uniqueness of generalizations
• Help identifying a board-to-wire power connector
• Applying to faculty jobs in universities without a research group in your area
• Questions about LWE in NIST standards
• Generate all the free polyominoes who's width and height is no larger than 8
• Can the planet Neptune be seen from Earth with binoculars?
• Sub-/superscript size difference between newtxmath and txfonts