Thank you for your feedback.
Form temporarily unavailable. Please try again or contact to submit your comments.

Control user access to business services

Log in to subscribe to topics and get notified when content changes.

Control user access to business services

Assign user roles to service groups to control user access to business or IT services in your organization.

Before you begin

Make sure that you have performed the user provisioning tasks for Service Mapping or Event Management users:
  1. Add users to groups.
  2. Create new roles.
  3. Assign roles to a usera user or user groups.

Make sure that you have created service groups as described in Organize business services into groups.

Role required: admin

About this task

Users inherit permissions from roles that are assigned to them. Service Mapping provides these preconfigured roles:

Sets up the Service Mapping application. Maps, fixes, and maintains business services. Also performs advanced configuration and customization of the product. Assign this role to application administrators.


Views business service maps to plan change or migration, as well as analyze the continuity and availability of services. Assign this role to application users.


Provides information necessary for successful mapping of a business service. Once a service is mapped, this user reviews the results and either approves it or suggests changes. Assign the sm_app_owner role to users who own business services and are familiar with the infrastructure and applications that make up the services.

Event Management provides these preconfigured roles:

Has read and write access to all Event Management features to configure Event Management.
In addition to the evt_mgmt_user permissions, can also activate operations on alerts such as acknowledge, close, open incident, and run remediations.
Has read access to all Event Management features. Has write access to alerts to manage the alert life. Has the itil role to be able to manage incidents that are created from alerts.
Has create access to the Event [em_event] and Registered Nodes [em_registered_nodes] tables to integrate with external event sources.

Typically, enterprises have hundreds of services which makes it impractical to manage them individually. How you organize business, manual or technical services, depends on the user and service provisioning policies of your enterprise.The relation between business services in groups is purely logical and the same business service can be part of more than one group. For more information about service groups, see Organize business services into groups.

You can also have a hierarchy of service groups with some groups embedded within others. If users have access to a parent business service group, they automatically have access to all its child groups.

By assigning a Service Mapping role to a service group, you allow all users with this role to access all services belonging to this group.
Figure 1. Assigning a role to a service group

Assigning a role to a business service group for user access

In the base system, all services are assigned to the All service group that lets all users view and manage the services. When you assign a role to a service group, the users with this role can access only IT services in this service group. Users cannot access any IT services, which are not part of that service group.

You can give access to services to existing or new users. You can also add users to groups to assign roles simultaneously to multiple users.

You can assign some roles directly to business service groups. However, most enterprises choose to organize their roles as a hierarchy. It helps to manage roles across multiple ServiceNow applications. For example, the Service Mapping administrator [sm_admin] can be part of a broader administrator role like administrator [admin]. By assigning roles to user groups, you give permissions and rights of this role to all users belonging to the same group.

When you delete a business service group, business services in the group are not deleted. The connection between the role and the services making up this group (responsibilities) are removed.


  1. If using Service Mapping, navigate to Service Mapping > Services > Service Group Responsibilities.
  2. If using Event Management, navigate to Event Management > Services > Service Group Responsibilities.
  3. Click New.
  4. In the Business Service Group field, enter the name of the group.
  5. In the Role field, enter the name of the role.
    For example, evt_mgmt_admin.
  6. Click Submit.