Manage HR roles

Roles control access to features and capabilities in modules in the HR application.

The HR Service Delivery Scoped app prevents users outside of the HR organization from accessing HR data.

Scoped roles for both HR case workers and HR clients (employees, contractors, alumni, and others) grant these users access to HR services. Users without an HR scoped role are blocked from viewing HR cases or HR profile information.

Only the HR Administrator [sn_hr_core.admin] can assign scoped HR roles. These roles can be assigned to inactive users to create HR cases for new hires and alumni.

IT System Administrators [admin] can still impersonate ServiceNow users. However, when impersonating a user with a scoped HR role, an admin is not able to access features granted by that role, including HR cases and profile information. Also, admin cannot change the password of any user with a scoped HR role.

To configure your system, you must log in as a System Administrator [admin]. The HR Administrator [sn_hr_core.admin] role is contained in the System Administrator [admin] role. The combination of these two roles allow a user to perform all tasks associated with configuring your system.

After system configuration, ensure that only the HR Administrator [sn_hr_core.admin] role has access to sensitive information. Remove the HR Administrator role from System Administrator [admin] role to prevent the System Administrator from viewing sensitive HR information.

After access has been granted to a role, all the groups or users assigned to the role are granted the access. Roles can contain other roles, and any access granted to a role is granted to any role that contains it.
Note: IT System Administrators (admin) can still impersonate ServiceNow users. However, when impersonating a user with a scoped HR role, an admin is not able to access features granted by that role, including HR cases and profile information. Also, admin cannot change the password of any user with a scoped HR role.
Role Description
System Administrator [admin] Also known as admin and IT admin.

Within the global scope of the application, has access to all system features, functions, and data, regardless of security constraints.

  • Grant users with the delegated developer role [delegated_developer].
  • Build export sets, move content between instances (development to production), and clone instances.
  • Run guided setup or modules to manage:
    • Company-wide objects like user, departments, and locations.
HR Administrator [sn_hr_core.admin]
This role can:
  • Assign users any of the HR roles.
  • View and access the HR Service Portal.
  • View, create, and edit HR cases in HR Case Management.
  • Access and create HR tasks inside an HR case using the Add Task related link.
  • View, create, and edit HR profiles including sensitive information like SSN and salary.
  • Create HR profiles and generate for multiple users through custom criteria.
  • Associate any user to HR roles, groups, and skills.
  • View and access HR Administration.
  • View and access HR Dashboards & Reports.
  • Run Application View to manage:
    • HR objects like HR roles and profiles.
    Note: Lifecycle Admin (sn_hr_le.admin) is part of HR Admin (sn_hr_core.admin) when the Human Resources Scoped App: Core (com.sn_hr_core) and Lifecycle Events (com.sn_hr_lifecycle_events) plugins are activated. To use the scoped admin features, you must remove the Lifecycle Admin role from the HR Admin role.
Delegated Developer [delegated_developer] When added to the HR Administrator role, can:
  • Access, and manage HR objects like HR profile, cases, groups, roles, service catalog objects, and Service Portal.
  • Modify HR application-related objects like skills, Knowledge Base, chat, notifications, surveys, reports, integrations, and SC.
  • Modify application structures like tables, business rules, and client-side validation,
User with HR role There are specific HR roles that allow users access to specific areas of the system. The HR profile reviewer [sn_hr_core.profile_reader] role can read profiles, but not edit them.
User without HR role Users without an HR role can view HR information on cases they created, created for them (opened for), or have HR tasks assigned to them.
User with no role Users with no role cannot see any HR information even on HR cases they created or have HR tasks assigned to them.
After system configuration, to ensure that only HR Administrator has access to sensitive information and prevent the System Administrator from accessing sensitive information:
  • Remove the HR Administrator [sn_hr_core.admin] role from System Administrator [admin].
    Note: Ensure that you have completed setup before removing the HR Administrator role.