Manage HR roles

Roles control access to features and capabilities in modules in the HR application.

The HR Service Delivery Scoped app prevents users outside of the HR organization from accessing HR data.

Scoped roles for both HR case workers and HR clients (employees, contractors, alumni, and others) grant these users access to HR services. Users without an HR scoped role are blocked from viewing HR cases or HR profile information.

Only the HR Administrator [sn_hr_core.admin] can assign scoped HR roles. These roles can be assigned to inactive users to create HR cases for new hires and alumni.

IT System Administrators [admin] can still impersonate ServiceNow users. However, when impersonating a user with a scoped HR role, an admin is not able to access features granted by that role, including HR cases and profile information. Also, admin cannot change the password of any user with a scoped HR role.

To configure your system, you must log in as a System Administrator [admin]. The HR Administrator [sn_hr_core.admin] role is contained in the System Administrator [admin] role. The combination of these two roles allows a user to perform all tasks associated with configuring your system.

After system configuration, ensure that only the HR Administrator [sn_hr_core.admin] role has access to sensitive information. Remove the HR Administrator role from the System Administrator [admin] role to prevent the System Administrator from viewing sensitive HR information.

After access has been granted to a role, all the groups or users assigned to the role are granted the access. Roles can contain other roles, and any access granted to a role is granted to any role that contains it.
Note: IT System Administrators (admin) and HR scoped users can still impersonate ServiceNow users. When impersonating a user with a scoped HR role, an admin or any HR scoped user cannot access features granted by that role. HR cases and profile information cannot be accessed. Only users with the scoped HR Administrator [sn_hr_core.admin] can see case details when impersonating other scoped HR users. Also, admin cannot change the password of any user with a scoped HR role. For more information on impersonating a user, see Impersonate a user.
Role Description
System Administrator [admin]
Also known as admin and IT admin.

Within the global scope of the application, has access to all system features, functions, and data, regardless of security constraints.

  • Grant users the delegated developer role [delegated_developer].
  • Build export sets, move content between instances (development to production), and clone instances.
  • Run guided setup or modules to manage:
    • Company-wide objects like users, departments, and locations.
HR Administrator [sn_hr_core.admin]
This role can:
  • Assign users any of the HR roles.
  • View and access the HR Service Portal.
  • View, create, and edit HR cases in HR Case Management.
  • Access and create HR tasks inside an HR case using the Add Task related link.
  • View, create, and edit HR profiles including sensitive information like SSN and salary.
  • Create HR profiles and generate them for multiple users through custom criteria.
  • Associate any user to HR roles, groups, and skills.
  • View and access HR Administration.
  • View and access HR Dashboards & Reports.
  • Run Application View to manage:
    • HR objects like HR roles and profiles.
    Note: Lifecycle Admin (sn_hr_le.admin) is part of HR Admin (sn_hr_core.admin) when the Human Resources Scoped App: Core (com.sn_hr_core) and Lifecycle Events (com.sn_hr_lifecycle_events) plugins are activated. To use the scoped admin features, you must remove the Lifecycle Admin role from the HR Admin role.
  • Run the Update Client Roles scheduled job.
    Note: The base system assigns the HR Admin (hradmin) user to this scheduled job. If you delete the HR Admin user, ensure that you assign another user with the HR admin (sn_hr_core.admin) role to this scheduled job.
Delegated Developer [delegated_developer]
When added to the HR Administrator role, can:
  • Access and manage HR objects like HR profile, cases, groups, roles, service catalog objects, and Service Portal.
  • Modify HR application-related objects like skills, Knowledge Base, chat, notifications, surveys, reports, integrations, and SC.
  • Modify application structures like tables, business rules, and client-side validation.
User with HR role
There are specific HR roles that allow users access to specific areas of the system. The HR profile reviewer [sn_hr_core.profile_reader] role can read profiles, but not edit them.
User without HR role
Users without an HR role cannot access HR Service Delivery or the Employee Service Center.
User with no role
Users with no role cannot see any HR information even on HR cases they created or have HR tasks assigned to them.
After system configuration, to ensure that only HR Administrator has access to sensitive information and prevent the System Administrator from accessing sensitive information:
  • Remove the HR Administrator [sn_hr_core.admin] role from System Administrator [admin].
  • Ensure that you have at least two users with the HR Administrator role. If you assign only one person with the role and that person is deactivated, you no longer have a user that can perform the HR admin duties.
  • Log out and log back in to ensure that the changes take effect.
    Note: Ensure that you have completed setup before removing the HR Administrator role.
    Note: Scheduled jobs that require the Admin role do not run. However, all HR scheduled jobs should run after the Admin role is removed.
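
The check implied by the steps above and by the role-containment rule, as an added example that is not ServiceNow code: it reports whether admin still contains sn_hr_core.admin and whether at least two active users will hold HR admin once that link is removed. The record shapes, user names and function names are assumptions, and the sample data is constructed.

```javascript
const HR_ADMIN = "sn_hr_core.admin";

// Every role reachable from `role` through containment, including itself.
// The `seen` set also protects against accidental containment cycles.
function effectiveRoles(role, edges) {
  const seen = new Set([role]);
  const queue = [role];
  while (queue.length > 0) {
    const current = queue.pop();
    for (const e of edges) {
      if (e.role === current && !seen.has(e.contains)) {
        seen.add(e.contains);
        queue.push(e.contains);
      }
    }
  }
  return seen;
}

// Active users who hold HR admin, directly or through a containing role.
function hrAdminHolders(edges, users) {
  return users
    .filter((u) => u.active)
    .filter((u) => u.roles.some((r) => effectiveRoles(r, edges).has(HR_ADMIN)))
    .map((u) => u.name);
}

function auditHrSeparation(edges, users) {
  const findings = [];
  if (effectiveRoles("admin", edges).has(HR_ADMIN)) {
    findings.push("admin still contains " + HR_ADMIN);
  }
  // Count holders as they will be once the admin -> HR admin link is gone.
  const after = edges.filter((e) => !(e.role === "admin" && e.contains === HR_ADMIN));
  const holders = hrAdminHolders(after, users);
  if (holders.length < 2) {
    findings.push("only " + holders.length + " active HR admin(s) after removal");
  }
  return { findings, holders };
}

// Constructed sample data: the two containment links the page describes.
const sampleEdges = [
  { role: "admin", contains: HR_ADMIN },
  { role: HR_ADMIN, contains: "sn_hr_le.admin" },
];
const sampleUsers = [
  { name: "it.admin", active: true, roles: ["admin"] },
  { name: "hr.lead", active: true, roles: [HR_ADMIN] },
  { name: "hr.alum", active: false, roles: [HR_ADMIN] }, // inactive users can hold HR roles
];
console.log(auditHrSeparation(sampleEdges, sampleUsers));
```

With the sample data both findings fire: the IT admin inherits HR admin only through containment, and the inactive alumni account does not count toward the two required HR administrators.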