Thank you for your feedback.
Form temporarily unavailable. Please try again or contact to submit your comments.

Control user access to application services

Log in to subscribe to topics and get notified when content changes.

Control user access to application services

Assign user roles to service groups to grant users access to application services in your organization. Your organization may restrict access to some services for security or secrecy reasons.

Before you begin

Make sure that you have performed the user provisioning tasks for the users you want to grant access:
  1. Add users to user groups.
  2. Create new roles.
  3. Assign roles to users or user groups.

Also, make sure that you have created service groups as described in Group application services.

Role required: app_service_admin or sm_admin

About this task

In the base system, the following roles provide access to application services:
Creates and modifies application services, creates service groups, views, and edits application service maps.
Views application service maps. The itil role that serves as the basic helpdesk technician role contains the app_service_user role.
Service Mapping provides these preconfigured roles:

Sets up the Service Mapping application. Maps, fixes, and maintains application services. Also performs advanced configuration and customization of the product. Assign this role to application administrators.


Views maps for operational application service to plan change or migration, as well as analyze the continuity and availability of services. Assign this role to application users.


Provides information necessary for successful mapping of an application service. Once a service is mapped, this user reviews the results and either approves it or suggests changes. Assign the sm_app_owner role to users who own application services and are familiar with the infrastructure and applications that make up the services.

Event Management provides these preconfigured roles:

Has read and write access to all Event Management features to configure Event Management.
In addition to the evt_mgmt_user permissions, can also activate operations on alerts such as acknowledge, close, open incident, and run remediations.
Has read access to all Event Management features. Has write access to alerts to manage the alert life. Has the itil role to be able to manage incidents that are created from alerts.
Has create access to the Event [em_event] and Registered Nodes [em_registered_nodes] tables to integrate with external event sources.

Typically, enterprises have hundreds of services which makes it impractical to manage them individually. Service groups can make service lists much shorter and easier to manage, especially in large organizations or service providers. In a hierarchy of service groups, access to a parent service group automatically grants access to all the child service groups.

Users inherit permissions from roles that are assigned to them. You can assign some roles directly to service groups to allow all users with this role to access all application services belonging to this group. However, most enterprises choose to organize their roles as a hierarchy. It helps to manage roles across multiple ServiceNow applications. For example, the Service Mapping administrator [sm_admin] can be part of a broader administrator role like administrator [admin]. You can add users to user groups and then assign roles to the user groups to give permissions of this role simultaneously to all the group users.
Figure 1. Assigning a role to an application service group

Assigning a role to an application service group for user access

By default, all services are assigned to the All service group that lets all users view and manage application services. When you assign a role to a service group, the users with this role can access only application services in this service group. To enable users with this role to access other services, assign this role to the respective service group.

Note: Some references in the user interface to business services are actually references to application services.


  1. Navigate to either of the following:
    • Configuration > Application Services > Service Group Responsibilities.
    • If Service Mapping is activated: Service Mapping > Services > Service Group Responsibilities.
    • If Event Management is activated: Event Management > Services > Service Group Responsibilities.
  2. Click New and fill out the Business Service Group Responsibilities form.
    Field Description
    Business Service Group Service group to which you want to assign a role.

    Role you want to assign to the selected service group.

    For example, financial_services_admin.

  3. Click Submit.


To manage access to services that contain sensitive financial information in your organization:
  1. Organize the services into the Financial Services group.
  2. Create a new user role, financial services administrator [financial_services_admin] role, that contains the [app_service_it] role.
  3. Assign the Financial Services administrator role to the Financial Services group.
As a result, only users with the Financial Services administrator role can access application services belonging to the Financial Services group.