Roles control access to features and capabilities in modules in the HR
application.
The HR Service Delivery
Scoped app prevents users outside of the HR organization from accessing HR data.
Scoped roles for both HR case workers and HR clients (employees, contractors, alumni, and
others) grant access to HR services. Users without an HR scoped role cannot view HR cases or
HR profile information.
Only the HR Administrator [sn_hr_core.admin] can assign scoped HR roles.
To configure your system, you must log in as a System Administrator [admin]. The HR
Administrator [sn_hr_core.admin] role is contained in the System Administrator [admin] role.
The combination of these two roles allows a user to perform all tasks associated with
configuring your system.
After system configuration, ensure that only the HR Administrator [sn_hr_core.admin] role has
access to sensitive information. Remove the HR Administrator role from System Administrator
[admin] role to prevent the System Administrator from viewing sensitive HR information.
After granting access to a role, all the groups or users assigned to the role also have
access. Roles can contain other roles, and grants access to any role that contains it.
Note:
IT System Administrators (admin) and HR scoped users can still impersonate ServiceNow users.
When impersonating a user with a scoped HR role, an admin or any HR scoped user cannot
access features granted by that role. HR cases and profile information are not accessible.
Only users with the scoped HR Administrator [sn_hr_core.admin] can see case details when
impersonating other scoped HR users. Also, admin cannot change the password of any user with
a scoped HR role. For more information on impersonating a user, see
Impersonate a user.
- HR Performance Analytics
- To configure the Performance Analytics (PA) dashboard, assign the Performance Analytics
Administrator [pa_admin] role to the HR Administrator [sn_hr_core.admin] role.
Note: Only
the System Administrator [admin] can assign PA roles to employees.
Role |
Description |
System Administrator [admin] |
Also known as admin and IT admin. Within the global scope of the application,
has access to all system features, functions, and data, regardless of security
constraints.
- Grant users with the delegated developer role [delegated_developer].
- Build export sets, move content between instances (development to
production), and clone instances.
- Run guided setup or modules to manage:
- Company-wide objects like user, departments, and locations.
|
HR Administrator [sn_hr_core.admin] |
|
Delegated Developer [delegated_developer] |
When added to the HR Administrator role, can:
- Access, and manage HR objects like HR profile, cases, groups, roles, service
catalog objects, and Service Portal.
- Modify HR application-related objects like skills, Knowledge Base, chat,
notifications, surveys, reports, integrations, and SC.
- Modify application structures like tables, business rules, and client-side
validation,
|
User with HR role |
There are specific HR roles that allow users access to specific areas of the
system. For example, the HR profile reviewer [sn_hr_core.profile_reader] role can
read profiles, but not edit them. |
User without HR role |
Users without an HR role cannot access HR Service Delivery. |
User with no role |
Users with no role cannot see any HR information even on HR cases they created
or have HR tasks assigned to them. |
After system configuration, to ensure that only HR Administrator has access to sensitive
information and prevent the System Administrator from accessing sensitive information: