Chapter Two, user administration. In this chapter, we'll be talking about user account configuration, and groups and roles. User Account configuration. A user is an account with access to ServiceNow instance. Each user has the capability to perform operations adhering to their roles and designated privileges. user information is stored as records in sis underscore user table.
To view the profile information of current user, simply go to the Self Service application and under it in my profile module. It is worth noting that we can manage the accessibility of individuals within ServiceNow instance by adding them as users within the table and assigning them to groups. Users are logged into ServiceNow by one of the following methodological first is manually This is the traditional method Entering username and password and upon correct credentials, users provided the access to application same as other web based applications. This methodology is maintained within ServiceNow itself. And this is what we will be using in our use cases to next is LD AP LD AP stands for Lightweight Directory Access Protocol. It provides the access and maintenance of distributed directory information services over IP network does outside of ServiceNow.
There's a read only connection maintained between ServiceNow and LDAP data that is ServiceNow can not modify customer LD AP data. There are two aspects to the integration between ServiceNow and LD AP, or as I'm going to call it as LDAP. First is data population. This method inherits user records from LDAP database and populate it into the service Now instance, in case of data inconsistencies, user gets the option to create, ignore or skip specific user records. In many cases, regular data refresh takes place between the LDAP database and ServiceNow instance for data integrity. Next is authentication.
By authenticating the user leveraging credentials from the LDAP server, users are unable to use ServiceNow application for several internal functions within the boundary of company domain. Alongside the security policies and protocols already set by the company can be utilized assets such as user account lockdown after a certain number of attempted logins, or etc. The LDAP server will send a yes or no message to ServiceNow and same policies are enforced to the application with minimal to no effort. Next is SSP. SSO stands for single sign on or external authentication. This methodology utilizes authentication standards such as sa ml open ID, or other company specific options, which enabled user to log in once and upon correct credentials.
User is provided access to multiple software systems without having to real aughh in similar to LDAP SSO is also managed outside of ServiceNow. This comes as a highly advantages and most preferred methodology. Since large corporations maintain multiple user databases and managing all of them together may get a bit cumbersome. Last is SS e SS stands for Employee Self Service. This methodology uses intranet standards where an employee logs into their company folder and once authenticated, they can access ServiceNow instance without Having to enter username or password again. It is worth noting that most of our applications today, including ServiceNow, don't store passwords within them.
It is rather transmitted as HTTPS messages, which is decoded at the destination end, providing accessibility groups and roles. A group is a collection of users with common interests such as handling an incident, approving or denying change requests, receive email notifications, etc. With several users grouped together, it becomes easier to refer to its users collectively for operations. Furthermore, groups provide a means to easily assign and manage roles and permissions designated to users. This facilitates the identification of a smaller set of users based on their roles and skill assignment. groups as records within sis underscore user underscore group table Some of the common examples of groups include chat support group, network analysts, group, training group, service desk, group, ID, administrators, group, etc.
It's also again worth noting that a user can be part of more than one group. Because I might be a part of the database group, I might be part of the network group, I might be a part of the IT administrators group as well. Depending on my responsibilities, there are two ways in which group can be created. First is manually like we can create groups manually within ServiceNow and assign users to them. When we create a group and define a user record. It automatically gets added to the group.
And second is the LDAP import. Users can import groups from LDAP database into ServiceNow groups simply acts as part of a hierarchical structure with users indirect assigning tasks as mentioned before For tasks such as incidents, change requests cetera need to be assigned to users or groups. This is achieved in two separate ways. First is the assignment look up rules. In here. assignment of tasks, such as incidents is based on parameters like category, subcategory, location or configuration items.
These fields which determine the assignment can be modified within the system policy and under the system policy application, the data lookup definitions module. Next is assignment. In here, assignment of tasks is performed based on conditions or scripts. It is recommended to assign tasks to groups rather than specific users, the users with the group can then distribute the work among themselves. Also, service now enables users to preset conditions based on which the application can itself assign tasks to a group. Using data lookup rules or assignment rules.
Role, a role is defined as the permission granted to users based on which they are provided access to certain parts of a system and perform operations over it. A user may have several roles assigned alongside a roll may have further sub roles within it. Thus, once a parent role is granted, all subsequent child roles are automatically assigned like inherently roles are stored as records in sis underscore user underscore role table. There are certain types of roles provided within ServiceNow first is system administrator. A system administrator or admin has access to all features and modules with the service now, a system administrator must be chosen meticulously as there usually is critical data such as employee personal information are related data and more, which must be protected from malicious users. For these scenarios, we can create custom admin roles with broad access of services.
Specialized adminstrator, as mentioned just now, specialized admin roles the delegated admins have access to majority of application features and can act as administrator to most of the groups. And to use this personalized underscore form, rule or role is used to manage all forms and lists within the service now. Next is fulfiller or ITIL ITIL users have fun, which is the approver underscore user at least or more roles assigned within ServiceNow. These users have complete functional access to all roles assigned to them. Next is requester ss, a requester has limited access to certain There's no features and data. They use self service and service catalog applications within ServiceNow.
They're not designated any roles and are usually enabled to make requests, such as incidents or change requests cetera. And the final type of role is approver. These users can perform all requested operations and can view or modify them. They are provided with only one role, which is approver underscore user role. It is worth noting that whenever a new role is created, system administrators are automatically granted access to that troll. Delegate role delegator admin can grant tasks between members of different groups, thereby managing the workload efficiently.
It makes use of role delegation plugin and zone underscore delegated for the other user designated to receive tasks and actions. raid on them is called a delegate. Example. Consider role delegator with delegating privileges to service desk, and database crew. In case needed, the delegator may grant access to database group for tasks usually assigned to the Service Desk, or vice versa is also true. Note in email notification delegation, the delegate user may get confused as the notifications received, it will say that the incidents are assigned to them.
Thus, it's always a good practice to let the delegate know of their additional roads beforehand. application and module security applications and modules are secured through the governing roles. Example. In the figure here. The following application menus are accessible by ITIL role and if the role field is blank, that means All Users can have access to that application. Correspondingly, if role field for module is left blank, then users will access to the application and its root level will inherently have access rights to the corresponding module.
Sample use case 2.1. First, we're going to add a user. To add a user into the ServiceNow instance, we go to user administration and users. So under user administration application, we have the users module, right and in the users module, we are gonna create the new user so we're going to create a new record by clicking this new button. Now the form to add a new user is being shown and the Add some details. So anything okay?
Department? Let's put it Is it right? I'm gonna put password as password, right? And let's put an email to pro rpa.com. Right and looks like we have, we don't have any other mandatory earning like fields that we need to fill out. Right.
So once we have filled the form, if you remember last time, we can either submit it and that way we will get back to the users the current user list or we can simply save by going to the context menu and save that tempted to save. So I have this application anytime I do this. So, summit. Let's do this. Okay. Now this is a separate application altogether and nothing.
Let me even again. So you know, you'll get the notification that says primary email device period for web chat. Okay, so I'm going to search and you can see that the user record has been successfully created. Right. Okay. So once we have the record created, I want to open it again.
Let's see, I did just the same option. It's pretty much the same thing. Right. And now I'm going to scroll down to view tabs for roles groups and delegate lists, right? Currently, because the record is pretty new, the user of Apple Jen is a pretty new record. pretty new user in the system.
So this record doesn't have any roles or groups or delegates assigned to, right. So what we are going to do is and just to let you know, in case you're not seeing these tabs, you know, you can take out the tab forms option out here and then you have separate tables for each and every view. But I keep it like very congested, just like for my preference for my sake. So that totally depends on your you your convenience and how you feel is more appropriate for you and the company as well. So we have created the user record successfully. Now, the next option we are going to do is we're going to add new group with this newly created user assigned to it.
Right, so we have successfully created the user record. And we have also verified that no records. No road records are present for this particular user. So we're going to create a new group first, right? Because that's the intent. And the overall look and feel of each and every tab is pretty much the same.
So we click on new, right, and let's add this option, something like a pro RP admin or something like that. Okay, that's the name of the group that I'm giving. And if there is an email to the group that way, which like which will be sent out to a group and all the corresponding individual users, and then we can provide a group email id as well. So I'm going to put it as the pro RPA admin at pro rp.com. Okay, right, and it's good to provide a description pro RPA admin. All right.
And once we have provided these details, we hit submit. So now, because we created this group inside the user record, so automatically, this user has been assigned to this particular group, where user equals to web object, this is the group, Greg. And similarly, in the next section will now assign roles to the group. So we also discussed this before, that it is a highly recommended practice to assign roles to groups, rather than individual users for better management. So in the group record that just that was just created, right? We go into the this record, and in here, we added all right, so let's create a row or something added.
And what do you want to do? Which role do you want to assign the group to? So I want to put the admin group admin role, right? So I hit save. And you can see adding role, admin to gender variable and to the group, zebra RP admin. Right.
So this confirms this notification confirms that the user group as well as the individual users have been assigned the admin role. Right? Okay, so this is pretty neat, easy, and it was a small chapter. And even the exercises are pretty straightforward. You can hit update or just simply save. And you can see even the roles would have the admin, the group is admin and the whole group has been providing the admin role.
Right? So there shouldn't be any concerns, I guess. In this exercise, but as we progress in chapters, it's going to be more and more complex. And for you, I'm going to give an additional exercise to add two other user to other groups as part of the Z Pro RP admin group. Right? So we have the admin group and inside it, we are going to have two sub groups.
One will be called the Z Pro RPM marketing group. And the other one is called Z Pro RPA Product Development Group. Right? I can, I can do one of those and I will pause the video and do the next one as well. But I want you guys to try it out. Or if not, I mean, that's totally fine.
I can always help. So let's create these two groups. I'm gonna name them as Z Pro RPA under the part of the Z Pro RP admin, right? So I'm going to put it as the pro Pa marketing group, right? And I'm also gonna name it as equal RP bar. Good thing at pro rpa.com.
And we need to have a period for it right? So pro IP admin group, right? And we can name it as marketing group for pro rpa.com. Right. And we can hit submit our Yeah, that's totally fine. Right?
And we create another group, which will be again, the parent for which will be the admin group. And we're gonna name it as z PR pro RP product development. Cincy Pro, our PA. Okay, see RPA fraud dev At pro rpa.com, and again, I'm gonna put it as pro RP admin group. So last one, this is going to be a part of it right? And hit submit.
Okay, so these notifications always confirm that the groups have been created successfully. And anything any role or any delegation that need that happens in the pro RP admin group will be inherently passed on to the product development and to the marketing group as well. Right. And I hope that makes sense. Because hierarchically, you know, that's how we have discussed as well. Okay.
And now, I would ask you to, you know, probably create something of your own, your own groups learn these categories, how exactly they play around and What I would ask you is to, like whenever I'm, like, I always mentioned it beforehand, right? What I'm trying to do so rather pause the video, do it yourself and then try to validate whether what you have done makes sense, and is in line to some extent with the intent that that the exercise has been provided to you. Right. So the next exercise that we're going to try again, in these roles, and with the users itself is they are going to create two users. And these two groups that feed we just got Mike just with that we just configured, we're going to assign users to these two new users to these new two new groups, which is the marketing and product development.
Right? So let's create the user. Okay. For creating a user, you can either go insert or you can just go back for now. Create a new user. And here's the user ID, which is going to be z market.
Provide the first name is z. Mark and last name is pro RPA. Right, I'm providing the title as marketing manager. Now, you can always try looking up from here as well. If you don't have that, that's totally fine that works. If we do okay, and what's gonna be the department could have been anything we can leave it as is as well if you don't have a marketing department or anything yet, right.
Let's put the password as password. Same, just to keep it consistent. And for the email of the particular user, let's put it as z market at pro rpa.com. Right. So, here I am submitting this information the user has been created successfully. Now I'll create another user.
Right? And what I'll do is provide this as the prod and the first name as the product again last name as pro RPA. And we can provide this as Product Development Manager. Right, and password same as last one, password and z prod at pro rpa.com. Right. Okay.
Now, once both these users have been created successfully, I would ask you to assign users to these two groups, right? Because last time what we did was we went to the user record and we assigned the group to, but we have the user groups already created right? So, this time you would have to add a new group, but rather like add the existing group. So I just searched for priority I can always z broad, right. And that way if you know that it becomes much easier for you to add directed, right. Okay.
And this one was so this one was the proud right so the pro RPA Product Development Group is where we want this user to be added to. So we have selected that particular from this option and adding role admin to the zebra, right and update the record. Similarly, we'll put it as z mark. Okay, g market is here. And in the groups, we're going to add z Mark c pro Rp emarketing, because the marketing group is named like this. And save.
Right? So what I would have expected from you guys is to, once you fit into groups, and once you've created the users, when I said that, you know, assign the groups, the users to the groups, or vice versa, then you can do it either ways, right? You go to the user record, add the group in it, or you go to the groups and add the users data itself. Right either ways. Whatever. And once you have done this, it's a good way to check the roles inherited by each user due to the assignment of groups.
If you remember in the notification every time it showed the admin role has been assigned to that particular user, right? So you can check the admin role is there for z market profit group to user to? hope that makes sense, right? Because this particular group has already been assigned the role. So any user who will be assigned to the group will also automatically be inherently be assigned to that particular node as well. Okay.
All right. Next, we're going to create assignment true. In this module, we'll create an assignment rule where any incident which has the following keyword, bot be ot like the robot part, right in its short description field. will be assigned automatically to Z Pro RPM marketing group, right could have been any users could have been thousand users in that particular group. So any incident which will have the bot keyword will be automatically assigned to the group. And then either the ServiceNow administrator can do it or the ServiceNow application instance itself can assign that incident to any particular user within that group.
So, to do this, we'll go to assignment module within the system policy and rules. And in here, because it's going to be a new assignment rule, so we are going to click on new, right. And also another quick trick that you know, we get all these notification types of messages, which provides an explanation of what different fields mean. And we can toggle it on or off by simply clicking this question mark menu. Once we do that all these would disappear. But it's good, right?
If ServiceNow instance in itself is assisting us to make the best use out of it, then why not keep it on? Right? So usually I do that. So let's name this particular assignment rule something xe bought. And it's currently working on the incident table, right? Because any incident with the key word bought in its short description will be assigned to a particular group.
That's the intent. That's, that's the problem that you're trying to solve. So it's going to happen on the incident table, put in the conditions, we are going to put it as a short description and it contains the word pot. Makes sense? Easy right. And what should be done?
It should be it should be assigning to so click on the assigned to and do you want it for a particular user. for a particular group, we want it for a particular group. So we're gonna go through this lookup menu. And in here, Z Pro RPA is what I'm going to search and I want to put it to the marketing group. Although I mean, logically, I don't know if how much sense it makes. But technically, that's what we're trying to implement.
So any incident which will have the bot keyword and short description will be automatically assigned to the zebra RP marketing group. Right, and we hit submit, the assignment rule has been successfully created. Now, to validate whether this assignment rule works or not. We are going to go to a new incident. Right? We can either go to all incidents and create a new incident by clicking this new one like in the incident list, of course, but we can directly click the Create new module and automatically will have the incident detail.
So we're going to have anybody who called us right and Need demo on RP a bot, right? And description. The caller has has to showcase. They use it usage of RPF for some client work, I'm just putting something up right. And once we hit submit, right, the incident has been created and everything and if you open the incident, right automatically the assignment group has been chosen as the pro RV marketing. That means the assignment rule works perfectly.
So, an exercise for everybody to try. Let's we're going to put you know, wait time and with each and every module we are going to Keep, we're gonna keep putting the acquired knowledge to some of the other test, quick test, it's not gonna be very challenging unless I mentioned itself, it's going to be based on what we have done so far. So what I'm going to ask everybody is to edit a user record says the prod that we created and add or modify its manager field to z Mark pro Rp. That means the marketing user will now be the manager for the product development manager. He'll be hierarchically on sitting on top of the product development guy, right and in case the field doesn't exist, right, then recall how to configure new fields into a form. We discuss that in chapter one, and verify that the manager has been assigned successfully.
Right so another good exercise for you guys to try on and the Coming up