Manage HR roles

  • Release version: Yokohama
  • Updated January 30, 2025
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Manage HR roles

    This documentation explains how roles in the ServiceNow HR Service Delivery Scoped app manage access to HR features and data. Roles restrict access to HR modules, ensuring that only authorized HR personnel and clients (employees, contractors, alumni) can view or interact with sensitive HR information such as cases and profiles. Proper role assignment and segregation of duties help maintain data security and compliance.

    Show full answer Show less

    Key Features

    • Scoped HR Roles: Roles such as HR Administrator, HR case worker, and HR client define access levels to HR services and data. Only users with assigned HR scoped roles can access HR records.
    • Role Assignment: The HR Administrator (snhrcore.admin) role exclusively assigns HR scoped roles. System configuration requires System Administrator (admin) privileges, but post-setup, removing HR Administrator role from System Admin helps protect sensitive data.
    • Role Hierarchies and Inheritance: Roles can contain other roles, granting nested access. Assigned roles propagate access to associated users and groups.
    • Impersonation Restrictions: System Administrators impersonating HR users cannot access HR features unless they hold the corresponding HR scoped roles.
    • Performance Analytics Integration: Assign the Performance Analytics Administrator (paadmin) role to the HR Administrator to configure HR analytics dashboards. Only System Administrators can assign PA roles.
    • Delegated Developer Role: When combined with HR Administrator, this role enables managing HR objects, application structures, and extending HR application functionality.
    • HR Groups and Skills: Define HR groups by job skills to facilitate auto-assignment of HR agents to cases based on qualifications.
    • Escalation Rules: Configure rules to automatically route HR cases between support tiers considering agent skills and workload.
    • Client Roles: Control HR functionality access for employees, allowing licensing for all or specific user segments based on location or group.

    Key Outcomes

    • Controlled Access: Users have access strictly aligned with their HR roles, preserving confidentiality of HR cases and sensitive profile data.
    • Segregation of Duties: Separation of HR Administrator duties from System Administrator reduces risk of unauthorized access to sensitive HR information.
    • Operational Continuity: Scheduled HR jobs run under users with HR Admin roles, ensuring processes continue without exposing sensitive data to all System Administrators.
    • Security Best Practices: Minimum numbers of scoped admins are enforced by system properties to maintain proper governance of HR administrative roles.
    • Efficient HR Case Management: Skills-based groups and escalation rules streamline case handling and improve HR service delivery.

    Roles control access to features and capabilities in modules in the HR application.

    The HR Service Delivery Scoped app can help prevent users outside of the HR organization from accessing HR data.

    Scoped roles for both HR case workers and HR clients (employees, contractors, alumni, and others) grant access to HR services. Users without an HR scoped role typically cannot view HR cases or HR profile information. For information on all the roles installed with Case and Knowledge Management plugin, see Components installed with Case and Knowledge Management.

    Only the HR Administrator [sn_hr_core.admin] can assign scoped HR roles.

    To configure your system, you must log in as a System Administrator [admin]. The HR Administrator [sn_hr_core.admin] role is contained in the System Administrator [admin] role. The combination of these two roles allows a user to perform all tasks associated with configuring your system.

    After system configuration, ensure that only the HR Administrator [sn_hr_core.admin] role has access to sensitive information. Remove the HR Administrator role from System Administrator [admin] role to help prevent the System Administrator from viewing sensitive HR information via forms, lists and UI.

    After granting access to a role, all the groups or users assigned to the role also have access. Roles can contain other roles, and grants access to any role that contains it.
    Note:
    IT System Administrators (admin) can still impersonate ServiceNow users. When impersonating a user with an HR scope-protected role, an admin cannot access features granted by that role unless the admin already possesses those HR scope-protected roles. For more information on impersonating a user, see Impersonate a user.

    HR Performance Analytics

    To configure the Performance Analytics (PA) dashboard, assign the Performance Analytics Administrator [pa_admin] role to the HR Administrator [sn_hr_core.admin] role.
    Note:
    Only the System Administrator [admin] can assign PA roles to employees.
    Table 1. Roles
    Role Description
    System Administrator [admin] Also known as admin and IT admin.

    Within the global scope of the application, has access to all system features, functions, and data, regardless of security constraints.

    • Grant users with the delegated developer role [delegated_developer].
    • Build export sets, move content between instances (development to production), and clone instances.
    • Run guided setup or modules to manage:

      Company-wide objects like user, departments, and locations.
    HR Administrator [sn_hr_core.admin]
    This role can:
    • Assign users any of the HR roles.
    • View and access the HR Service Portal.
    • View, create, and edit HR cases in HR Case Management.
    • Access and create HR tasks inside an HR case using the Add Task related link.
    • View, create, and edit HR profiles including sensitive information like salary.
    • Create HR profiles and generate for multiple users through custom criteria.
    • Associate any user to HR roles, groups, and skills.
    • View and access HR Administration.
    • View and access HR Dashboards & Reports.
    • Run Application View to manage:
      HR objects like HR roles and profiles.
      Note:
      When the Human Resources Scoped App: Core (com.sn_hr_core) and Lifecycle Events (com.sn_hr_lifecycle_events) plugins are active, the Lifecycle Admin (sn_hr_le.admin) role is part of HR Admin (sn_hr_core.admin).
    Delegated Developer [delegated_developer] When added to the HR Administrator role, can:
    • Access, and manage HR objects like HR profile, cases, groups, roles, service catalog objects, and Service Portal.
    • Modify HR application-related objects like skills, Knowledge Base, chat, notifications, surveys, reports, integrations, and SC.
    • Modify application structures like tables, business rules, and client-side validation,
    User with HR role There are specific HR roles that allow users access to specific areas of the system. For example, the HR profile reviewer [sn_hr_core.profile_reader] role can read profiles, but not edit them.

    After system configuration, to help prevent the System Administrator from accessing sensitive information:

    • Remove the HR Administrator [sn_hr_core.admin] role from System Administrator [admin].
      • The base system requires a user with the System Administrator role to run scheduled jobs. For details on HR scheduled jobs, see Components installed with Case and Knowledge Management.
      • To ensure the scheduled jobs run, change the user in the Run as field for each scheduled job to a user that has the HR admin role.
        Note:
        Changing the user allows the scheduled jobs to run, but only a user with the System Admin role can view and run a scheduled job on demand.
      • Change the scope of the application to Human Resources: Core application. For information on changing the scope, see Contextual development edit messages.
      • Reveal the Run as field. For information on revealing hidden fields on a form, see Configuring the form layout.
    • Log out and log back in to ensure that the changes take effect.
      Note:
      Ensure that you have completed setup before removing the HR Administrator role.
      Minimum number of scoped admins required
      System properties determine the minimum number (default is two) of scoped admins that must be active for an application.
      To list the properties, enter sys_properties.list in the filter navigator and search for the property to configure.
      The list of system properties and what scoped admin can access:
      System properties
      Table 2. Properties
      Property Name Scoped Admin
      sn_hr_core.min_admin_count HR admin [sn_hr_core.admin]
      sn_hr_ef.min_admin_count Employee Document Management admin [sn_hr_ef.admin]
      sn_hr_integrations.min_admin_count HR Integration Admin [sn_hr_integrations.admin]
      sn_hr_le.min_admin_count HR Lifecycle Event Admin [sn_hr_le.admin]
      sn_hr_le_pa.admin_count HR Lifecycle Event Performance Analytics Admin [sn_hr_le_pa.admin]
      sn_hr_pa.min_admin_count HR Performance Analytics Admin [sn_hr_pa.admin]
      sn_hr_pj.min_admin_count HR Parental Journey Admin [sn_hr_le_pj.admin]
      sn_hr_sp.min_admin_count HR Service Portal Admin [sn_hr_sp.admin]
      sn_hr_va.min_admin_count HR Virtual Agent Admin [sn_hr_va.admin]
      sn_templated_snip.min_admin_count Response Template Admin [sn_templated_snip.admin]
      sn_hr_ws.min_admin_count HR Agent Workspace Admin [sn_hr_ws.admin]