Manage HR roles

  • Release version: Australia
  • Updated March 12, 2026
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Manage HR roles

    Roles in the HR application control access to HR features and data, ensuring that only authorized users within the HR organization can view and manage sensitive HR information. The HR Service Delivery Scoped app restricts access to HR cases and profiles based on scoped roles assigned to HR case workers and HR clients such as employees and contractors. The HR Administrator role ([snhrcore.admin]) plays a central role in assigning these scoped HR roles and managing HR-related configurations.

    Show full answer Show less

    Key Roles and Their Permissions

    • System Administrator [admin]: Has full access to all system features and data globally, including HR modules. This role is necessary for configuration and system-wide administrative tasks.
    • HR Administrator [snhrcore.admin]: Manages HR roles, users, cases, profiles, and dashboards. This role is included within the System Administrator role by default but should be removed post-configuration to protect sensitive HR data.
    • Delegated Developer [delegateddeveloper]: When combined with HR Administrator, can modify HR application objects and structures such as profiles, cases, service catalog, and application logic.
    • Specific HR Roles: Such as HR profile reviewer, which restricts users to read-only access to HR profiles.

    Best Practices for Role Management

    • Only assign the HR Administrator role to users who require full HR administrative privileges.
    • After completing system setup, remove the HR Administrator role from the System Administrator role to prevent unauthorized access to sensitive HR information.
    • Change the “Run as” user on HR scheduled jobs to an account with HR Administrator privileges to ensure jobs execute properly, while maintaining control over on-demand job execution via System Administrator.
    • Assign the Delegated Developer role to HR Administrators who need to perform platform development and configuration tasks within the HR application.
    • Use client roles to control employee access to HR functionality, allowing service licensing by location or group.

    Additional Configuration and Security Notes

    • Impersonation by System Administrators respects HR scoped roles; admins cannot access HR features via impersonation unless they have those roles themselves.
    • Set minimum numbers of scoped admins for various HR roles using system properties to enforce governance and continuity.
    • HR Groups and HR Skills enable grouping users by job skills and automating case assignment based on skillsets.
    • Escalation rules can be configured to route HR cases automatically based on agent skills and workload.

    Key Outcomes

    By following these role management guidelines, ServiceNow customers can:

    • Ensure strict access control to sensitive HR data and processes.
    • Maintain proper segregation of duties between system and HR administrators.
    • Enable efficient HR service delivery through skills-based case routing and role-based access.
    • Protect sensitive employee information while empowering HR staff with necessary tools and data.

    Roles control access to features and capabilities in modules in the HR application.

    The HR Service Delivery Scoped app can help prevent users outside of the HR organization from accessing HR data.

    Scoped roles for both HR case workers and HR clients (employees, contractors, alumni, and others) grant access to HR services. Users without an HR scoped role typically cannot view HR cases or HR profile information. For information on all the roles installed with Case and Knowledge Management plugin, see Components installed with Case and Knowledge Management.

    Only the HR Administrator [sn_hr_core.admin] can assign scoped HR roles.

    To configure your system, you must log in as a System Administrator [admin]. The HR Administrator [sn_hr_core.admin] role is contained in the System Administrator [admin] role. The combination of these two roles allows a user to perform all tasks associated with configuring your system.

    After system configuration, ensure that only the HR Administrator [sn_hr_core.admin] role has access to sensitive information. Remove the HR Administrator role from System Administrator [admin] role to help prevent the System Administrator from viewing sensitive HR information via forms, lists and UI.

    After granting access to a role, all the groups or users assigned to the role also have access. Roles can contain other roles, and grants access to any role that contains it.
    Note:
    IT System Administrators (admin) can still impersonate ServiceNow users. When impersonating a user with an HR scope-protected role, an admin cannot access features granted by that role unless the admin already possesses those HR scope-protected roles. For more information on impersonating a user, see Impersonate a user.

    HR Performance Analytics

    To configure the Performance Analytics (PA) dashboard, assign the Performance Analytics Administrator [pa_admin] role to the HR Administrator [sn_hr_core.admin] role.
    Note:
    Only the System Administrator [admin] can assign PA roles to employees.
    Table 1. Roles
    Role Description
    System Administrator [admin] Also known as admin and IT admin.

    Within the global scope of the application, has access to all system features, functions, and data, regardless of security constraints.

    • Grant users with the delegated developer role [delegated_developer].
    • Build export sets, move content between instances (development to production), and clone instances.
    • Run guided setup or modules to manage:

      Company-wide objects like user, departments, and locations.
    HR Administrator [sn_hr_core.admin]
    This role can:
    • Assign users any of the HR roles.
    • View and access the HR Service Portal.
    • View, create, and edit HR cases in HR Case Management.
    • Access and create HR tasks inside an HR case using the Add Task related link.
    • View, create, and edit HR profiles including sensitive information like salary.
    • Create HR profiles and generate for multiple users through custom criteria.
    • Associate any user to HR roles, groups, and skills.
    • View and access HR Administration.
    • View and access HR Dashboards & Reports.
    • Run Application View to manage:
      HR objects like HR roles and profiles.
      Note:
      When the Human Resources Scoped App: Core (com.sn_hr_core) and Lifecycle Events (com.sn_hr_lifecycle_events) plugins are active, the Lifecycle Admin (sn_hr_le.admin) role is part of HR Admin (sn_hr_core.admin).
    Delegated Developer [delegated_developer] When added to the HR Administrator role, can:
    • Access, and manage HR objects like HR profile, cases, groups, roles, service catalog objects, and Service Portal.
    • Modify HR application-related objects like skills, Knowledge Base, chat, notifications, surveys, reports, integrations, and SC.
    • Modify application structures like tables, business rules, and client-side validation,
    User with HR role There are specific HR roles that allow users access to specific areas of the system. For example, the HR profile reviewer [sn_hr_core.profile_reader] role can read profiles, but not edit them.

    After system configuration, to help prevent the System Administrator from accessing sensitive information:

    • Remove the HR Administrator [sn_hr_core.admin] role from System Administrator [admin].
      • The base system requires a user with the System Administrator role to run scheduled jobs. For details on HR scheduled jobs, see Components installed with Case and Knowledge Management.
      • To ensure the scheduled jobs run, change the user in the Run as field for each scheduled job to a user that has the HR admin role.
        Note:
        Changing the user allows the scheduled jobs to run, but only a user with the System Admin role can view and run a scheduled job on demand.
      • Change the scope of the application to Human Resources: Core application. For information on changing the scope, see Contextual development edit messages.
      • Reveal the Run as field. For information on revealing hidden fields on a form, see Configuring the form layout.
    • Log out and log back in to ensure that the changes take effect.
      Note:
      Ensure that you have completed setup before removing the HR Administrator role.
      Minimum number of scoped admins required
      System properties determine the minimum number (default is two) of scoped admins that must be active for an application.
      To list the properties, enter sys_properties.list in the filter navigator and search for the property to configure.
      The list of system properties and what scoped admin can access:
      System properties
      Table 2. Properties
      Property Name Scoped Admin
      sn_hr_core.min_admin_count HR admin [sn_hr_core.admin]
      sn_hr_ef.min_admin_count Employee Document Management admin [sn_hr_ef.admin]
      sn_hr_integrations.min_admin_count HR Integration Admin [sn_hr_integrations.admin]
      sn_hr_le.min_admin_count HR Lifecycle Event Admin [sn_hr_le.admin]
      sn_hr_le_pa.admin_count HR Lifecycle Event Performance Analytics Admin [sn_hr_le_pa.admin]
      sn_hr_pa.min_admin_count HR Performance Analytics Admin [sn_hr_pa.admin]
      sn_hr_pj.min_admin_count HR Parental Journey Admin [sn_hr_le_pj.admin]
      sn_hr_sp.min_admin_count HR Service Portal Admin [sn_hr_sp.admin]
      sn_hr_va.min_admin_count HR Virtual Agent Admin [sn_hr_va.admin]
      sn_templated_snip.min_admin_count Response Template Admin [sn_templated_snip.admin]
      sn_hr_ws.min_admin_count HR Agent Workspace Admin [sn_hr_ws.admin]