Manage HR roles

  • Release version: Xanadu
  • Updated August 1, 2024
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Manage HR roles

    The Manage HR roles guide explains how roles in the HR Service Delivery Scoped app control access to HR features and data within ServiceNow. Scoped HR roles restrict access to HR cases, profiles, and services so that only authorized HR staff and clients (employees, contractors, alumni, etc.) can view or modify sensitive HR information. This helps maintain data security and compliance within your HR application.

    Show full answer Show less

    Only users with the HR Administrator role (snhrcore.admin) can assign HR roles, and this role is initially contained within the System Administrator (admin) role. To protect sensitive HR data, it is recommended to remove the HR Administrator role from System Administrators after system configuration is complete.

    Key Features

    • Role-Based Access Control: Scoped roles define precise permissions for HR case workers, clients, and administrators, ensuring proper data protection.
    • HR Administrator Role: Grants comprehensive access to configure HR settings, assign roles, manage HR cases and profiles, and view HR dashboards and reports.
    • Delegated Developer Role: When combined with HR Administrator, enables HR admins to manage application objects, customize workflows, and modify HR-related application components.
    • Performance Analytics: Assign the Performance Analytics Administrator (paadmin) role to HR Administrators for managing HR dashboards, with role assignment restricted to System Administrators.
    • Scheduled Jobs: Scheduled HR jobs require a user with the HR Admin role to run; System Administrators can view/run these jobs on demand but should have HR roles removed post-setup.
    • Minimum Scoped Admins: System properties define the minimum number of scoped admins required per HR application component to ensure continuity and security.
    • HR Groups and Skills: Manage HR groups by job skills to facilitate proper assignment of HR cases and tasks, with escalation rules based on skills.
    • Client Roles: Control employee access to HR services based on licensing, location, or group membership to tailor service delivery.

    Practical Guidance for ServiceNow Customers

    • Log in as a System Administrator to configure HR roles initially, then assign and manage HR roles through the HR Administrator role.
    • After setup, remove the HR Administrator role from System Administrators to prevent unauthorized access to sensitive HR data.
    • Add the Delegated Developer role to HR Administrators if they need to perform application development or configuration tasks.
    • Ensure scheduled HR jobs run under a user with the HR Admin role to maintain operational integrity.
    • Use HR groups and skills management to automate case and task assignments effectively.
    • Leverage client roles to control who can access HR functionality, helping meet organizational and compliance needs.

    Roles control access to features and capabilities in modules in the HR application.

    The HR Service Delivery Scoped app can help prevent users outside of the HR organization from accessing HR data.

    Scoped roles for both HR case workers and HR clients (employees, contractors, alumni, and others) grant access to HR services. Users without an HR scoped role typically cannot view HR cases or HR profile information. For information on all the roles installed with Case and Knowledge Management plugin, see Components installed with Case and Knowledge Management.

    Only the HR Administrator [sn_hr_core.admin] can assign scoped HR roles.

    To configure your system, you must log in as a System Administrator [admin]. The HR Administrator [sn_hr_core.admin] role is contained in the System Administrator [admin] role. The combination of these two roles allows a user to perform all tasks associated with configuring your system.

    After system configuration, ensure that only the HR Administrator [sn_hr_core.admin] role has access to sensitive information. Remove the HR Administrator role from System Administrator [admin] role to help prevent the System Administrator from viewing sensitive HR information.

    After granting access to a role, all the groups or users assigned to the role also have access. Roles can contain other roles, and grants access to any role that contains it.
    Note:
    IT System Administrators (admin) can still impersonate ServiceNow users. When impersonating a user with a scoped HR role, an admin cannot access features granted by that role unless the admin already possesses those roles. For more information on impersonating a user, see Impersonate a user.

    HR Performance Analytics

    To configure the Performance Analytics (PA) dashboard, assign the Performance Analytics Administrator [pa_admin] role to the HR Administrator [sn_hr_core.admin] role.
    Note:
    Only the System Administrator [admin] can assign PA roles to employees.
    Table 1. Roles
    Role Description
    System Administrator [admin] Also known as admin and IT admin.

    Within the global scope of the application, has access to all system features, functions, and data, regardless of security constraints.

    • Grant users with the delegated developer role [delegated_developer].
    • Build export sets, move content between instances (development to production), and clone instances.
    • Run guided setup or modules to manage:

      Company-wide objects like user, departments, and locations.
    HR Administrator [sn_hr_core.admin]
    This role can:
    • Assign users any of the HR roles.
    • View and access the HR Service Portal.
    • View, create, and edit HR cases in HR Case Management.
    • Access and create HR tasks inside an HR case using the Add Task related link.
    • View, create, and edit HR profiles including sensitive information like salary.
    • Create HR profiles and generate for multiple users through custom criteria.
    • Associate any user to HR roles, groups, and skills.
    • View and access HR Administration.
    • View and access HR Dashboards & Reports.
    • Run Application View to manage:
      HR objects like HR roles and profiles.
      Note:
      When the Human Resources Scoped App: Core (com.sn_hr_core) and Lifecycle Events (com.sn_hr_lifecycle_events) plugins are active, the Lifecycle Admin (sn_hr_le.admin) role is part of HR Admin (sn_hr_core.admin).
    Delegated Developer [delegated_developer] When added to the HR Administrator role, can:
    • Access, and manage HR objects like HR profile, cases, groups, roles, service catalog objects, and Service Portal.
    • Modify HR application-related objects like skills, Knowledge Base, chat, notifications, surveys, reports, integrations, and SC.
    • Modify application structures like tables, business rules, and client-side validation,
    User with HR role There are specific HR roles that allow users access to specific areas of the system. For example, the HR profile reviewer [sn_hr_core.profile_reader] role can read profiles, but not edit them.

    After system configuration, to help prevent the System Administrator from accessing sensitive information:

    • Remove the HR Administrator [sn_hr_core.admin] role from System Administrator [admin].
      • The base system requires a user with the System Administrator role to run scheduled jobs. For details on HR scheduled jobs, see Components installed with Case and Knowledge Management.
      • To ensure the scheduled jobs run, change the user in the Run as field for each scheduled job to a user that has the HR admin role.
        Note:
        Changing the user allows the scheduled jobs to run, but only a user with the System Admin role can view and run a scheduled job on demand.
      • Change the scope of the application to Human Resources: Core application. For information on changing the scope, see Contextual development edit messages.
      • Reveal the Run as field. For information on revealing hidden fields on a form, see Configuring the form layout.
    • Log out and log back in to ensure that the changes take effect.
      Note:
      Ensure that you have completed setup before removing the HR Administrator role.
      Minimum number of scoped admins required
      System properties determine the minimum number (default is two) of scoped admins that must be active for an application.
      To list the properties, enter sys_properties.list in the filter navigator and search for the property to configure.
      The list of system properties and what scoped admin can access:
      System properties
      Table 2. Properties
      Property Name Scoped Admin
      sn_hr_core.min_admin_count HR admin [sn_hr_core.admin]
      sn_hr_ef.min_admin_count Employee Document Management admin [sn_hr_ef.admin]
      sn_hr_integrations.min_admin_count HR Integration Admin [sn_hr_integrations.admin]
      sn_hr_le.min_admin_count HR Lifecycle Event Admin [sn_hr_le.admin]
      sn_hr_le_pa.admin_count HR Lifecycle Event Performance Analytics Admin [sn_hr_le_pa.admin]
      sn_hr_pa.min_admin_count HR Performance Analytics Admin [sn_hr_pa.admin]
      sn_hr_pj.min_admin_count HR Parental Journey Admin [sn_hr_le_pj.admin]
      sn_hr_sp.min_admin_count HR Service Portal Admin [sn_hr_sp.admin]
      sn_hr_va.min_admin_count HR Virtual Agent Admin [sn_hr_va.admin]
      sn_templated_snip.min_admin_count Response Template Admin [sn_templated_snip.admin]
      sn_hr_ws.min_admin_count HR Agent Workspace Admin [sn_hr_ws.admin]