User hierarchy
Summarize
Summary of User hierarchy
The user hierarchy feature in ServiceNow allows managers to view records of their direct and indirect reports, facilitating oversight and management of team activities. It is based on the user relationships configured in thesysusertable and is separately maintained for GRC tables. For example, a manager can see the work performed by their direct reports and those further down the chain, such as a sales manager viewing their sales team’s data or a CEO seeing work across departments.
Show less
Enabling User Hierarchy
GRC administrators can enable user hierarchy functionality via properties in the GRC properties module. Key properties include:
- Enable user hierarchy access control: Turns on user hierarchy access; disabled by default.
- Frequency of user hierarchy recalculation: Controls how often the hierarchy is recalculated (default is weekly, configurable to daily or monthly).
- Maximum batch size while recalculating: Limits the number of records processed per batch during recalculation (default is 1000).
These settings ensure the user hierarchy is maintained accurately and efficiently.
Supporting Tables and Roles
The user hierarchy functionality relies on specific tables:
- sngrchierarchy: Stores user hierarchy data.
- sngrcuserhierarchy: Displays user names, managerial chains, and synchronization info. Accessible for reading by users with sngrc.userhierarchyreader role only; records cannot be manually modified.
- sngrcuserhierarchyconfiguration: Contains configuration records per table where hierarchy access is enabled. GRC admins with sngrc.userhierarchyadmin role can create, update, and delete these records.
User Hierarchy Configuration and Access Control
Once enabled, the User Hierarchy Configuration module becomes available, listing tables where user hierarchy is active. Access control lists (ACLs) shipped with GRC govern permissions and can be customized as needed to enforce hierarchy-based access. Administrators can also configure user hierarchy access control on custom tables to tailor visibility according to organizational needs.
Practical Application
By creating user hierarchy configuration records for tables, you enable managers to view records of their direct and indirect reports, improving transparency and operational oversight within your organization. This feature is particularly valuable in large teams and complex organizational structures where hierarchical visibility supports effective governance and decision-making.
With a user hierarchy, your managers can see the records of those users who report to them.
The user hierarchy is based on the configuration in the sys_user table. The user hierarchy is stored separately for the GRC tables.
To understand how a user hierarchy works, let's look at the following example. Users Abel and Jack report to Adam. Adam reports to Daniel. With a user hierarchy, Adam can view the work performed by Abel and Jack. Similarly, Daniel can view the work performed by Adam, Abel, and Jack.
In this example, the sales manager can see the data that the sales team has submitted. The VP of sales can see the data or reports that are submitted by the sales managers and the sales team.
The VP of service can see the data that is submitted by the service managers and the support team. The CEO of the organization can see the work performed by both sales and service teams.
Enabling the properties for the user hierarchy functionality
| Property | Action |
|---|---|
| Enable user hierarchy access control |
Enable the user hierarchy functionality by selecting the Yes option on the Enable user hierarchy access control property. This property is turned off by default. After you enable this property, you can also turn it off again. |
| Frequency of user hierarchy recalculation |
Use the Frequency of user hierarchy recalculation property to calculate the user hierarchy for all the records in the sn_grc_user_hierarchy_configuration table. The property is set to Weekly by default. To calculate the user hierarchy for the records at different intervals, select sn_grc.user_hierarchy_sync_frequency and change the schedule from Weekly to Daily or Monthly. |
| Maximum batch size while recalculating hierarchy for user hierarchy records |
Use the Maximum batch size while recalculating hierarchy for user hierarchy records property to process the records in a maximum batch size so that you can recalculate the user hierarchy of the records. This property is set to 1000 by default. To recalculate the user hierarchy of the records, select the property and update the maximum batch size to an integer value. |
Tables that are used to support the user hierarchy functionality
| Table | Description |
|---|---|
| sn_grc_hierarchy | Table that maintains the hierarchy of the users. |
| sn_grc_user_hierarchy | Table that displays the name of the user, the managerial hierarchy, and the last synchronized details. As a user with the sn_grc.user_hierarchy_reader role, you can read the records in this table. No other user can manually create, update, or delete the records in this table. |
| sn_grc_user_hierarchy_configuration | Table that contains a separate record for each table where the user hierarchy access control is enabled. As a GRC administrator, you can manually create and delete the records in this table. As a user with the sn_grc.user_hierarchy_admin role, you can also read or update the records in this table. |
User hierarchy configurations module
The User hierarchy configuration module is displayed in your instance only after you enable the user hierarchy properties. The User hierarchy configuration module, which is shown in the following example, lists the tables on which you have enabled the user hierarchy functionality.
Access control lists (ACLs): By default, a few access control lists are shipped with the GRC application, and they are stored in the sys_security_acl table. You can define a filter condition to check if the user hierarchy access control is enabled. You can create your own access control lists depending on your configuration and requirements.