User hierarchy

  • Release version: Yokohama
  • Updated July 31, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of User hierarchy

    The user hierarchy feature in ServiceNow enables managers to view records of users who report to them, enhancing visibility into team activities. It is based on the configuration in thesysusertable and specifically maintained for Governance, Risk, and Compliance (GRC) tables. For example, managers can see the work submitted by their direct and indirect reports, supporting hierarchical data access across roles such as sales managers, VPs, and CEOs.

    Show full answer Show less

    Enabling User Hierarchy Functionality

    GRC administrators can enable user hierarchy through specific properties in the GRC properties module:

    • Enable user hierarchy access control: Activates the user hierarchy feature (off by default).
    • Frequency of user hierarchy recalculation: Controls how often the hierarchy data is recalculated (default is weekly; can be changed to daily or monthly).
    • Maximum batch size for recalculation: Sets the number of records processed per batch during recalculation (default is 1000).

    These properties ensure accurate and timely synchronization of user hierarchy data.

    Supported Tables and Configuration

    The user hierarchy functionality relies on several key tables:

    • sngrchierarchy: Stores the hierarchical relationships between users.
    • sngrcuserhierarchy: Displays user names, managerial hierarchy, and last sync details. Access is restricted to users with the sngrc.userhierarchyreader role.
    • sngrcuserhierarchyconfiguration: Contains configuration records for each table where user hierarchy access control is enabled. GRC administrators can create, update, or delete these records; users with the sngrc.userhierarchyadmin role can read and update them.

    The User hierarchy configuration module appears only after enabling the user hierarchy properties and lists all tables with this functionality activated.

    Access Control and Customization

    Default Access Control Lists (ACLs) for user hierarchy are provided within the GRC application and stored in the syssecurityacl table. These ACLs include conditions to verify if user hierarchy access control is enabled. Customers can create custom ACLs to tailor access controls based on their organizational requirements.

    Practical Application for ServiceNow Customers

    By enabling and configuring user hierarchy, managers gain visibility into the records and activities of their direct and indirect reports, improving oversight and reporting capabilities within GRC processes. Administrators should carefully configure recalculation frequency and batch size to balance performance and data freshness. Furthermore, applying proper ACLs ensures secure access that aligns with organizational roles and policies.

    With a user hierarchy, your managers can see the records of those users who report to them.

    The user hierarchy is based on the configuration in the sys_user table. The user hierarchy is stored separately for the GRC tables.

    To understand how a user hierarchy works, let's look at the following example. Users Abel and Jack report to Adam. Adam reports to Daniel. With a user hierarchy, Adam can view the work performed by Abel and Jack. Similarly, Daniel can view the work performed by Adam, Abel, and Jack.

    Let's see another example of a manager and a user hierarchy.
    Figure 1. Manager and user hierarchy
    Managers and their users' hierarchy.

    In this example, the sales manager can see the data that the sales team has submitted. The VP of sales can see the data or reports that are submitted by the sales managers and the sales team.

    The VP of service can see the data that is submitted by the service managers and the support team. The CEO of the organization can see the work performed by both sales and service teams.

    Enabling the properties for the user hierarchy functionality

    As a GRC administrator, you can enable the following properties under the GRC properties module in an instance.
    Table 1. User hierarchy properties
    Property Action
    Enable user hierarchy access control

    Enable the user hierarchy functionality by selecting the Yes option on the Enable user hierarchy access control property. This property is turned off by default. After you enable this property, you can also turn it off again.
    Frequency of user hierarchy recalculation

    Use the Frequency of user hierarchy recalculation property to calculate the user hierarchy for all the records in the sn_grc_user_hierarchy_configuration table. The property is set to Weekly by default.

    To calculate the user hierarchy for the records at different intervals, select sn_grc.user_hierarchy_sync_frequency and change the schedule from Weekly to Daily or Monthly.
    Maximum batch size while recalculating hierarchy for user hierarchy records

    Use the Maximum batch size while recalculating hierarchy for user hierarchy records property to process the records in a maximum batch size so that you can recalculate the user hierarchy of the records. This property is set to 1000 by default.

    To recalculate the user hierarchy of the records, select the property and update the maximum batch size to an integer value.
    Note:
    After you enable the user hierarchy properties, the user hierarchy functionality is supported only in certain sets of tables. You can learn more about these tables in the next section.

    Tables that are used to support the user hierarchy functionality

    The following tables are used to support the user hierarchy functionality.
    Table 2. Tables that are used to support the user hierarchy functionality
    Table Description
    sn_grc_hierarchy Table that maintains the hierarchy of the users.
    sn_grc_user_hierarchy Table that displays the name of the user, the managerial hierarchy, and the last synchronized details. As a user with the sn_grc.user_hierarchy_reader role, you can read the records in this table. No other user can manually create, update, or delete the records in this table.
    sn_grc_user_hierarchy_configuration Table that contains a separate record for each table where the user hierarchy access control is enabled. As a GRC administrator, you can manually create and delete the records in this table. As a user with the sn_grc.user_hierarchy_admin role, you can also read or update the records in this table.

    User hierarchy configurations module

    The User hierarchy configuration module is displayed in your instance only after you enable the user hierarchy properties. The User hierarchy configuration module, which is shown in the following example, lists the tables on which you have enabled the user hierarchy functionality.

    Figure 2. User hierarchy configuration module
    User hierarchy configuration module.

    Access control lists (ACLs): By default, a few access control lists are shipped with the GRC application, and they are stored in the sys_security_acl table. You can define a filter condition to check if the user hierarchy access control is enabled. You can create your own access control lists depending on your configuration and requirements.

    For information on how to configure the user hierarchy access control on your custom tables, see KB1095957.
    Note:
    You must log in to Now Support to view the Knowledge Base articles.