What is a Role?
A Role is a named permission set. ACLs reference roles — if a user has the role, they pass the role check on the ACL. Examples: itil, admin, catalog_admin, knowledge_admin.
Roles are hierarchical — a role can include other roles. The admin role includes virtually every other role in the system.
What is a Group?
A Group is an organisational container for users. Groups are used for: assignment (assigning incidents to a team), approval routing (approval group on Change), CMDB ownership.
Groups can have roles — any user in a group inherits the group's roles.
The key difference
Roles control access (can a user do something?). Groups organise people (who should handle this?).
A user can have a role directly, or inherit it from group membership. ACLs only check roles — they never check groups directly.
Assigning roles
Three ways:
- Directly on the user record: User > Roles tab
- Via group membership: Group > Roles tab → user inherits when added to group
- Via role inheritance: Role A includes Role B → user with Role A automatically has Role B
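The three assignment paths above, worked as an added example (constructed data, not ServiceNow code): a user's effective roles are resolved from direct roles, group roles and role inheritance, and an ACL-style check then consults only that role set, never the groups themselves. The sub-role itil_basic is hypothetical.

```javascript
// Added example (constructed data, not ServiceNow code): resolves a user's
// effective roles from all three assignment paths and runs an ACL-style
// role check that never consults groups directly.

// role -> roles it includes (role inheritance)
const roleContains = {
  admin: ['itil', 'catalog_admin', 'knowledge_admin'],
  itil: ['itil_basic'], // itil_basic is a hypothetical sub-role for this example
};
// group -> roles granted to every member of the group
const groupRoles = {
  'Network Team': ['itil'],
  'Knowledge Managers': ['knowledge_admin'],
};
// user -> direct roles and group memberships
const users = {
  alice: { roles: [], groups: ['Network Team'] },
  bob: { roles: ['catalog_admin'], groups: [] },
  carol: { roles: ['admin'], groups: [] },
};

// Expand roles through inheritance (transitive closure, cycle-safe).
function expandRoles(seed) {
  const result = new Set();
  const stack = [...seed];
  while (stack.length) {
    const role = stack.pop();
    if (result.has(role)) continue;
    result.add(role);
    for (const child of roleContains[role] || []) stack.push(child);
  }
  return result;
}

// Effective roles: direct roles plus roles of every group the user is in,
// all expanded through inheritance.
function effectiveRoles(userName) {
  const u = users[userName];
  const seed = [...u.roles];
  for (const g of u.groups) seed.push(...(groupRoles[g] || []));
  return expandRoles(seed);
}

// ACL-style check: true if the user holds ANY of the comma-separated roles
// (the same "either role" semantics as gs.hasRole('itil,admin')).
function passesRoleCheck(userName, roleList) {
  const have = effectiveRoles(userName);
  return roleList.split(',').some((r) => have.has(r.trim()));
}
```

alice passes an itil check purely through Network Team membership, and carol's single admin role expands to every role it includes.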
The itil role
The most commonly granted role. Gives access to create, update, and view ITSM records (incidents, problems, changes). Most service desk agents have this role via group membership.
Checking roles in scripts
gs.hasRole('itil'); // Does current user have itil role? Note: returns true for any user holding admin, whatever role is asked for
gs.hasRole('itil,admin'); // Has either role? A comma-separated list passes if the user has any of them
gs.getUser().hasRole('itil'); // Same as gs.hasRole for current user
Group membership in scripts
// Check if a user is in a specific group (sys_user_grmember holds group memberships)
var userId = gs.getUserID(); // sys_id of the current user; substitute any user's sys_id
var gr = new GlideRecord('sys_user_grmember');
gr.addQuery('user', userId);
gr.addQuery('group.name', 'Network Team'); // dot-walk to the group's name
gr.query();
var inGroup = gr.next(); // true if a membership record exists, i.e. the user is in the group