The Scenario
The quarterly access certification is due next week. The IT compliance team needs a sheet showing every ServiceNow user's full list of roles — both directly granted and inherited through group membership. Someone exported 50 user sys_ids into column A of a Google Sheet two days ago and then went on PTO. The certification report is not going to write itself.
The bad version:
- Open ServiceNow, search for the first sys_id, open the user record, navigate to the Roles tab, read off every role, navigate to the Groups tab, expand each group to see which roles it contributes, make a list, paste it into the sheet.
- Repeat 49 more times.
- Spend 30 minutes at the end wondering whether the roles you captured for user 23 included the ones from the "ITIL" group or whether you missed that tab.
Access certification is not a manual process. It became a manual process because nobody automated it.
The Easy Way: One Prompt in SheetXAI
SheetXAI is an AI agent that lives inside your Google Sheet. It reads the sys_id column, queries each user's full role set — direct and inherited — from ServiceNow, and writes the results back into the sheet.
For each user sys_id in column A, retrieve the full list of granted and inherited roles from ServiceNow and write them as a comma-separated list in column B
What You Get
- Column B populated with a comma-separated role list for each user sys_id in column A
- Both directly granted roles and group-inherited roles included in each list
- Users with no roles receive an empty cell or "NO ROLES" in column B
- The full batch completes in one operation
What If the Data Is Not Quite Ready
You need direct and inherited roles in separate columns for the certification template
The certification tool imports the data differently depending on grant type.
For each sys_id in column A, retrieve the ServiceNow user's directly granted roles and write them in column B, and retrieve the inherited group roles separately and write them in column C
Some sys_ids in column A are from deprovisioned users who are no longer in ServiceNow
The list was exported before some terminations were processed.
For each sys_id in column A, look up the user in ServiceNow — if the user record is active, retrieve their full role list and write it in column B; if the record is inactive or not found, write "DEPROVISIONED" in column B
You want to flag any user who has the "admin" role, directly or through a group
High-privilege access needs special notation in the certification.
For each sys_id in column A, retrieve the full role list from ServiceNow and write it in column B, then add "ADMIN ROLE DETECTED" in column C for any user whose role list includes the admin role
Full kill chain: split by grant type, flag admin, filter inactive, and sort for the certifier
For each sys_id in column A, check if the ServiceNow user is active — flag inactive ones "DEPROVISIONED" in column D — then retrieve direct roles and write in column B, inherited roles in column C, flag any user with the admin role in column D as "ADMIN REVIEW REQUIRED," and sort the output so admin-flagged rows appear first
The certification deliverable is complete without a single manual role-lookup.
Try It
Get the 7-day free trial of SheetXAI and open the Google Sheet with your user sys_id list, then ask it to pull the full role inheritance data from ServiceNow for all 50 rows. For looking up user details first, see the bulk-lookup-users spoke or return to the ServiceNow hub.