Remove roles and groups on active status on user

NikolaTesla
Tera Expert

Hello ServiceNow Community,

I’m looking for assistance with automating the removal of roles and groups for users who are no longer active, based on their user record (CostPoint Status). The process I want to implement is as follows:

  • The automation should check the user’s CostPoint Status field. If the status is 'Inactive' or blank, all roles and groups should be removed from the user’s record.
  • If the user's employee type is 'Service account,' 'Regular,' or 'Reg,' their roles and groups should remain unaffected, even if the CostPoint Status is 'Inactive.'
  • The scheduled job should run nightly.

I’m looking to implement this through a scheduled job in Flow Designer or using a script. Does anyone have experience setting up a similar automation or have advice on the best approach to achieve this?

2 ACCEPTED SOLUTIONS

Akshay03
Kilo Sage

You can use the following script to remove the group when the user is inactive, hoping you've added roles using the groups.
So once the group is removed, roles will be removed automatically.
Note: Change active to the CostPoint Status backend name.

var userSysIdArr = [];
var grUser = new GlideRecord('sys_user');
// Skip the exempt account types
grUser.addEncodedQuery('u_account_typeNOT INService account,Regular,Reg');
// Inactive or empty; replace 'active' with the CostPoint Status backend name
grUser.addQuery('active', false).addOrCondition('active', '');
grUser.query();
while (grUser.next()) {
    userSysIdArr.push(grUser.getValue('sys_id'));
}
gs.info('User sys_id array: ' + userSysIdArr);
for (var i = 0; i < userSysIdArr.length; i++) {
    // New GlideRecord per user so query conditions do not accumulate across iterations
    var grGroupMember = new GlideRecord('sys_user_grmember');
    grGroupMember.addQuery('user', userSysIdArr[i]);
    grGroupMember.query();
    while (grGroupMember.next()) {
        var groupSysId = grGroupMember.getValue('group'); // read before the row is deleted
        grGroupMember.deleteRecord();
        gs.info('Removed user with sys_id: ' + userSysIdArr[i] + ' from group: ' + groupSysId);
    }
}

Sandeep Rajput
Tera Patron

@NikolaTesla Here is the scheduled job script which you can use to remove the roles and groups from the user based on the requirements you outlined.

// Query for users with an inactive or blank CostPoint Status
var userGr = new GlideRecord('sys_user');
userGr.addEncodedQuery("u_costpoint_status=Inactive^ORu_costpoint_statusISNULL"); // Replace 'u_costpoint_status' with your actual field name
userGr.query();

while (userGr.next()) {
    // Check the employee type before proceeding
    var employeeType = userGr.u_employee_type.toString(); // Replace 'u_employee_type' with your field name
    if (employeeType == 'Service account' || employeeType == 'Regular' || employeeType == 'Reg') {
        continue; // Skip users with these employee types
    }

    // Remove all roles
    var roleGr = new GlideRecord('sys_user_has_role');
    roleGr.addQuery('user', userGr.sys_id);
    roleGr.query();
    while (roleGr.next()) {
        roleGr.deleteRecord(); // Delete each role
    }

    // Remove all group memberships
    var groupGr = new GlideRecord('sys_user_grmember');
    groupGr.addQuery('user', userGr.sys_id);
    groupGr.query();
    while (groupGr.next()) {
        groupGr.deleteRecord(); // Delete each group membership
    }
}

Please make sure to schedule this scheduled job at midnight; also check this script via a background script before creating the scheduled job.

Hope this helps.

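
A dry-run sketch of the selection rule discussed in this thread, added here as an example (not code from either poster): plain JavaScript with no GlideRecord calls, run over constructed sample rows, listing what a job would remove before anything is deleted. The function names, the trimming and case-insensitive matching, and the choice to list only non-inherited role rows (group-granted roles go away with the group) are assumptions of this example; the field names are the placeholders used above.

```javascript
// Added example: plain JavaScript, no GlideRecord, so it runs outside an instance.
// Field names (u_costpoint_status, u_employee_type) are the placeholders used in the thread.
var EXEMPT_TYPES = ['service account', 'regular', 'reg'];

function norm(value) {
    // Treat null, undefined and whitespace-only values as blank.
    return (value === null || value === undefined) ? '' : String(value).trim().toLowerCase();
}

function shouldDeprovision(user) {
    var status = norm(user.u_costpoint_status);
    if (status !== '' && status !== 'inactive') {
        return false; // any other status keeps access
    }
    // Exempt employee types keep access even when the status is Inactive or blank.
    return EXEMPT_TYPES.indexOf(norm(user.u_employee_type)) === -1;
}

function planRemoval(users, memberships, roles) {
    var targets = {};
    users.filter(shouldDeprovision).forEach(function (u) { targets[u.sys_id] = true; });
    return {
        users: Object.keys(targets).sort(),
        // Every group membership of a targeted user goes.
        memberships: memberships.filter(function (m) { return targets[m.user]; }),
        // Only directly granted roles are listed; inherited ones go with the group.
        roles: roles.filter(function (r) { return targets[r.user] && !r.inherited; })
    };
}

// Constructed sample rows (not real data).
var sampleUsers = [
    { sys_id: 'u1', u_costpoint_status: 'Inactive', u_employee_type: 'Contractor' },
    { sys_id: 'u2', u_costpoint_status: '', u_employee_type: 'Intern' },
    { sys_id: 'u3', u_costpoint_status: 'Inactive', u_employee_type: 'Service account' },
    { sys_id: 'u4', u_costpoint_status: 'Active', u_employee_type: 'Contractor' },
    { sys_id: 'u5', u_costpoint_status: null, u_employee_type: 'reg ' }
];
var sampleMemberships = [
    { user: 'u1', group: 'g1' }, { user: 'u3', group: 'g1' }, { user: 'u4', group: 'g2' }
];
var sampleRoles = [
    { user: 'u1', role: 'itil', inherited: true },
    { user: 'u2', role: 'approver_user', inherited: false },
    { user: 'u3', role: 'admin', inherited: false }
];

var plan = planRemoval(sampleUsers, sampleMemberships, sampleRoles);
console.log(JSON.stringify(plan, null, 2));
```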

6 REPLIES

Will do!!! thank you Akshay03

Thank you. Let me give this a try. I appreciate everyone's help.