
on 06-01-2020 06:55 PM
Have you ever wondered if you could set a specific session timeout duration based on whether a user has a role? The use case would be, for example, wanting to allow users with no roles (end-users) to stay logged in for a long period of time, but wanting to make itil users time out after 15 minutes (to prevent exposure due to a walk-away).
Interesting question! There is no way out of the box but, with some effort, the answer is: Yes! You would set the system timeout to be the duration you want for end-users and then use the process below to "boot" idle itil users.
The process I've outlined uses a scheduled job that you run at certain intervals and checks the v_user_session table for logged in users. It then checks to see when the last transaction occurred for that user using the syslog_transaction table. If the last transaction is older than your threshold, then - it gives the user the boot!
You would need to tweak the process to keep performance from being an issue, depending on how many logged in users you have on average. You could run this as a scheduled job every minute, or you could adjust the timeout check to something like 10 minutes and then run the scheduled job every 5 minutes, etc.
Note, this line:
httpSession.setAttribute("locked_out", "true");
This is the same as if you were on the logged-in users list, opened a user and clicked the "lock out session" button. It does not lock the user out (it does not set locked to true); it just ends the session!
This example specifically excludes the admin user from the process (to prevent you from impacting the admin in a PDI) and only logs off users with the itil role. You can add additional roles and update the time users can stay logged in by adjusting the script (follow the comments).
//First pass: collect everyone who is currently logged in, except admin
var matches = [];
var li_users = new GlideRecord('v_user_session');
li_users.addQuery('user', '!=', 'admin');
li_users.query();
while (li_users.next()) {
    matches.push(li_users.getValue('user'));
}
//these are the users that matched the first pass
//Now lets see when the last transaction occurred
var matches2 = [];
var transactions = new GlideRecord('syslog_transaction');
for (var a = 0; a < matches.length; a++) {
    transactions = new GlideRecord('syslog_transaction');
    transactions.addEncodedQuery('client_transaction=true^sys_created_onRELATIVEGE@minute@ago@15^sys_created_by=' + matches[a]); //adjust the timeout period here
    transactions.query();
    if (transactions.next()) {
        //this means the user has logged a transaction within the window so consider him active
    } else {
        //otherwise, we move on to round 3
        matches2.push(matches[a].toString());
    }
}
//Here you need to define your criteria for users and check to see if they match
//If they match, they are about to be logged off!
//My Example is if the user has the role "itil"
var giveTheBoot = [];
var getRoles = new GlideRecord('sys_user_has_role');
for (var i = 0; i < matches2.length; i++) {
    gs.print('matches2=' + matches2[i]);
    getRoles = new GlideRecord('sys_user_has_role');
    getRoles.addQuery('user.user_name', matches2[i]);
    var roleCondition = getRoles.addQuery('role.name', 'itil'); //Define the role here for example
    //You can add additional roles with Or Conditions on the returned condition
    //(and extend the role check in the loop below to match)
    //roleCondition.addOrCondition('role.name', 'cmdb_read');
    getRoles.query();
    while (getRoles.next()) {
        if (getRoles.role.name.toString() === 'itil') {
            gs.print(getRoles.sys_id + i);
            giveTheBoot.push(matches2[i].toString());
        }
    }
}
//Final pass: end every live session that belongs to a user on the list
var sessions = GlideSessions.get().getLoggedInSessionList();
var sessionList = sessions.iterator();
while (sessionList.hasNext()) {
    var session = sessionList.next();
    for (var b = 0; b < giveTheBoot.length; b++) {
        if (session.getUser() == giveTheBoot[b]) {
            gs.print(session.getUser() + ' / ' + giveTheBoot[b]);
            var httpSession = session.getHS();
            //I know how this looks, but it does NOT lock the user out - just ends the session!
            httpSession.setAttribute("locked_out", "true");
        }
    }
}
Create a scheduled job that executes at your desired interval with the code above and...there it is!
It's a niche requirement, but one I thought was worth documenting.
If you found this article helpful or useful, please be kind and click appropriately. If you found it really useful, you could always use the 3-dot menu to bookmark it for later!
Michael Jones - Proud member of the CloudPires team!
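The job's three checks and the check-window versus job-interval trade-off described above, as an added example in plain JavaScript that is not part of the original article and runs outside an instance. The function names, record shapes and user names are assumptions; on an instance the inputs would come from v_user_session, syslog_transaction and sys_user_has_role.

```javascript
// Added example (not the article's code): the scheduled job's decision logic
// as pure functions, so thresholds can be tested before touching live sessions.
const MIN = 60 * 1000;

// sessions: [{user}]; lastTx: {user: epoch ms of last client transaction};
// roles: {user: [role names]}. Returns the user names whose sessions should end.
// Roles are checked before activity here; the result is the same as the article's order.
function selectIdleUsers(sessions, lastTx, roles, cfg) {
  const cutoff = cfg.now - cfg.idleMinutes * MIN;
  const out = new Set(); // a user with several sessions is listed once
  for (const s of sessions) {
    if (cfg.exclude.includes(s.user)) continue; // e.g. admin
    const held = roles[s.user] || [];
    if (!held.some((r) => cfg.timedRoles.includes(r))) continue; // end-users keep the system timeout
    const last = lastTx[s.user];
    // No transaction on record, or one older than the cutoff, counts as idle.
    if (last === undefined || last < cutoff) out.add(s.user);
  }
  return [...out].sort();
}

// Idle time (minutes) at which a job running every `interval` minutes first
// treats a user as idle, given the minute of their last transaction.
function idleAtLogoff(lastActivity, idleMinutes, interval) {
  let run = Math.ceil(lastActivity / interval) * interval; // first run at or after the activity
  while (run - lastActivity <= idleMinutes) run += interval; // a transaction exactly on the boundary still counts as active
  return run - lastActivity;
}

// Constructed sample data.
const now = Date.UTC(2020, 5, 1, 12, 0, 0);
const sessions = [{ user: 'admin' }, { user: 'end.user' }, { user: 'itil.idle' },
  { user: 'itil.idle' }, { user: 'itil.busy' }, { user: 'itil.notx' }];
const lastTx = { admin: now - 40 * MIN, 'end.user': now - 90 * MIN,
  'itil.idle': now - 16 * MIN, 'itil.busy': now - 2 * MIN };
const roles = { admin: ['admin', 'itil'], 'itil.idle': ['itil'],
  'itil.busy': ['itil'], 'itil.notx': ['itil'] };
const cfg = { now, idleMinutes: 15, timedRoles: ['itil'], exclude: ['admin'] };

console.log(selectIdleUsers(sessions, lastTx, roles, cfg));
// With a 10-minute check and a 5-minute job, a walk-away session can live ~15 minutes.
console.log(idleAtLogoff(0.5, 10, 5), idleAtLogoff(0, 10, 5));
```

The effective maximum idle time is the check window plus the job interval, so size the window to the exposure you are willing to accept minus the interval.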
Hi, but this does not work on all nodes, only the one in which you are logged in.
I was working on something similar and used the sys_user_session list to get all active users, and then GlideSessions.lockOutSessionsInAllNodes("username"); to lock them out.