Automating role and group removal

Phil O_shea
Mega Contributor

Hello Team,

I have been working on this today based on a current manual task I undertake weekly, which is tedious.

I have found lots of scripts that do similar things to what I need, but not quite what I am after.

I would like to run a scheduled task weekly, or a business rule, for a few scenarios:

1. Remove roles and group membership from an inactive user after 7 days.

        This would include a note in a variable on the user's record called 'u_notes' of the 'roles' that have been revoked.

2. Remove the 'itil' role based on 90 days from last_logon_time, with the exception of specific users, e.g. our 'vip = true' users (our CEO or bookies).

3. Expired (or expiring) itil licences to fire off a notification ((TAB) ITIL Licence Expiry Reminder) 2 weeks before expiry and on expiry ((TAB) ITIL Licence Expiry).

        The expiry email will be fired after the role has been removed.

Note: I don't want to delete the user record from within the group or roles, just remove them (keep the user record intact).

Any help or guidance is greatly appreciated.
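One way to implement the first requirement, plus the VIP-exception rule for the second, as an added example that is not part of the original post or any reply. It assumes `u_notes` is the custom string field named above, that `vip` and `last_login_time` are the standard sys_user fields, and that `sys_updated_on` can stand in for "inactive since"; the decision logic is kept in plain functions so it can be checked outside the instance.

```javascript
// Added example (not from the thread). Pure helpers hold the decision logic so
// they can be reviewed outside the instance; the GlideRecord work runs only
// when GlideRecord is defined, i.e. on the ServiceNow server.
// Assumptions: u_notes is the custom field from the post; vip and
// last_login_time are the standard sys_user fields.

// Requirement 2 rule: itil goes only for non-VIP users whose last login is
// older than the threshold; users with no login at all are left for review.
function isItilRevocationCandidate(user, thresholdDays) {
  if (user.vip) return false;
  if (user.daysSinceLogin === null) return false;
  return user.daysSinceLogin > thresholdDays;
}

// Audit line appended to u_notes instead of overwriting what is already there.
function formatRevokedNote(existing, roleNames, when) {
  var line = when + ' roles revoked by inactivity job: ' + roleNames.join(', ');
  return existing ? existing + '\n' + line : line;
}

// Removes only directly assigned roles and returns their names. inherited=false
// leaves group-granted rows alone; they go away when the membership is deleted.
function revokeDirectRoles(userSysId) {
  var names = [];
  var hr = new GlideRecord('sys_user_has_role');
  hr.addQuery('user', userSysId);
  hr.addQuery('inherited', false);
  hr.query();
  while (hr.next()) {
    names.push(hr.role.name.toString());
    hr.deleteRecord();
  }
  return names;
}

if (typeof GlideRecord !== 'undefined') {
  var usr = new GlideRecord('sys_user');
  // Requirement 1: users already flagged inactive and untouched for 7 days
  // (sys_updated_on is the assumed proxy for "inactive since").
  usr.addEncodedQuery('active=false^sys_updated_on<javascript:gs.daysAgoStart(7)');
  usr.query();
  while (usr.next()) {
    var revoked = revokeDirectRoles(usr.getUniqueValue());
    var grp = new GlideRecord('sys_user_grmember');
    grp.addQuery('user', usr.getUniqueValue());
    grp.deleteMultiple();
    usr.u_notes = formatRevokedNote(usr.u_notes.toString(), revoked, gs.nowDateTime());
    usr.setWorkflow(false); // audit write only; do not trigger user BRs
    usr.update();
  }
}
```

Run it as a scheduled script execution; the group membership is deleted after the direct roles are collected so the note lists only roles the job itself removed.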


Raghu Loganatha
Kilo Guru

Here is the raw script which I came up with. Test this thoroughly before taking this to prod, as this is a non-tested script.


/// This script will take care of your first requirement.

var count = 0;

var usr = new GlideRecord('sys_user');
usr.addEncodedQuery('last_login<javascript:gs.daysAgoStart(7)'); // users whose last login is more than 7 days ago
usr.query();

while (usr.next()) {
    count = count + 1;

    usr.u_notes = '###### Add your comments which you want to update on user record after revoking access';
    usr.setWorkflow(false); // This will make sure the BR's are not triggered
    usr.update();

    // Script to remove user from all the groups
    var grp = new GlideRecord('sys_user_grmember');
    grp.addQuery('user', usr.sys_id);
    grp.deleteMultiple();

    // Script to remove all roles of this user
    var role = new GlideRecord('sys_user_has_role'); // class name is GlideRecord (fixed typo)
    role.addQuery('user', usr.sys_id);
    role.deleteMultiple();
}



Please mark "Helpful" or "Answered" if this answers your question.


Thanks Raghu



Quick one: would it be better if this went something around the user being active instead of last logon, as some users may not log on for a couple of weeks due to leave?


Usually the session times out and forces the user to log in again after the session has timed out. This works even on SSO. If you have any other logic or requirement, let me know with the context for better understanding.


I don't think ours does have a timeout enabled, so I thought that if I base this script on the user's true/false flag then I could accurately remove the groups/roles without any headaches from still-active users.



Also, I would like to thank you for helping me out on this.