3 weeks ago
I have a catalog item that when submitted adds the user to a group in ServiceNow, that has a role associated to the group.
What I need to do as part of the flow after the user is added to the group, is to end their current session so they need to reauthenticate and the new role can take effect.
In order to do this I created a custom flow action called "End user session" with an input of "user_sys_id"
This is the script I added:
    (function execute(inputs, outputs) {
        if (!inputs.user_sys_id) {
            return;
        }
        // Get username from sys_id
        var u = new GlideRecord('sys_user');
        if (!u.get(inputs.user_sys_id)) {
            return;
        }
        // Force logout across nodes (all active sessions for this user)
        GlideSessions.lockOutSessionsInAllNodes(u.user_name.toString());
    })(inputs, outputs);
I've added it to the flow and the user_sys_id is provided via a data pill from the requested_for field down to sys_id.
It does not however appear to be working as I can see that the user is added to the group / role, however they still do not have the access when they navigate to what I need them to access. When I impersonate the same user after the flow has run I can see what they should be able to see but still can't.
So the access is working, but they don't appear to have gained a new session ID with the new role taking effect.
Is someone able to assist please?
3 weeks ago
Hey @Moedeb
The key clarification is:
- Logout is only required if your access is role-based (gs.hasRole)
- If you move to group-based access (gs.getUser().isMemberOf), then logout is NOT required

1. Do you actually need logout?

Option 3 (Preferred): Avoid logout completely
Instead of relying on roles, use group-based checks.
Replace role checks like:
    gs.hasRole('your_role')
With:
    gs.getUser().isMemberOf('your_group_name')

Where to apply this
- ACL scripts
- Business rules / Script Includes
- UI logic where applicable

Why this works better
- Group membership is evaluated dynamically
- No dependency on session refresh
- No forced logout required
- More stable and scalable design

If you must keep role-based access
Then logout is unavoidable.
This is because:
- ServiceNow caches roles in the user session
- They are not re-evaluated during an active session

In your case
- Your 10-second wait is already correct
- Your session kill approach is also correct
However:
- Behavior can still vary due to browser/session caching
- Which is why logout + redirect is typically required for consistency

2. What is actually needed (if using roles)

To make it reliable, you need:
- Role assignment completed (your wait handles this)
- Cache refreshed
- Session terminated
- Client-side logout/redirect (critical piece)

3. Redirecting user to Dashboard after Catalog Submit

Important
- Flow Designer cannot handle redirects (server-side only)
- Redirect must be handled on the client side
Service Portal
Simple approach
    function onSubmit() {
        setTimeout(function() {
            window.location.href = "/sp?id=your_dashboard_page";
        }, 3000);
    }
More controlled approach
    function onSubmit() {
        sessionStorage.setItem('redirect_after_submit', 'true');
    }
Then in a widget or page script:
    if (sessionStorage.getItem('redirect_after_submit') === 'true') {
        sessionStorage.removeItem('redirect_after_submit');
        window.location.href = "/sp?id=your_dashboard_page";
    }
Classic UI (if applicable)
    window.location = "/your_dashboard.do";

Final Recommendation
- If possible - move to group-based access (no logout needed)
- If roles must be used - your current Flow + session handling is correct, but you must add client-side redirect/logout
- Handle all redirects in client layer, not Flow Designer
********************************************************************************************************************
If this response helps, please mark it as Accept as Solution and Helpful.
Doing so helps others in the community and encourages me to keep contributing.
Regards
Vaishali Singh
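
The difference between session-cached role checks and live group checks described in the answer above, as a small JavaScript model. This is an added example, not part of the original post and not ServiceNow code; every function name, the group `access_group` and the role `special_role` are hypothetical.

```javascript
// Toy model (added example, not ServiceNow code): roles are copied into the
// session at login; group membership is looked up live on every check.
const groupRoles = { access_group: ['special_role'] }; // constructed sample data
const memberships = new Map();                         // user -> Set of group names
const sessions = [];
const groupsOf = user => memberships.get(user) || new Set();

function rolesFor(user) {
  return new Set([...groupsOf(user)].flatMap(g => groupRoles[g] || []));
}

function addToGroup(user, group) {
  memberships.set(user, new Set([...groupsOf(user), group]));
}

function login(user) {
  const s = { user, roles: rolesFor(user), valid: true }; // snapshot taken here
  sessions.push(s);
  return s;
}

// Role check: answered from the snapshot taken at login.
function hasRole(session, role) {
  return session.valid && session.roles.has(role);
}

// Group check: consults current membership, so no new session is needed.
function isMemberOf(session, group) {
  return session.valid && groupsOf(session.user).has(group);
}

// Models ending every session of one user; their next request must log in again.
function lockOutSessions(user) {
  const live = sessions.filter(s => s.user === user && s.valid);
  live.forEach(s => { s.valid = false; });
  return live.length;
}

function scenario() {
  memberships.clear(); sessions.length = 0;
  const before = login('sample.user');
  addToGroup('sample.user', 'access_group');
  const result = { staleRole: hasRole(before, 'special_role'),
                   liveGroup: isMemberOf(before, 'access_group') };
  result.ended = lockOutSessions('sample.user');
  result.oldSessionValid = before.valid;
  result.freshRole = hasRole(login('sample.user'), 'special_role');
  return result;
}
console.log(scenario());
```

In the model, the session opened before the group change fails the role check but passes the group check, and only a session created after the lock-out carries the new role.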
3 weeks ago
Hi,
Your approach is close, but the issue is that ending the session alone doesn’t always refresh roles immediately for the active user session.
- GlideSessions.lockOutSessionsInAllNodes() is correct, but:
- It only invalidates the session
- The user must perform a new request/login to get updated roles
- In practice, users may still appear logged in due to:
- Browser session/caching
- Sticky sessions/load balancer behavior
- No immediate redirect to login page
After adding user to group:
- End session (your script is fine)
- Ask user to log out and log back in manually
3 weeks ago
@pr8172510 thank you.
Is there a way to update the action script to actually simulate the user manually logging out?
We use SSO, so them logging back in is straightforward.
3 weeks ago
Hi,
You can keep your current script as it is; that part is correct.
Since ServiceNow doesn’t fully simulate a manual logout (especially with SSO), the simplest and recommended approach is to just inform the user after the flow completes.
Show a message like:
“Access updated. Please refresh or re-login to apply new roles.”
This ensures the user starts a new session and the updated roles take effect.
3 weeks ago
Hey @Moedeb
The behavior you’re experiencing is expected due to session caching and timing of role propagation in ServiceNow.
Even though the user is correctly added to the group and role, the active session continues to use cached role data, which is why the new access is not immediately reflected.
Approach
Option 1: Add delay + session termination
Do not rely only on session termination. You must ensure role propagation is completed before ending the session.

Step 1: Add delay in Flow
- Add a Wait (2–5 seconds) after adding the user to the group
- This allows group - role inheritance and cache update

Step 2: Use session kill + cache flush
Update your custom Flow Action script:
    (function execute(inputs, outputs) {
        if (!inputs.user_sys_id) {
            return;
        }
        // Fetch user record
        var userGR = new GlideRecord('sys_user');
        if (!userGR.get(inputs.user_sys_id)) {
            return;
        }
        var userName = userGR.user_name.toString();
        // Ensure DB changes are committed before proceeding
        gs.sleep(2000);
        // Flush cache so new roles are picked up
        gs.cacheFlush();
        // Terminate all active sessions across nodes
        GlideSessions.lockOutSessionsInAllNodes(userName);
    })(inputs, outputs);

Option 2: User-driven logout (Better UX)
Instead of forcing logout silently:
Show message to user:
"Your access has been updated. Please log out and log back in."
Redirect user to logout:
    window.location.href = "/logout.do";
This approach is more predictable and avoids browser/session inconsistencies.

Option 3: Avoid logout entirely
If your requirement allows, avoid session termination completely.
Use dynamic access checks instead of relying only on roles:
    gs.getUser().isMemberOf('your_group')
***********************************************************************************************************************************
If this response helps, please mark it as Accept as Solution and Helpful.
Doing so helps others in the community and encourages me to keep contributing.
Regards
Vaishali Singh
