Find your people. Pick a challenge. Ship something real. The CreatorCon Hackathon is coming to the Community Pavilion for one epic night. Every skill level, every role welcome. Join us on May 5th and learn more here.

End the current users session via a flow

Moedeb
Tera Guru

yesterday

I have a catalog item that when submitted adds the user to a group in ServiceNow, that has a role associated to the group. 

What I need to do as part of the flow after the user is added to the group, is to end their current session so they need to reauthenticate and the new role can take effect.

 

In order to do this I created a custom flow action called "End user session" with an input of "user_sys_id"

This is the script I added:

(function execute(inputs, outputs) {

  if (!inputs.user_sys_id) {
    return;
  }

  // Get username from sys_id
  var u = new GlideRecord('sys_user');
  if (!u.get(inputs.user_sys_id)) {
    return;
  }

  // Force logout across nodes (all active sessions for this user)
  GlideSessions.lockOutSessionsInAllNodes(u.user_name.toString());

})(inputs, outputs);

 

I've added it to the flow and the user_sys_id is provided via a data pill from the requested_for field down to sys_id

 

It does not however appear to be working as I can see that the user is added to the group / role, however they still do not have the access when they navigate to what I need them to access. When I impersonate the same user after the flow has run I can see what they should be able to see but still can't.

So the access is working, but they don't appear to have gained a new session ID with the new role taking affect.

Is someone able to assist please?

0 Helpfuls
  • 270 Views
7 REPLIES 7

pr8172510
Giga Guru

yesterday

Hi,

Your approach is close, but the issue is that ending the session alone doesn’t always refresh roles immediately for the active user session.

 

  1. GlideSessions.lockOutSessionsInAllNodes() is correct, but:
    • It only invalidates the session
    • The user must perform a new request/login to get updated roles
  2. In practice, users may still appear logged in due to:
    • Browser session/caching
    • Sticky sessions/load balancer behavior
    • No immediate redirect to login page


After adding user to group:

  • End session (your script is fine)
  • Ask user to log out and log back in manually

Moedeb
Tera Guru
In response to pr8172510

3 hours ago

@pr8172510 thank you.

 

Is there a way to update the action script to actually simulate the user manually logging out?

We use SSO, so them logging back in is straightforward 

 

0 Helpfuls

pr8172510
Giga Guru
In response to Moedeb

2 hours ago

Hi,

You can keep your current script as it is  that part is correct.

Since ServiceNow doesn’t fully simulate a manual logout (especially with SSO), the simplest and recommended approach is to just inform the user after the flow completes.

 show a message like:
“Access updated. Please refresh or re-login to apply new roles.”

This ensures the user starts a new session and the updated roles take effect.

0 Helpfuls

vaishali231
Tera Guru

2 hours ago

Hey @Moedeb 

The behavior you’re experiencing is expected due to session caching and timing of role propagation in ServiceNow.
Even though the user is correctly added to the group and role, the active session continues to use cached role data, which is why the new access is not immediately reflected.
Approach
Option 1: Add delay + session termination
Do not rely only on session termination. You must ensure role propagation is completed before ending the session.
Step 1: Add delay in Flow
Add a Wait (2–5 seconds) after adding the user to the group
This allows group - role inheritance and cache update

Step 2: Use session kill + cache flush
Update your custom Flow Action script:

(function execute(inputs, outputs) {

if (!inputs.user_sys_id) {
return;
}
// Fetch user record
var userGR = new GlideRecord('sys_user');
if (!userGR.get(inputs.user_sys_id)) {
return;
}
var userName = userGR.user_name.toString();
// Ensure DB changes are committed before proceeding
gs.sleep(2000);
// Flush cache so new roles are picked up
gs.cacheFlush();

// Terminate all active sessions across nodes
GlideSessions.lockOutSessionsInAllNodes(userName);

})(inputs, outputs);

Option 2: User-driven logout (Better UX)
Instead of forcing logout silently:
Show message to user:
"Your access has been updated. Please log out and log back in."
Redirect user to logout:

window.location.href = "/logout.do";

This approach is more predictable and avoids browser/session inconsistencies.

Option 3: Avoid logout entirely
If your requirement allows, avoid session termination completely.

Use dynamic access checks instead of relying only on roles:

gs.getUser().isMemberOf('your_group')

***********************************************************************************************************************************
If this response helps, please mark it as Accept as Solution and Helpful.
Doing so helps others in the community and encourages me to keep contributing.
Regards
Vaishali Singh