End the current users session via a flow
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yesterday
I have a catalog item that when submitted adds the user to a group in ServiceNow, that has a role associated to the group.
What I need to do as part of the flow after the user is added to the group, is to end their current session so they need to reauthenticate and the new role can take effect.
In order to do this I created a custom flow action called "End user session" with an input of "user_sys_id"
This is the script I added:
(function execute(inputs, outputs) {
if (!inputs.user_sys_id) {
return;
}
// Get username from sys_id
var u = new GlideRecord('sys_user');
if (!u.get(inputs.user_sys_id)) {
return;
}
// Force logout across nodes (all active sessions for this user)
GlideSessions.lockOutSessionsInAllNodes(u.user_name.toString());
})(inputs, outputs);
I've added it to the flow and the user_sys_id is provided via a data pill from the requested_for field down to sys_id
It does not however appear to be working as I can see that the user is added to the group / role, however they still do not have the access when they navigate to what I need them to access. When I impersonate the same user after the flow has run I can see what they should be able to see but still can't.
So the access is working, but they don't appear to have gained a new session ID with the new role taking affect.
Is someone able to assist please?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yesterday
Hi,
Your approach is close, but the issue is that ending the session alone doesn’t always refresh roles immediately for the active user session.
- GlideSessions.lockOutSessionsInAllNodes() is correct, but:
- It only invalidates the session
- The user must perform a new request/login to get updated roles
- In practice, users may still appear logged in due to:
- Browser session/caching
- Sticky sessions/load balancer behavior
- No immediate redirect to login page
After adding user to group:
- End session (your script is fine)
- Ask user to log out and log back in manually
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
an hour ago
@pr8172510 thank you.
Is there a way to update the action script to actually simulate the user manually logging out?
We use SSO, so them logging back in is straightforward
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
59m ago
Hi,
You can keep your current script as it is that part is correct.
Since ServiceNow doesn’t fully simulate a manual logout (especially with SSO), the simplest and recommended approach is to just inform the user after the flow completes.
show a message like:
“Access updated. Please refresh or re-login to apply new roles.”
This ensures the user starts a new session and the updated roles take effect.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
an hour ago
Hey @Moedeb
The behavior you’re experiencing is expected due to session caching and timing of role propagation in ServiceNow.
Even though the user is correctly added to the group and role, the active session continues to use cached role data, which is why the new access is not immediately reflected.
Approach
Option 1: Add delay + session termination
Do not rely only on session termination. You must ensure role propagation is completed before ending the session.
Step 1: Add delay in Flow
Add a Wait (2–5 seconds) after adding the user to the group
This allows group - role inheritance and cache update
Step 2: Use session kill + cache flush
Update your custom Flow Action script:
(function execute(inputs, outputs) {
if (!inputs.user_sys_id) {
return;
}
// Fetch user record
var userGR = new GlideRecord('sys_user');
if (!userGR.get(inputs.user_sys_id)) {
return;
}
var userName = userGR.user_name.toString();
// Ensure DB changes are committed before proceeding
gs.sleep(2000);
// Flush cache so new roles are picked up
gs.cacheFlush();
// Terminate all active sessions across nodes
GlideSessions.lockOutSessionsInAllNodes(userName);
})(inputs, outputs);Option 2: User-driven logout (Better UX)
Instead of forcing logout silently:
Show message to user:
"Your access has been updated. Please log out and log back in."
Redirect user to logout:
window.location.href = "/logout.do";This approach is more predictable and avoids browser/session inconsistencies.
Option 3: Avoid logout entirely
If your requirement allows, avoid session termination completely.
Use dynamic access checks instead of relying only on roles:
gs.getUser().isMemberOf('your_group')***********************************************************************************************************************************
If this response helps, please mark it as Accept as Solution and Helpful.
Doing so helps others in the community and encourages me to keep contributing.
Regards
Vaishali Singh
