GlideUser.hasRole() doesn't check inherited roles?

JG6
Kilo Guru

Hello Community,

It looks like the hasRole() method of GlideUser only returns true when a user has the role directly assigned. Not when it is inherited by group membership.

Is that the correct behavior? If so, what's the best practice to check also the inherited roles?

THX

3 REPLIES

Shamma Negi
Kilo Sage

I checked: I have the ITIL role directly, whereas the user_criteria_admin role is an inherited role. I am getting true for both roles below. One is a direct role and the other is an inherited role.

var isItil = g_user.hasRole('itil');

var userc = g_user.hasRole('user_criteria_admin');

Response: True

Regards, Shamma Negi

AnirudhKumar
Mega Sage

That is strange.

The right behavior is that both gs.hasRole() and g_user.hasRole() check for directly assigned roles and inherited roles.

That is the reason gs.hasRole('<<any role>>') always returns true for a user with admin, because the admin role has every other role.

However, I propose an alternative. Query the User Roles table (sys_user_has_role).

Every role that the user was directly assigned or inherited would show up there.

JG6
Kilo Guru

I've found it. I don't know how it came to happen, but the inherited roles were not added to the users. I did what's described here https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0756472. When all the info messages filled the screen I knew it was fixed. 🙂

I was under the false impression group membership was checked each time it was checked whether a user has a role. Now it's clear only the generated role list is checked. And if that role list is out of date, then the role check will fail. The penny took a while to drop.

Bottom line: the .hasRole() method does include inherited roles. Provided they are added to the user.

thx for the replies
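
Added example, not part of the thread and not ServiceNow code: a plain JavaScript audit of the drift described above, comparing the roles that group membership should grant against the generated role list that hasRole() reads. It assumes rows exported from sys_user_grmember, sys_group_has_role and sys_user_has_role with display values in place of sys_ids; the sample rows are constructed, the function name findRoleDrift is hypothetical, and role containment (one role including another) is not modelled.

```javascript
// Constructed sample rows, shaped like exports of three ServiceNow tables.
const grMembers = [ // sys_user_grmember: who belongs to which group
  { user: 'abel.tuter', group: 'Service Desk' },
  { user: 'beth.anglin', group: 'Service Desk' },
];
const groupRoles = [ // sys_group_has_role: which roles a group grants
  { group: 'Service Desk', role: 'itil' },
];
const userRoles = [ // sys_user_has_role: the generated list role checks read
  { user: 'abel.tuter', role: 'itil', inherited: true },
  { user: 'beth.anglin', role: 'user_criteria_admin', inherited: false },
  { user: 'beth.anglin', role: 'catalog_admin', inherited: true },
];

// Returns "user|role" keys in two lists:
//   missing     - granted by a group but absent from the generated list,
//                 so a role check fails for a user who should pass it
//   unexplained - marked inherited but granted by none of the user's groups;
//                 containment is not modelled, so these need manual review
function findRoleDrift(grMembers, groupRoles, userRoles) {
  const rolesByGroup = new Map();
  for (const { group, role } of groupRoles) {
    if (!rolesByGroup.has(group)) rolesByGroup.set(group, new Set());
    rolesByGroup.get(group).add(role);
  }
  // Every user/role pair that group membership should produce.
  const expected = new Set();
  for (const { user, group } of grMembers) {
    for (const role of rolesByGroup.get(group) || []) {
      expected.add(`${user}|${role}`);
    }
  }
  const held = new Set(userRoles.map((r) => `${r.user}|${r.role}`));
  const missing = [...expected].filter((k) => !held.has(k)).sort();
  const unexplained = userRoles
    .filter((r) => r.inherited)
    .map((r) => `${r.user}|${r.role}`)
    .filter((k) => !expected.has(k))
    .sort();
  return { missing, unexplained };
}

console.log(findRoleDrift(grMembers, groupRoles, userRoles));
```

A non-empty missing list is the condition reported in the thread; an unexplained entry is the opposite risk, a role that outlived the membership that granted it.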