Granting approver_user role

pathat · ‎06-15-2015

Hello.

I have a system where users are being provisioned an account in ServiceNow (via the API) and I would like to give any new user that is a manager the approver_user role so that he can approve a request made by a user for whom is the manager. I have an approval workflow that adds the requesting user's manager to the list of approvers. How can I automate this upon user creation?

pathat · ‎06-23-2015

Hi.

I am not using an LDAP import to import new users: a user is provisioned from an external system using the API.

I think I can use the script you provided in a business rule attached to the sys_user table, which will be triggered on an insert or update of a user. I want to make sure I understand the script you provided:

1. It queries the sys_user_has_role table and retrieves the record for the manager of the user (which I assume is what the target object is?) to be inserted/updated;

2. If this record (the user's manager) already has the approval_user role, the rule is ignored;

3. However if the record does not have the approval_user role, it is added to the record

Did I get it right?

PS. Why does the syntax for adding the role say setDisplayValue? I find it a bit odd syntax for adding a role...

****************

UPDATE:

Thx for everybody's help. I developed and tested the following script which does the job:

// This function will be automatically called when this rule is processed.

function onAfter(current, previous) {

var roleName = 'approver_user';

try {

gs.addInfoMessage("DMSSP rule: executing my new rule");

// Check if manager field is filled

if (current.manager == '' || current.manager == null || typeof(current.manager) == undefined) {

gs.addInfoMessage("DMSSP rule: this user does not have a manager so exit the rule");

return;

}

gs.addInfoMessage("DMSSP rule: current.manager ID = " + current.manager);

var ourUser = gs.getUser();

ourUser = ourUser.getUserByID(current.manager);

gs.addInfoMessage("DMSSP rule: First Name = " + ourUser.getFirstName());

gs.addInfoMessage("DMSSP rule: Last Name = " + ourUser.getLastName());

gs.addInfoMessage("DMSSP rule: Display Name = " + ourUser.getDisplayName());

var role = new GlideRecord('sys_user_has_role');

role.addQuery('user', current.manager);

role.addQuery('role.name', roleName);

role.query();

if (role.next()) {

ignore='true';

gs.addInfoMessage("DMSSP rule: Manager already has the role, so ignore the rule!");

}

else {

gs.addInfoMessage("DMSSP rule: Manager does not have the role, so assign it now!");

role.initialize();

role.user = current.manager;

role.setDisplayValue('role', roleName);

role.insert();

}

} catch(ex) {

gs.addInfoMessage("DMSSP rule: Error in script: " + ex);

}

View solution in original post

Michael Ritchie · ‎06-15-2015

Tthis should be pretty straight forward, you just need some data point to know when an imported user is a manager. The following thread should give you an example how to accomplish it:

Auto Add Users To Role on LDAP Import

bernyalvarado · ‎06-15-2015

Hi Pat, one way of doing this could be by an insert/update business rule on the sys_user table that whenever a user is added as the manager of another one the assigned manager is granted the approver_user role.

Thanks,

Berny

pathat · ‎06-23-2015

Thank you Benny! This looks like a good way to go. Can you provide more details on how exactly I go about creating this business rule? I'm new to this but will be reading up on how to do this in the Wiki.

venkat2 · ‎06-23-2015

Hi

Use a onComplete transform script in the LDAP transform map for Managers

var grmem = new GlideRecord('sys_user_has_role');

grmem.addQuery('user',target.manager);

grmem.addQuery('role.name','approval_user');

grmem.query();

if(grmem.next())

{

ignore='true';

}

else

{

grmem.initialize();

grmem.user = target.manager;

grmem.setDisplayValue('role','approval_user');

grmem.insert();

}

This will make sure to add the role for the newly created manager accounts.