How can I assign a specific role to a newly created user by LDAP import

PriyanshuVerma1
Tera Expert

There is a transform map in ServiceNow, "LDAP USERS", which creates a new user or updates a user in the user table. This transform map runs every few minutes in ServiceNow. There are a few transform scripts attached to this transform map.

I was thinking of using an onComplete() transform script to add the role to the user created via the transform map.

But I was also thinking of using a business rule that triggers after an insert action on the sys_user table.

This is the business logic:

 

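(function executeRule(current, previous /*null when async*/) {
    // Users created via the LDAP transform map have a source value starting with "ldap"
    if (current.source.toString().indexOf('ldap') === 0) {
        // Assign the desired role to the user
        var roleName = 'demo_role';
        var role = new GlideRecord('sys_user_role');
        if (role.get('name', roleName)) {
            // GlideRecord has no addRole(); role grants are rows in sys_user_has_role
            var userRole = new GlideRecord('sys_user_has_role');
            userRole.initialize();
            userRole.user = current.sys_id;
            userRole.role = role.sys_id;
            userRole.insert();
        }
    }
})(current, previous);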

 

I would like to have everyone's view on which is the more efficient approach performance-wise, as the LDAP transform runs every few minutes.

 

1 ACCEPTED SOLUTION

Hi @PriyanshuVerma1 

Oops! Feel free to choose any of those. 😋 I just provided you with various approaches.

 

Cheers,

Tai Vu

5 REPLIES

Tai Vu
Kilo Patron

Hi @PriyanshuVerma1 

At the line where you're inserting a new user in your transform map, you can check if the insertion is successful and then proceed to grant the role to that user.

If you're opting for a Business Rule, ensure that the rule is triggered only when the user is created from the LDAP data source.

 

Cheers,

Tai Vu

Hey,

 

Can you tell me how to check when the transform is inserting a new user? It just uses the coalesce field to do this, I believe; no code is used.

Hi @PriyanshuVerma1 

Okay. There you go!

Before you begin: Try to avoid granting a role directly to users. Consider adding the role to a specific group and adding users to that group so they inherit the role.

#onAfter Script


 

(function runTransformScript(source, map, log, target /*undefined onStart*/ ) {

    if (action == "insert") {
        var grMember = new GlideRecord('sys_user_grmember');
        grMember.initialize();
        grMember.user = target.sys_id;
        grMember.group = '1f6fdc48473a71d0ab9bb6bf016d43b8'; // replace with your group sys_id
        grMember.insert();
    }

})(source, map, log, target);

 

 

#onComplete


 

(function runTransformScript(source, map, log, target /*undefined onStart*/ ) {

    var user_ids = [];
    var grImportSet = new GlideRecord('sys_import_set_row');
    grImportSet.addQuery('sys_import_set', source.sys_import_set);
    grImportSet.addQuery('sys_import_state', 'inserted');
    grImportSet.addNotNullQuery('sys_target_sys_id');
    grImportSet.query();
    while (grImportSet.next()) {
        user_ids.push(grImportSet.getValue('sys_target_sys_id'));
    }

    for (var i = 0; i < user_ids.length; i++) {
        var grMember = new GlideRecord('sys_user_grmember');
        grMember.initialize();
        grMember.user = user_ids[i];
        grMember.group = '1f6fdc48473a71d0ab9bb6bf016d43b8'; // replace with your group sys_id
        grMember.insert();
    }

})(source, map, log, target);

 

 

Let me know if it works for you.

 

Cheers,

Tai Vu
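
The onAfter and onComplete scripts above each insert a sys_user_grmember row without checking for an existing one, so running both would create duplicate memberships. As an added example (not code from the thread), the helper below grants membership only once and grants nothing if the group is missing. The helper name, the group name and the in-memory GlideRecord stand-in are assumptions so the logic can run outside an instance.

```javascript
// Stand-in for ServiceNow's GlideRecord, constructed for this example so the helper
// runs offline. It implements only the calls used below; omit it inside an instance.
var TABLES = { // constructed sample data
    sys_user_group: [{ sys_id: 'grp001', name: 'LDAP Demo Role Users' }],
    sys_user_grmember: []
};
function GlideRecord(table) { this.table = table; this.filters = {}; this.rows = []; }
GlideRecord.prototype.addQuery = function (field, value) { this.filters[field] = String(value); };
GlideRecord.prototype.query = function () {
    var f = this.filters;
    this.rows = TABLES[this.table].filter(function (row) {
        return Object.keys(f).every(function (k) { return String(row[k]) === f[k]; });
    });
};
GlideRecord.prototype.hasNext = function () { return this.rows.length > 0; };
GlideRecord.prototype.get = function (field, value) {
    this.addQuery(field, value);
    this.query();
    this.sys_id = this.hasNext() ? this.rows[0].sys_id : null;
    return this.hasNext();
};
GlideRecord.prototype.initialize = function () {};
GlideRecord.prototype.insert = function () {
    TABLES[this.table].push({ user: String(this.user), group: String(this.group) });
};

// Helper (hypothetical name): add a user to the role-bearing group exactly once.
// Returns 'added', 'already_member' or 'group_not_found'.
function addUserToGroupOnce(userSysId, groupName) {
    var grp = new GlideRecord('sys_user_group');
    if (!grp.get('name', groupName)) {
        return 'group_not_found'; // grant nothing rather than insert a dangling row
    }
    var existing = new GlideRecord('sys_user_grmember');
    existing.addQuery('user', userSysId);
    existing.addQuery('group', grp.sys_id);
    existing.query();
    if (existing.hasNext()) {
        return 'already_member'; // safe to call from onAfter, onComplete, or both
    }
    var member = new GlideRecord('sys_user_grmember');
    member.initialize();
    member.user = userSysId;
    member.group = grp.sys_id;
    member.insert();
    return 'added';
}
```

In a transform script the call would take the place of the unconditional insert, for example `addUserToGroupOnce(target.sys_id, 'LDAP Demo Role Users')` inside the `action == "insert"` branch.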

Hello @Tai Vu ,

 

Sorry for responding late.

I have a doubt with the approach you gave.

Why are we using both onAfter and onComplete? In your onAfter script you are checking if the transform did an "Insert" action and, if it does, taking the sys_id of the inserted user and adding the user to the group we created for assigning the role.

Then why do we need the onComplete script to do the same work again?

 

Thank you