If last login is before 90 days all roles need to be removed
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-06-2023 02:43 AM
Hello Experts,
My requirement is if any user have not logged in for 90 days, but then there is no way for them to be able to request anything or raise an incident. I want to create a scheduled job so that all roles are removed except those roles snc_internal and approver user. They should NOT be lock-out or deactivated.
How to achieve this,
I have tested with this script.
var intCounter = 0;
var intRoleCounter = 0;
var dt = new GlideDate();
months = gs.getProperty('TSF.Months.To.Remove.User.Roles', 3) * -1;
dt.addMonths(months);
var grUser = new GlideRecord('sys_user');
grUser.addQuery('last_login', '<', dt).addOrCondition('last_login', '');
grUser.addQuery('sys_id','20fdd5eb1b23b4d0d77fedf2b24bcb59');//test with one user
grUser.addQuery('sys_created_on', '<', dt);
grUser.addQuery('web_service_access_only', false); //Skip interface accounts
grUser.query();
while (grUser.next()) {
var approver = checkApproverUser(grUser.sys_id);
if (approver == false) {
// Check exclude groups
if (checkExcludeGroups(grUser.sys_id + '')) {
continue;
}
// Check if user has any role beside snc_internal
if (checkRoles(grUser.sys_id + '')) {
continue;
}
// Do not remove anything from a user with admin role
if (checkAdmin(grUser.sys_id + '')) {
continue;
}
removeGroups(grUser.sys_id + '');
// all group member ships deleted check if there are any roles left
removeRoles(grUser.sys_id + '');
// now add a Metric so it traceable when this happened
createMetric(grUser);
intCounter++;
//grUser.active = false;
//line num 34 removed As a part of STRY0159512
grUser.update();
}
}
gs.log('Scheduled job ended: TSF: Remove all memberships and roles when not logged in for 3* months, roles from ' + intCounter + ' users removed, ' + intRoleCounter + ' roles removed where inherited was true, after deleting all group memberships.');
function checkApproverUser(grUser) {
var grAU = new GlideRecord('sys_user_has_role');
grAU.addQuery('user', grUser);
grAU.addQuery('role.name', 'approver_user');
grAU.query();
if (grAU.hasNext()) {
return true;
} else {
return false;
}
}
function checkRoles(grUser) {
var grUHR = new GlideRecord('sys_user_has_role');
grUHR.addQuery('user', grUser);
if (JSUtil.notNil(gs.getProperty('TSF.Snc_internal.Role.SysID'))) {
grUHR.addQuery('role', '!=', gs.getProperty('TSF.Snc_internal.Role.SysID'));
} else {
grUHR.addQuery('role.name', '!=', 'snc_internal');
}
grUHR.query();
if (grUHR.hasNext()) {
return false;
} else {
return true;
}
}
function checkAdmin(grUser) {
var grUHR = new GlideRecord('sys_user_has_role');
grUHR.addQuery('user', grUser);
if (JSUtil.notNil(gs.getProperty('TSF.Admin.Role.SysID'))) {
grUHR.addQuery('role', gs.getProperty('TSF.Admin.Role.SysID'));
} else {
grUHR.addQuery('role.name', 'admin');
}
grUHR.query();
if (grUHR.hasNext()) {
return true;
} else {
return false;
}
}
function checkExcludeGroups(grUser) {
var grGM = new GlideRecord('sys_user_grmember');
grGM.addQuery('user', grUser);
grGM.query();
while (grGM.next()) {
if ((gs.getProperty('TSF.Exclude.Groups.From.Remove.User.Roles').indexOf(grGM.group + '')) >= 0) {
return true;
}
}
return false;
}
function removeRoles(grUser) {
var grUHR = new GlideRecord('sys_user_has_role');
grUHR.addQuery('user', grUser);
// Do not remove the snc_internal role
if (JSUtil.notNil(gs.getProperty('TSF.Snc_internal.Role.SysID'))) {
grUHR.addQuery('role', '!=', gs.getProperty('TSF.Snc_internal.Role.SysID'));
} else {
grUHR.addQuery('role.name', '!=', 'snc_internal');
}
grUHR.query();
// DeleteMultiple does not work here because sometimes there are roles left from a groupmembership with inherited = true.
// Because of the installed plugin: Contextual Security: Role Management V2 it is no lomger possible to delete these, workaround is to set the inherited to false and then delete the record
while (grUHR.next()) {
if (grUHR.inherited == true) {
intRoleCounter++; //count this for logging
grUHR.inherited = false;
grUHR.update();
}
grUHR.deleteRecord();
}
}
function removeGroups(grUser) {
var grGM = new GlideRecord('sys_user_grmember');
grGM.addQuery('user', grUser);
grGM.query();
grGM.deleteMultiple();
}
function createMetric(grUser) {
var grDefinition = new GlideRecord('metric_definition');
grDefinition.addQuery('name', 'TSF: User revoked roles');
grDefinition.query();
if (grDefinition.next()) {
var mi = new MetricInstance(grDefinition, grUser);
var gr = mi.getNewRecord();
gr.start = new GlideDateTime();
gr.end = new GlideDateTime();
gr.value = 'Roles revoked';
gr.calculation_complete = true;
gr.duration = 0;
gr.insert();
}
}
Best Regards,
Raj.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-06-2023 06:25 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-06-2023 06:50 AM
So have you written the script in business rule or some scheduled job?
Did you try to explore on flow designer where you might not have to use script?
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-06-2023 07:42 AM
Hello @Ankur Bawiskar
Already scheduled job is running for snc_internal role but the new requirement is all roles need to be removed except snc_internal and approver user I need to add approver_user role as in the script.
How to add approver_user role as well in existing script....?
gs.log('Scheduled job started: TSF: Remove all memberships and roles when not logged in for 3* months');
var intCounter = 0;
var intRoleCounter = 0;
var dt = new GlideDate();
months = gs.getProperty('TSF.Months.To.Remove.User.Roles', 3) * -1;
dt.addMonths(months);
var grUser = new GlideRecord('sys_user');
grUser.addQuery('last_login', '<', dt).addOrCondition('last_login', '');
grUser.addQuery('sys_created_on','<',dt);
grUser.addQuery('web_service_access_only', false); //Skip interface accounts
grUser.query();
while (grUser.next()) {
// Check exclude groups
if (checkExcludeGroups(grUser.sys_id + '')) {
continue;
}
// Check if user has any role beside snc_internal
if (checkRoles(grUser.sys_id + '')) {
continue;
}
// Do not remove anything from a user with admin role
if (checkAdmin(grUser.sys_id + '')) {
continue;
}
removeGroups(grUser.sys_id + '');
// all group member ships deleted check if there are any roles left
removeRoles(grUser.sys_id + '');
// now add a Metric so it traceable when this happened
createMetric(grUser);
intCounter++;
}
gs.log('Scheduled job ended: TSF: Remove all memberships and roles when not logged in for 3* months, roles from ' + intCounter + ' users removed, ' + intRoleCounter + ' roles removed where inherited was true, after deleting all group memberships.');
function checkRoles(grUser) {
var grUHR = new GlideRecord('sys_user_has_role');
grUHR.addQuery('user', grUser);
if (JSUtil.notNil(gs.getProperty('TSF.Snc_internal.Role.SysID'))) {
grUHR.addQuery('role', '!=', gs.getProperty('TSF.Snc_internal.Role.SysID'));
} else {
grUHR.addQuery('role.name', '!=', 'snc_internal');
}
grUHR.query();
if (grUHR.hasNext()) {
return false;
} else {
return true;
}
}
function checkAdmin(grUser) {
var grUHR = new GlideRecord('sys_user_has_role');
grUHR.addQuery('user', grUser);
if (JSUtil.notNil(gs.getProperty('TSF.Admin.Role.SysID'))) {
grUHR.addQuery('role', gs.getProperty('TSF.Admin.Role.SysID'));
} else {
grUHR.addQuery('role.name', 'admin');
}
grUHR.query();
if (grUHR.hasNext()) {
return true;
} else {
return false;
}
}
function checkExcludeGroups(grUser) {
var grGM = new GlideRecord('sys_user_grmember');
grGM.addQuery('user', grUser);
grGM.query();
while (grGM.next()) {
if ((gs.getProperty('TSF.Exclude.Groups.From.Remove.User.Roles').indexOf(grGM.group + '')) >= 0) {
return true;
}
}
return false;
}
function removeRoles(grUser) {
var grUHR = new GlideRecord('sys_user_has_role');
grUHR.addQuery('user', grUser);
// Do not remove the snc_internal role
if (JSUtil.notNil(gs.getProperty('TSF.Snc_internal.Role.SysID'))) {
grUHR.addQuery('role', '!=', gs.getProperty('TSF.Snc_internal.Role.SysID'));
} else {
grUHR.addQuery('role.name', '!=', 'snc_internal');
}
grUHR.query();
// DeleteMultiple does not work here because sometimes there are roles left from a groupmembership with inherited = true.
// Because of the installed plugin: Contextual Security: Role Management V2 it is no lomger possible to delete these, workaround is to set the inherited to false and then delete the record
while (grUHR.next()) {
if (grUHR.inherited == true) {
intRoleCounter++; //count this for logging
grUHR.inherited = false;
grUHR.update();
}
grUHR.deleteRecord();
}
}
function removeGroups(grUser) {
var grGM = new GlideRecord('sys_user_grmember');
grGM.addQuery('user', grUser);
grGM.query();
grGM.deleteMultiple();
}
function createMetric(grUser) {
var grDefinition = new GlideRecord('metric_definition');
grDefinition.addQuery('name', 'TSF: User revoked roles');
grDefinition.query();
if (grDefinition.next()) {
var mi = new MetricInstance(grDefinition, grUser);
var gr = mi.getNewRecord();
gr.start = new GlideDateTime();
gr.end = new GlideDateTime();
gr.value = 'Roles revoked';
gr.calculation_complete = true;
gr.duration = 0;
gr.insert();
}
}
Best Regards,
Raj.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-06-2023 06:49 PM
can you share where did you add the extra logic and what debugging you did?
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
