isMemberOf(): How do I use this when trying to find if any user, (i.e., NOT the user currently logged in), is a member of a specific group?

shawnclune
ServiceNow Employee

BACKGROUND:

A client is adding members to one (or all) of three (3) groups.  If the user is a member of any of the groups, they are then considered a VIP user and the VIP "flag" on their user record should be set to "True".

Likewise, when a user is no longer a member of the three (3) groups, the VIP "flag" on their user record should be set to "False".

The client realizes that this should be done in AD and simply 'carried forward' into the LDAP import (transform) and set up that way, but for now, they are not utilizing any field in AD to consistently indicate a user as having VIP status.

 

SOLUTION:

I have created a simple FLOW using Flow Designer to accomplish the first half - setting the VIP "Flag" to true on a User's record when they are added to any one of the three (3) groups.

Trigger = Record created on the [sys_user_grmember] table.

Actions = Set the VIP field on the user's [sys_user] record to "True"

NOTE:

It just occurred to me that I have ONLY tested the FLOW when I manually add a user to one of the three VIP groups.  I have NOT tested the FLOW after the LDAP import has run and pulled a user into one of the three VIP groups.

 

I could not figure out how to do the second part using Flow Designer ... and no-code.

 

I am struggling with the second part - setting the VIP "Flag" to false on the User's record when they have been removed from all three (3) of the groups.

 

RESEARCH/ATTEMPTS:

I have researched using 'isMemberOf()', but it appears that this will ONLY work for the user who is currently logged in.

Is that true?

 

I want to be able to do something like this (using text only):

  1. Query all of the User Records where the VIP field = TRUE
  2. Then (While), using the results of the query above, check to see if the user is a member of one of the three (3) groups
    • (here's where I think the script will start to fail if I use isMemberOf)
  3. If the user is still a member of any one of the three (3) groups, do nothing
  4. If the user is NOT a member of one of the three groups, set the VIP field for that user = FALSE.

 

Also, how should this be run?

  • As a Business Rule?  If so, when?
  • As a Scheduled Job?  If so, would you run it daily after the LDAP import runs?

 

Ultimately, I would like it to be part of the LDAP import.

Ultimately Ultimately (squared) ... I would like BOTH parts, (i.e., setting the VIP field to TRUE or FALSE to be part of one 'script').

Ultimately Ultimately Ultimately (cubed):

I would like this whole topic to be a new series for Chuck and Dave to talk about ... where one could examine concepts like:

    • Should we even attack the issue this way, (i.e., using isMemberOf or should we create a new role called something like "orgname_vip" and instead use the "hasRole" approach?), or
    • Should we create a new group type value called "VIP" and use that approach, or
    • Is there the opportunity to do something clever by creating a ScriptInclude?

Thoughts?  Advice?  Guidance?

 
1 ACCEPTED SOLUTION

Appli
Mega Sage

Hi, maybe you can use the logic in a flow; please check it in a staging environment.

Hope it helps

 

Assuming LDAP load is scheduled at 18:30, you can trigger a flow at 19:00

Step 5 - set VIP as false, Step 7 - Set VIP as true

 

find_real_file.png

 

How 7 looks (just for reference):

find_real_file.png

Hope it helps


Mahesh Kumar3
Giga Guru
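// sys_ids of the three VIP groups
var group1 = 'sys id of group 1';
var group2 = 'sys id of group 2';
var group3 = 'sys id of group 3';

// Encoded query: membership in any one of the three groups
var queryString = "group=" + group1 + "^ORgroup=" + group2 + "^ORgroup=" + group3;

var userId = 'sys_id of user'; // in your case fd_data.trigger.current.user;

var grMember = new GlideRecord('sys_user_grmember');
grMember.addQuery('user', userId);
grMember.addEncodedQuery(queryString);
grMember.query();
// true when the user belongs to at least one VIP group
if (grMember.next()) {
   return true;
}
// No matching membership row: the user is not in any VIP group
return false;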

Use this script to set the value of VIP in Flow Designer.

 

Hope it works for you.

Mahesh,

Thank you sir, but I already have a 'no-code' solution for a FLOW to set the VIP flag for a user.

Regards,

     - Shawn

 

DrewW
Mega Sage

So just a thought on another way you can go about this. The GlideUser has a getUserByID so you could do something like the following in a business rule on the sys_user_grmember table. It should run on insert and delete. Please note that getGlideRecord is not available in a scoped app so you will have to change that line and use a GlideRecord.get().

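// Business rule on sys_user_grmember, run on insert and delete
var row = current;
if (current.operation() == "delete")
   row = previous;
var myUserObject = gs.getUser();
// Load the affected user instead of the logged-in one
myUserObject = myUserObject.getUserByID(row.getValue("user"));
var user = row.user.getGlideRecord();
// VIP is true when the user is in any of the three groups
user.setValue("vip", (myUserObject.isMemberOf("GROUP1") || myUserObject.isMemberOf("GROUP2") || myUserObject.isMemberOf("GROUP3")));
user.update();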

 

@shawnclune - You can actually check that while transforming the user data into the system using transform scripts. An after transform script would do just fine for this.

If you want to keep the same functionality for manual updates also, then it comes under a core business requirement, and in this case a Business Rule on sys_user_grmember is the suggested solution.

If you want to go with the Flow Designer approach, you need to have two flows. One is for the Record Created/Updated trigger and the other is for the Record Deleted trigger. Both flows will do the same action.

  • Look up the other sys_user_grmember records with the specific VIP groups & current user.
  • If records are found, the next check should be whether the user is VIP already. If yes, end the flow. Else, update the VIP status to true.
  • If no record is found, the next check should be whether the user is VIP. If yes, update the user record by setting the VIP status to false. Else, end the flow.
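
The four steps listed in the original question, together with the request for one script that handles both directions, written as a server-side function for a scheduled job that runs after the LDAP import. This is an added example, not code from any poster in this thread: `reconcileVipFlags` and its argument are hypothetical names, the `vip`, `user` and `group` fields are the ones used in the replies above, and it assumes the global `GlideRecord` API of a ServiceNow instance.

```javascript
// Added example: reconcile sys_user.vip against membership of the VIP groups.
// reconcileVipFlags and vipGroupIds are hypothetical names (not from the thread).
// vipGroupIds: array of sys_ids of the three VIP groups.
function reconcileVipFlags(vipGroupIds) {
    var result = { set: 0, cleared: 0 };

    // An empty group list must never be read as "nobody is VIP":
    // stop here so a misconfigured job cannot clear every flag.
    if (!vipGroupIds || vipGroupIds.length === 0) {
        return result;
    }

    // 1. Collect every user who belongs to at least one VIP group.
    var members = {};
    var grMember = new GlideRecord('sys_user_grmember');
    grMember.addQuery('group', 'IN', vipGroupIds.join(','));
    grMember.query();
    while (grMember.next()) {
        members[grMember.getValue('user')] = true;
    }

    // 2. Clear the flag on flagged users who are in none of the groups.
    var flagged = new GlideRecord('sys_user');
    flagged.addQuery('vip', true);
    flagged.query();
    while (flagged.next()) {
        if (!members[flagged.getUniqueValue()]) {
            flagged.setValue('vip', false);
            flagged.update();
            result.cleared++;
        }
    }

    // 3. Set the flag on group members who are not flagged yet.
    var memberIds = Object.keys(members);
    if (memberIds.length > 0) {
        var unflagged = new GlideRecord('sys_user');
        unflagged.addQuery('sys_id', 'IN', memberIds.join(','));
        unflagged.addQuery('vip', false);
        unflagged.query();
        while (unflagged.next()) {
            unflagged.setValue('vip', true);
            unflagged.update();
            result.set++;
        }
    }
    return result;
}
```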