Make Locked User Accounts Available from Service Catalog

fcaruso123
Tera Expert

We have a catalog item to allow equipment to be returned after an employee has left the company. Selecting the employee (from sys_user) brings up a list of assets assigned to that user. This all works great, except when the employee being offboarded is marked locked on their user record (sys_user). There is a business rule "user query" that prevents locked accounts from being viewed by role admin and user_admin. Easy enough to remove the restriction, but then any menu referencing user records will show the locked users, e.g. Assigned to on incident, change, sc_task, ritm (as well as other places). We don't remove group membership when a user offboards.

 

Any thoughts on how else this might be achieved?

 

Thank you


Chaitanya ILCR
Kilo Patron

Hi @fcaruso123 ,

I have tried this approach

 

try this and let me know 

 

1. Store session client data for the logged-in user on load of the catalog item.

Create a client-callable script include:

var testQueryonBR = Class.create();
testQueryonBR.prototype = Object.extendsObject(AbstractAjaxProcessor, {

    // Store the value sent by the client (sysparm_allow) in the session's client data
    putClientDataForCatalog: function() {
        gs.getSession().putClientData('allowToViewLockedUsers', this.getParameter('sysparm_allow'));
        return gs.getSession().getClientData('allowToViewLockedUsers');
    },

    // Return the value currently stored in the session
    getClientData: function() {
        return gs.getSession().getClientData('allowToViewLockedUsers');
    },

    type: 'testQueryonBR'
});

 

and an onload client script to put client data which allows them to see the inactive users

function onLoad() {
    // Set the session flag while this catalog item is open
    var k = new GlideAjax('testQueryonBR');
    k.addParam('sysparm_name', 'putClientDataForCatalog');
    k.addParam('sysparm_allow', 'true');
    k.getXMLAnswer(function() {}); // the answer is not used
}

and an onsubmit client script to hide inactive users

function onSubmit() {
    // Clear the session flag when the item is submitted
    var k = new GlideAjax('testQueryonBR');
    k.addParam('sysparm_name', 'putClientDataForCatalog');
    k.addParam('sysparm_allow', null);
    k.getXMLAnswer(function() {}); // the answer is not used
}

 

and update the BR script with

if (!gs.getSession().getClientData('allowToViewLockedUsers'))
    current.addActiveQuery();


 

The only issue I can see with this approach is when the user opens the catalog form and doesn't submit it. In this scenario the user can view the inactive user until they end their session (log out).

 

 

OR

 

Put an OR condition in the BR to allow users with any other role to see the inactive users.

 

 

Please mark my answer as helpful/correct if it resolves your query.

Regards,
Chaitanya

Ian Mildon
Tera Guru

I actually built out something similar for our HR team so that inactive profiles can be selected on certain HR Catalog Items.

 

The key to this is that you will need to add a new custom field to the "sys_user" table for something like "u_show_inactive" and then pre-populate this on all records. Then on the catalog item in the reference field that points to "sys_user" you would add a simple filter of 

 

"active = true" OR "u_show_inactive=true"

 

This should then allow you to see/select these profiles even though they are actually inactive.

 

Now if you are wanting to do any additional data queries, you will need to do further scripting based on a client script and script include as server-side scripting can get around the business rule restriction. Or in some circumstances it's possible to use a "reverse" query to get around the business rule such as in this line of syntax:

 

if (grUser.next() && !grUser.active)

Appreciate the responses. Decided to go a different direction. Since there is currently only one catalog item that needs access to inactive user records, I wrote a script include which performs a GlideRecord search of sys_user with the ignore business rule option. The user enters the unique ID of the employee and an Ajax call returns the attributes necessary to process the request.
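
The direction described in the last post (one server-side lookup that reads sys_user with business rules disabled and returns only the attributes the request needs), as an added example that is not the poster's code. It assumes the unique ID is employee_number; the role name, the sysparm_employee_id parameter, the fakeUserRecord stand-in and the sample row are hypothetical or constructed.

```javascript
// Added example, not code from the thread. Assumptions: the "unique ID" is
// employee_number; the role name and sysparm_employee_id are hypothetical.
var REQUIRED_ROLE = 'u_offboarding_agent'; // hypothetical role
var RETURN_FIELDS = ['sys_id', 'name', 'employee_number', 'active', 'locked_out'];
// hasRole(role) -> boolean; newUserRecord() -> GlideRecord (or stand-in) on sys_user
function lookupOffboardedUser(employeeId, hasRole, newUserRecord) {
    if (!hasRole(REQUIRED_ROLE)) return { error: 'forbidden' };
    var id = String(employeeId || '');
    // Exact-match IDs only: reject wildcards and encoded-query operators
    if (!/^[A-Za-z0-9_-]{1,40}$/.test(id)) return { error: 'bad_id' };
    var gr = newUserRecord();
    gr.addQuery('employee_number', id);
    gr.setLimit(1);
    gr.setWorkflow(false); // skip business rules, including "user query"
    gr.query();
    if (!gr.next()) return { error: 'not_found' };
    var out = {};
    RETURN_FIELDS.forEach(function(f) { out[f] = gr.getValue(f); });
    return out; // only allow-listed attributes leave the server
}

// On an instance, a client-callable Script Include method would return:
//   JSON.stringify(lookupOffboardedUser(this.getParameter('sysparm_employee_id'),
//       function(r) { return gs.hasRole(r); },
//       function() { return new GlideRecord('sys_user'); }));

// Constructed stand-in for GlideRecord so the function also runs outside an instance.
function fakeUserRecord(rows) {
    var q = {}, i = -1, hits = [];
    return {
        workflow: true,
        addQuery: function(f, v) { q[f] = v; },
        setLimit: function() {},
        setWorkflow: function(b) { this.workflow = b; },
        query: function() {
            var rulesOn = this.workflow;
            hits = rows.filter(function(r) {
                // mimic the query rule: inactive rows are hidden while rules run
                if (rulesOn && r.active !== 'true') return false;
                return Object.keys(q).every(function(k) { return r[k] === q[k]; });
            });
        },
        next: function() { return ++i < hits.length; },
        getValue: function(f) { return f in hits[i] ? hits[i][f] : null; }
    };
}
// Constructed sample row (not real data)
var SAMPLE = [{ sys_id: 'a1', name: 'Pat Example', employee_number: 'E1001',
                active: 'false', locked_out: 'true', email: 'pat@example.com' }];
```

Because the bypass lives in one role-checked server function, the "user query" rule stays in force for every other reference field and list.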