Parent group roles not inherited - fix script
‎06-10-2020 01:18 PM
We have identified an error with ServiceNow where the BR to populate parent roles to child groups does not always work. This is down to the script timing out after 296 seconds and the huge amount of groups we have. ServiceNow HI have extended the timeout. But we are still left with members of child groups that did not inherit some of the parent roles from before the fix was applied.
To fix this I'd like to run a script to check and fix all members of all groups with a parent to see if the parent roles were not inherited.
Here's my first attempt but the role.insert() fails. Can you help me fix it and improve my coding skills, please?
thx
var grGroupRoles = new GlideRecord('sys_group_has_role');
var insertCount = 0;
var loopCount = 0;
// roles a group holds because of a parent: granted_by is the parent group and inherits is true
grGroupRoles.addEncodedQuery("granted_by!=NULL^inherits=true^group.nameISNOTEMPTY");
grGroupRoles.addEncodedQuery("group.active=true");
grGroupRoles.query();
while (grGroupRoles.next() && insertCount < 1) { // with temporary counter to stop early
    // grGroupRoles now has all groups and roles with a parent group to step through
    // we now look for all group members in the above group without the above role
    var grSUG = new GlideRecord('sys_user_grmember');
    grSUG.addQuery('group', grGroupRoles.getValue('group')); // compare sys_ids, not GlideElement objects
    grSUG.addEncodedQuery("group.active=true");
    grSUG.setLimit(1); // temporary counter to stop early
    grSUG.query();
    while (grSUG.next() && insertCount < 1 && loopCount < 3) { // with temporary counter to stop early
        loopCount++;
        // the dot-walked user.roles compare is replaced by an explicit lookup on sys_user_has_role,
        // so members who already hold the role (from any source) are skipped and not duplicated
        var grExisting = new GlideRecord('sys_user_has_role');
        grExisting.addQuery('user', grSUG.getValue('user'));
        grExisting.addQuery('role', grGroupRoles.getValue('role'));
        grExisting.setLimit(1);
        grExisting.query();
        if (grExisting.hasNext()) {
            continue;
        }
        // group member without parent role is now known so insert the role for that member
        var newRole = new GlideRecord('sys_user_has_role');
        newRole.initialize();
        newRole.setValue('user', grSUG.getValue('user'));
        newRole.setValue('role', grGroupRoles.getValue('role'));
        newRole.setValue('inherited', grGroupRoles.getValue('inherits'));
        newRole.setValue('granted_by', grGroupRoles.getValue('granted_by'));
        if (newRole.insert()) {
            gs.info('SUCCESS group: ' + grSUG.getDisplayValue('group') + ' user: ' + grSUG.getDisplayValue('user') + ' Added role: ' + grGroupRoles.getDisplayValue('role'));
            insertCount++;
        } else {
            gs.info('FAILURE group: ' + grSUG.getDisplayValue('group') + ' user: ' + grSUG.getDisplayValue('user') + ' role failed: ' + grGroupRoles.getDisplayValue('role')); // this is the only output I'm getting
        }
    }
}
Labels: Scripting and Coding
‎06-10-2020 02:39 PM
The User (sys_user) table and its linked tables are considered "special" tables in that rules fire on them regardless. For example, if you were to run a script to insert a new group member with setWorkflow(false), meaning to not run business rules, they would run anyway. I am surprised you have anomalies because of this. Have you queried to understand how big the impact is?
I have reviewed your script above and I am not really following it, especially in terms of how this has anything to do with "parent" groups. The business rules that run against the role associations call a Script Include called RoleManager, and I am thinking you may be better off running it versus the above, though I am not sure whether the roles may be duplicated for those users that may already have them.
‎06-12-2020 02:35 AM
Hi Michael,
The insert() part of my script was taken from the RoleManager script include. It's an interesting point about roles that may already exist, inherited from elsewhere - I'll look into that...