Refresh user's Roles without logging out

Andrew Albury-D
Mega Guru

Hey everyone,

I'm looking at building an "Elevate to Admin" tool which will let our developers have a single account, without being granted Admin until they need it in Production. I've found some mentions online for a "GlideSecurityManager" API which is "undocumented" but in theory, should do what I need. (found here: https://snprotips.com/undocumented-servicenow-apis)

I am creating a "sys_user_has_role" record for a user, with the role of Admin, and would love to let them not have to log out and back in to apply these changes.

Does anyone know exactly how to use the GlideSecurityManager API? I've tried a few ways - Background script, BR on sys_user_has_role, Flow Designer Action, and none seem to work. e.g.

Any help is appreciated,

Thanks,
Andrew

10 REPLIES

Hi Andrew,

Did the above comments work for you?

Thanks

Aishwarya

-O-
Kilo Patron

I'm not sure if it is in line with what you are trying to do, but according to your example you are trying to work with the current user, so maybe

var gsm = GlideSecurityManager.get();
gsm.enableElevatedRole('< role needing elevation >');

will enable you to achieve your goal?

If I run the script in Scripts - Background, with security_admin as parameter, the role is "turned on". I am able to edit ACLs (without using the profile menu item).

Asadullah Khaja
ServiceNow Employee

Hey Andrew,
I had a similar use case and got to know that getUserByID() returns an object of GlideUser type which can be used to refresh the session of that loaded user. Attaching a screenshot of the same if that helps.
Thanks!


JJ21
Tera Contributor

Hi Andrew, appreciate you may well have resolved/moved on with this, but I've recently built something similar to grant admin privileges temporarily. The problem has always been elevating privileges in a script to then add the role. The below is how I have got it working in a script action within flow:

// elevate the role
var GSM = GlideSecurityManager.get();
GSM.enableElevatedRole('security_admin');

// and then add the required user to the desired group
var addGroup = new GlideRecord('sys_user_grmember');
addGroup.initialize();
addGroup.user = '<sysid of user>';   // replace with the user's sys_id
addGroup.group = '<sysid of group>'; // replace with the group's sys_id
addGroup.insert();

The one issue with the above is it requires the user to log out and back in to pick up the new roles. I've been experimenting with GSM.setUser(user object) but it doesn't seem to behave as I expected. I may just force disconnect the user's session to ensure they log back in to collect their shiny new roles 🙂


-O-
Kilo Patron

Do you make sure that the job that assigns roles of the group to the user is finished by the time you try to reset the session?
That is an asynchronous job and if you run your reset code before that (highly likely), the session will in fact be reset, but the new roles are not yet created by then.
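
The ordering check described in the reply above, as an added example that is not code from any poster in this thread: confirm the sys_user_has_role rows exist before attempting any session refresh, and report which roles are still missing otherwise. The function names, the `refreshSession` callback and the injectable `GR` parameter are hypothetical; the refresh call itself is left to the caller because the thread does not settle which one works.

```javascript
// Added example for a ServiceNow server-side script (ES5 style).
// GR defaults to the platform's GlideRecord; it is injectable (assumption)
// so the logic can be exercised outside an instance.

// True when a sys_user_has_role row links the user to the named role.
function userHasRoleRow(userSysId, roleName, GR) {
  var gr = new GR('sys_user_has_role');
  gr.addQuery('user', userSysId);
  gr.addQuery('role.name', roleName); // dot-walk to the role's name
  gr.setLimit(1);
  gr.query();
  return gr.hasNext();
}

// Refresh only once every expected role row exists. If the asynchronous
// group-to-role job has not finished, nothing is refreshed and the missing
// roles are returned so the caller (e.g. a flow wait/retry step) can try
// again later instead of resetting a session that has nothing new to load.
function refreshIfRolesReady(userSysId, roleNames, refreshSession, GR) {
  GR = GR || GlideRecord;
  var missing = roleNames.filter(function (name) {
    return !userHasRoleRow(userSysId, name, GR);
  });
  if (missing.length > 0) {
    return { refreshed: false, missing: missing };
  }
  refreshSession(userSysId); // hypothetical callback supplied by the caller
  return { refreshed: true, missing: [] };
}
```

Passing the exact list of roles the group is expected to confer also means the refresh step never runs for a grant that did not produce those roles.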