Removing servicenow groups and roles via flow designer

AoifeS · ‎10-11-2024

I'm working on a flow to remove users from all ServiceNow groups and roles they belong to.

I've attached the flow steps for your reference. While it successfully removes the groups, I'm encountering an unknown error during the delete record step for roles, which halts the rest of the flow.

Is there a better way to do this?

sadif_raja · ‎10-11-2024

@AoifeS

Better Approach Using Script (Alternative Solution):

Instead of relying purely on Flow Designer for the "delete record" step, a scripted approach may offer more control and allow handling of errors or edge cases more gracefully.

Here’s a script example that could be used in a Flow or Script Action to remove all roles and group memberships for a user:

Example Script to Remove Roles and Group Memberships

javascript&colon;

Explanation:

The script first queries all group memberships (sys_user_grmember) and roles (sys_user_has_role) associated with the user.
Then it loops through each record and deletes them.

Using Flow Designer with Script Step:

You can use a "Script Step" in Flow Designer instead of a "Delete Record" action, allowing you to execute the script to remove the groups and roles.
Add a script step after your group removal step to handle the role deletion, like the one mentioned above.

Additional Enhancements:

Error Logging: Add error logging inside the script to capture which role or group deletions fail and why. For example:
javascript&colon;
if (!roleDeleteRecord.deleteRecord()) { gs.error('Failed to delete role ' + userRole.sys_id + ' for user: ' + userSysId); }
Batch Processing: If users have many roles or groups, consider adding batching logic to avoid timeout issues when dealing with large datasets.

This script-based solution might give you more flexibility and ensure that both group and role removals happen smoothly without the errors you've encountered.

Thumbs up if it works for you.

View solution in original post

sadif_raja · ‎10-11-2024

@AoifeS

Better Approach Using Script (Alternative Solution):

Instead of relying purely on Flow Designer for the "delete record" step, a scripted approach may offer more control and allow handling of errors or edge cases more gracefully.

Here’s a script example that could be used in a Flow or Script Action to remove all roles and group memberships for a user:

Example Script to Remove Roles and Group Memberships

javascript&colon;

Explanation:

The script first queries all group memberships (sys_user_grmember) and roles (sys_user_has_role) associated with the user.
Then it loops through each record and deletes them.

Using Flow Designer with Script Step:

You can use a "Script Step" in Flow Designer instead of a "Delete Record" action, allowing you to execute the script to remove the groups and roles.
Add a script step after your group removal step to handle the role deletion, like the one mentioned above.

Additional Enhancements:

Error Logging: Add error logging inside the script to capture which role or group deletions fail and why. For example:
javascript&colon;
if (!roleDeleteRecord.deleteRecord()) { gs.error('Failed to delete role ' + userRole.sys_id + ' for user: ' + userSysId); }
Batch Processing: If users have many roles or groups, consider adding batching logic to avoid timeout issues when dealing with large datasets.

This script-based solution might give you more flexibility and ensure that both group and role removals happen smoothly without the errors you've encountered.

Thumbs up if it works for you.

AoifeS · ‎10-16-2024

@sadif_raja Thank you, I have split this script up in two parts (removing groups and removing role in the delete record steps) as seen in the screenshots attached.

However I am now getting a new error also in screenshots attached. Do you have any suggestions on why this is happening?

sadif_raja · ‎10-16-2024

1. Your table has something then you can use that table in variable.
2. write sys_id of group or user inside quotations and it must have a 32 characters unique id.

Diogo Ramos · ‎10-11-2024

Normally, when you remove a group from a user it should automatically remove all related roles that group gives at least on recent SN versions. Unless, the user had manually added roles which would be a bad practice. With that aside, you flow looks ok in theory, the only remark I would say is that you seem to have quite a big amount of activities maybe would be interesting to move this into a subflow.

Have you tried looking at the logs when the error occurs to see if there is any info there? Are you trying to remove a role that maybe requires elevate privileges?