Revoke itil role from users not logged in 60 days

SN Rookie
Giga Expert

Hi All,

The requirement is to remove ITIL role from users who haven't logged in 60 days from groups (which provide itil access) and also those users who were given itil role explicitly. Before removing it should also give row count so that the numbers can be matched. Any help is highly appreciated.

Thanks

1 ACCEPTED SOLUTION

Please try below script to delete user from support group

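delete_user();

function delete_user()
{
    // Groups that are directly granted the itil role
    var grp_role = new GlideRecord('sys_group_has_role');
    grp_role.addQuery('role', '282bf1fac6112285017366cb5f867469'); // itil role sys_id, confirm on your instance
    grp_role.query();
    while (grp_role.next())
    {
        // Active members of this group who have not logged in for 60 days.
        // sys_user_grmember has no role field; the group filter restricts
        // this to groups that grant itil.
        var gr_mem = new GlideRecord('sys_user_grmember');
        gr_mem.addQuery('group', grp_role.group);
        gr_mem.addEncodedQuery("user.last_login_time<javascript:gs.daysAgoStart(60)^user.active=true");
        gr_mem.query();
        while (gr_mem.next())
        {
            // Log before deleting so the name is read from a live record
            gs.print("deleted users: " + gr_mem.user.getDisplayValue());
            gr_mem.deleteRecord();
        }
    }
}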


24 REPLIES

1) We do not have user field in "sys_group_has_role" table.

2) We are checking last login time for users in each group with itil role.

3) If condition will remove only one user.

It's recommended to run the code in a Fix Script.

My bad with point 1, I read it as sys_user_has_role... As I presumed, itil roles are given to groups, so by default every group should have one.

On points 2 and 3:

My above comment should be the restore point for its execution, and point 2 can be taken care of with this.

Point 3: "if" is intentionally used, because you would not want multiple recursions. Let the first condition be matched and only later hit it to complete actions. The sys_user_has_role should have first identified, and the later part should have dealt with removing.

Thanks for the help Jayanth,

Another query, this is something I missed.

There can be a situation where 'itil' role is inherited into another role. For example in Personal dev instance, the group named 'Network CAB Managers' has a role called 'sn_change_cab.cab_manager' which further inherits 'itil' role. Can we find which role inherits the 'itil' role and remove the user from that group as well?

Thanks!

In that case another GlideRecord is needed. (edited)

So this basically deletes the user from the group only if the user has itil and has not logged in within 60 days, and also the role is inherited from another role. Play with this accordingly.

Friendly advice: try building your queries from the list first. It would reduce the actual time in scripts.

// itil role rows for active users who have not logged in for 60 days
var grp_role = new GlideRecord('sys_user_has_role');
grp_role.addEncodedQuery('role=282bf1fac6112285017366cb5f867469^user.last_login_time<javascript:gs.daysAgoStart(60)^user.active=true'); //assuming this is the exact sys id of itil OR role contains itil
grp_role.query();
while (grp_role.next())
{
    // This user's membership in the group that granted the role.
    // sys_user_has_role has no group field; granted_by references the group.
    var gr_mem = new GlideRecord('sys_user_grmember');
    gr_mem.addQuery('group', grp_role.granted_by);
    gr_mem.addQuery('user', grp_role.user);
    gr_mem.query();
    if (gr_mem.next()) //if this time
    {
        // True when at least one role contains itil
        var rle = new GlideRecord('sys_user_role_contains');
        rle.addQuery('contains', '282bf1fac6112285017366cb5f867469'); //check with the real sys id of itil
        rle.query();
        if (rle.next()) //if this time
        {
            // Log before deleting so the name is read from a live record
            gs.print("deleted users: " + gr_mem.user.getDisplayValue());
            gr_mem.deleteRecord();
        }
    }
}

Please try below script

delete_user_inherit();
delete_user_no_inherit();

function delete_user_inherit()
{
    //Assuming all groups have itil
    var gr_mem = new GlideRecord('sys_user_grmember');
    gr_mem.addQuery('group.active', true); //consider active groups (sys_user_grmember has no active field of its own)
    gr_mem.addEncodedQuery("user.last_login_time<javascript:gs.daysAgoStart(60)^user.roles=itil");
    gr_mem.query();
    while (gr_mem.next())
    {
        // Log before deleting so the name is read from a live record
        gs.print("deleted users: " + gr_mem.user.getDisplayValue());
        gr_mem.deleteRecord();
    }
}

function delete_user_no_inherit()
{
    // itil rows in sys_user_has_role for active users who have not logged in for 60 days
    var gr = new GlideRecord('sys_user_has_role');
    gr.addEncodedQuery("user.last_login_time<javascript:gs.daysAgoStart(60)^role=282bf1fac6112285017366cb5f867469^user.active=true"); //change itil role sysid
    gr.query();
    while (gr.next())
    {
        gs.print('userName:' + gr.user.name);
        gr.deleteRecord();
    }
}
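
Added example, not from any poster in this thread: a dry run of the selection the thread is after, written as plain JavaScript over constructed rows so it runs outside an instance. It resolves every role that contains itil at any depth (the case raised with sn_change_cab.cab_manager), then returns the group memberships and explicit grants that would be removed together with their row counts. The function names, the team_lead role, the users, the groups other than Network CAB Managers, and the use of role names in place of sys_ids are assumptions.

```javascript
// Added example: plain JavaScript over constructed rows (runs in Node, not in an instance).
// Row shapes follow the tables named in the thread; every value below is made up.
const DAY_MS = 24 * 60 * 60 * 1000;

// Every role that grants `target`, directly or through any depth of containment.
function rolesGranting(target, roleContains) {
  const granting = new Set([target]);
  for (let grew = true; grew;) {
    grew = false;
    for (const { role, contains } of roleContains) {
      if (granting.has(contains) && !granting.has(role)) { granting.add(role); grew = true; }
    }
  }
  return granting; // a Set, so containment cycles cannot loop forever
}

// Dry run: returns what would be removed plus row counts; changes nothing.
function planRevocation(t, target, now, days) {
  const cutoff = now - days * DAY_MS;
  const active = t.users.filter(u => u.active);
  const stale = new Set(active.filter(u => u.last_login_time !== null && u.last_login_time < cutoff).map(u => u.id));
  // Users with no recorded login are listed for review instead of being revoked.
  const neverLoggedIn = active.filter(u => u.last_login_time === null).map(u => u.id);
  const granting = rolesGranting(target, t.roleContains);
  const groups = new Set(t.groupHasRole.filter(g => granting.has(g.role)).map(g => g.group));
  const memberships = t.grMember.filter(m => groups.has(m.group) && stale.has(m.user));
  const explicitGrants = t.userHasRole.filter(r => !r.inherited && granting.has(r.role) && stale.has(r.user));
  return { memberships, explicitGrants, neverLoggedIn,
           counts: { memberships: memberships.length, explicitGrants: explicitGrants.length } };
}

const NOW = Date.UTC(2024, 5, 1); // fixed "today" so the result is repeatable
const daysAgo = n => NOW - n * DAY_MS;
const sample = {
  users: [{ id: 'alice', active: true, last_login_time: daysAgo(90) }, { id: 'bob', active: true, last_login_time: daysAgo(5) },
          { id: 'carol', active: true, last_login_time: daysAgo(200) }, { id: 'dave', active: true, last_login_time: null },
          { id: 'erin', active: false, last_login_time: daysAgo(400) }],
  roleContains: [{ role: 'sn_change_cab.cab_manager', contains: 'itil' },
                 { role: 'team_lead', contains: 'sn_change_cab.cab_manager' }], // team_lead is hypothetical
  groupHasRole: [{ group: 'Service Desk', role: 'itil' }, { group: 'Network CAB Managers', role: 'sn_change_cab.cab_manager' },
                 { group: 'Leads', role: 'team_lead' }, { group: 'Facilities', role: 'approver_user' }],
  grMember: [{ user: 'alice', group: 'Service Desk' }, { user: 'bob', group: 'Service Desk' },
             { user: 'carol', group: 'Network CAB Managers' }, { user: 'carol', group: 'Leads' },
             { user: 'alice', group: 'Facilities' }, { user: 'dave', group: 'Service Desk' }, { user: 'erin', group: 'Service Desk' }],
  userHasRole: [{ user: 'alice', role: 'itil', inherited: true }, { user: 'carol', role: 'itil', inherited: false },
                { user: 'bob', role: 'itil', inherited: false }],
};
console.log(planRevocation(sample, 'itil', NOW, 60).counts);
```

The returned counts are the numbers to match against what a removal script then reports.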