ROLES- Inherited Roles but Those Roles are Not Part of the Group Supposedly Inherited From

jlaps · ‎04-04-2022

Good morning,

As part of an audit finding, I am removing extraneous roles from users and groups that do not need them and should not have them. However, I am running into a problem where roles are assigned to users, supposedly inherited by the group they are a member of, but those roles are not part of the group. I have investigated these roles to see what they are contained in, and none of those roles are in these groups either. And yet, I cannot remove the role from a user as the system says it is inherited from a group that does not have it listed.

Roles in question, in case it might matter, are FLOW_OPERATOR and CATALOG_MANAGER.

Hoping I am missing something easy... what to check and look for for inherited roles that I cannot remove?

Thanks.

Maik Skoddow · ‎04-04-2022

Hi @jlaps

to have an better visibility over the roles and where they are coming from, I developed a tool you could use: https://community.servicenow.com/community?id=community_article&sys_id=e05db575dbf0e410d5c4d9d968961...

Kind regards
Maik

Maik Skoddow · ‎04-16-2022

Hi @jlaps

In case you think I was able to answer your question, I would be happy if you mark the appropriate response as "correct" so that the question will appear as resolved for other users who may have a similar question in the future.

If not, please tell me what you are still missing!

Many thanks & kind regards
Maik

jlaps · ‎04-18-2022

I did not try your tool, but your link explained some things I needed to read, and I found the inception-nested way roles work. Keep drilling down, and eventually you find the source.