Skipping record for table sys_user_has_role and id XXXXX - permission denied

G24
Kilo Sage

Hello, smart people.

 

We would like for our sys_id values to be the same on Dev, Test, and Prod.  That way, when we make changes and deploy customer updates, everything works as expected, and there are no surprises.  We believe this is a best practice, rather than creating records independently on different instances, whereby they would be assigned different sys_id values.

 

To that end, I am trying to import records from instance A to instance B, from the following tables:

     sys_user

     sys_user_grmember

     sys_user_has_role

 

This seems to work as expected for sys_user and sys_user_grmember, but we are having difficulty with sys_user_has_role.

 

For example, I am unable to import the following record:

1_XML_File.png

When I import the XML file from any list view using the Import - XML command, I receive the following error:

2_ImportXML.png

 

When I force the record into an update set, and I attempt to commit the Update Set, I receive the following error:

"Version loading was stopped by DefaultUpdateLoader for sys_user_has_role_87XXXXXXXXXXXXXXXfdc".  Here is a screenshot of that:

3_CommitUpdateSet.png

 

I verified that all of the sys_id values REFERENCED BY the record I am trying to import do in fact exist, so that is not the issue.

 

When I review the Create access control for table sys_user_has_role, I do see some interesting things...  I see that the "Admin overrides" checkbox is UN-checked.  And I see that there is some Script involved.  However, even when I check the "Admin overrides" box, and even when I change the script to simply "answer = true", I still get the aforementioned errors when I try to import records on that table.  Here is what that Access Control looks like, for reference:

4_AccessControl.png

 

Question 1) Is there some documented reason why we should NOT be trying to move records from table sys_user_has_role from one instance to another?  Or is it fine to do so?

 

(In the past, when I failed to move records from this table, users were unable to do what they needed to do, even though they were in the correct groups.)

 

Question 2) What am I doing wrong?  Or where should I go from here?

Thank you.

 

1 ACCEPTED SOLUTION

Bert_c1
Kilo Patron

Hi @G24 ,

 

Please check for the following two plugins being activated in your instance:

Contextual Security: Role Mangement and Contextual Security: Role Management V2.  Also the system property named "glide.role_management.use.inh_count" is present and set to true.  If so, please don't try to import records from 'sys_user_has_role'. As those plugins control the content of that table.  Seems this is the case for you.

 

Include 'sys_user_role_contains, sys_group_has_role, and then users will get roles based on Inheritance.  Your instance may need repair now due to you importing records from just two of the related tables. And Servicenow Support will need to be engages to review and repair.

View solution in original post

3 REPLIES 3

Bert_c1
Kilo Patron

Hi @G24 ,

 

Please check for the following two plugins being activated in your instance:

Contextual Security: Role Mangement and Contextual Security: Role Management V2.  Also the system property named "glide.role_management.use.inh_count" is present and set to true.  If so, please don't try to import records from 'sys_user_has_role'. As those plugins control the content of that table.  Seems this is the case for you.

 

Include 'sys_user_role_contains, sys_group_has_role, and then users will get roles based on Inheritance.  Your instance may need repair now due to you importing records from just two of the related tables. And Servicenow Support will need to be engages to review and repair.

@Bert_c1 

5_Plugins.png

 

6_SysProperty.png

 

So Bert, I see the documentation on RMV2 here: 

https://docs.servicenow.com/en-US/bundle/utah-platform-security/page/administer/roles/task/Role-Mgmt... 

and here

https://docs.servicenow.com/bundle/utah-platform-security/page/administer/roles/concept/Role-Mgmt-V2... 

 

But I don't see it saying anything about NOT updating the sys_user_has_role table directly.  Can you please explain where the knowledge you are imparting here is coming from?

 

Also, are you saying that it's now IMPOSSIBLE for our sys_id values to match between the instances, at least for this table?  That seems very odd, since we just spent the last 3 years insisting to our developers that everything match to prevent deployment issues.   Thanks..

Bert_c1
Kilo Patron

Hi Geoffhrey3,

 

The first link shows a script to verify Role Inheritance: '

new RoleManagementVerify().verifyInheritedRoles();

 Seems an admin user can run that.

 

The management of sys_user_has_role is managed by the platform with those plugins.

 

As far having the same sys_id values of records in each instance, once you clone prod down to test and dev, the sys_id values will match in each instance. When you apply update sets, some table records can get different sys_id values. But once you  get changes applied to production, clone over test and dev. To start "anew".