User-Group Role Compliance Checker

Akshay03

This script reads the roles assigned to a group and compares them with the roles each member of the group actually holds. For every member it identifies any group roles the user is missing and prints the result; it is read-only and makes no changes.

 

 

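// Background script (global scope). For every group in groupList it loads the
// roles granted to the group (sys_group_has_role) and then, for each member
// (sys_user_grmember), reports which of those roles the member does not hold in
// sys_user_has_role -- directly or inherited. Read-only: it prints via gs.print
// and modifies nothing.
//
// Caveats for anyone acting on the output:
//  - Roles are matched by name only. A member who holds a parent role that
//    contains one of the group's roles (sys_user_role_contains) is still
//    reported as missing it, so "missing" means "review", not "confirmed gap".
//  - Inactive members are included in the report; add
//    memberGR.addQuery('user.active', true) if they should be skipped.
//  - The group sys_ids below are instance-specific; replace them before use.
var groupList = ['b85d44954a3623120004689b2d5dd60a', 'a715cd759f2002002920bde8132e7018', 'b97e89b94a36231201676b73322a0311'];

groupList.forEach(function (groupSysId) {
    var group = new GlideRecord('sys_user_group');
    if (!group.get(groupSysId)) {
        gs.print('Group not found: ' + groupSysId);
        return;
    }

    // Lower-cased names of the roles granted to the group; the comparison below
    // is case-insensitive, as in the original.
    var groupRoleNames = [];
    var groupRoleGR = new GlideRecord('sys_group_has_role');
    groupRoleGR.addQuery('group', groupSysId);
    groupRoleGR.query();
    while (groupRoleGR.next()) {
        // role.name is a GlideElement; convert explicitly before using String methods.
        groupRoleNames.push(groupRoleGR.role.name.toString().toLowerCase());
    }

    var memberGR = new GlideRecord('sys_user_grmember');
    memberGR.addQuery('group', groupSysId);
    memberGR.query();
    while (memberGR.next()) {
        // getValue() yields the referenced sys_id as a plain string, which is
        // what the role query needs; it is empty when the reference is empty.
        var userSysId = memberGR.getValue('user');
        if (!userSysId) {
            // Membership row whose user reference is empty (e.g. the user record
            // was deleted). There is nothing to compare; the original code would
            // have reported a blank user name as missing every group role.
            gs.print('Membership record ' + memberGR.getUniqueValue() + ' has no user; skipped.');
            continue;
        }

        // Lower-cased names of every role the member currently holds.
        var heldRoleNames = [];
        var userRoleGR = new GlideRecord('sys_user_has_role');
        userRoleGR.addQuery('user', userSysId);
        userRoleGR.query();
        while (userRoleGR.next()) {
            heldRoleNames.push(userRoleGR.role.name.toString().toLowerCase());
        }

        var missingRoles = groupRoleNames.filter(function (roleName) {
            return heldRoleNames.indexOf(roleName) === -1;
        });

        var userName = memberGR.user.user_name;
        if (missingRoles.length > 0) {
            gs.print(userName + '    User is missing the following group roles: ' + missingRoles.join(', '));
        } else {
            gs.print(userName + '    User has all group roles.');
        }
    }
});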

// The script only prints the results. If you also need to insert the missing roles, that can be added on top of what this reports.

 

 

 


mihirlimje867

Thank you @Akshay03 for sharing this helpful script. I will use it in my future development.

Thank you.

sadif_raja

 

Your script works well for identifying missing roles for users in a group. If you're looking to go a step further and automatically assign the missing roles to those users, here's how you can modify your script:

```javascript
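// Variant of the checker above that also repairs gaps by inserting direct
// sys_user_has_role records. Read the caveats before enabling writes:
//  - A role inserted here is a direct grant to the user, not one inherited
//    from the group, so it is not removed when the user later leaves the
//    group. Run repeatedly and access quietly widens over time; prefer fixing
//    the group membership / role inheritance and use this only as a
//    deliberate, reviewed exception.
//  - Matching is by role name, so a user who already holds the role through a
//    containing role may still receive an explicit grant.
//  - The original reply assigned groupRoleGR.role after the group-role loop
//    had run to completion, i.e. from a cursor positioned past the last row;
//    the role sys_id is now captured per name while the group roles are read.
// Run with DRY_RUN = true first and review the output; set it to false to write.
var DRY_RUN = false;
var groupList = ['b85d44954a3623120004689b2d5dd60a', 'a715cd759f2002002920bde8132e7018', 'b97e89b94a36231201676b73322a0311'];

groupList.forEach(function (groupSysId) {
    var group = new GlideRecord('sys_user_group');
    if (!group.get(groupSysId)) {
        gs.print('Group not found: ' + groupSysId);
        return;
    }

    // lower-cased role name -> sys_user_role sys_id, for every role granted to
    // the group. Object.create(null) so a role name can never collide with an
    // Object.prototype property.
    var groupRoleIds = Object.create(null);
    var groupRoleNames = [];
    var groupRoleGR = new GlideRecord('sys_group_has_role');
    groupRoleGR.addQuery('group', groupSysId);
    groupRoleGR.query();
    while (groupRoleGR.next()) {
        var roleName = groupRoleGR.role.name.toString().toLowerCase();
        if (groupRoleNames.indexOf(roleName) === -1) {
            groupRoleNames.push(roleName);
            groupRoleIds[roleName] = groupRoleGR.getValue('role');
        }
    }

    var memberGR = new GlideRecord('sys_user_grmember');
    memberGR.addQuery('group', groupSysId);
    memberGR.query();
    while (memberGR.next()) {
        var userSysId = memberGR.getValue('user');
        if (!userSysId) {
            // Dangling membership row (empty user reference): nothing to compare
            // and certainly nothing to grant.
            gs.print('Membership record ' + memberGR.getUniqueValue() + ' has no user; skipped.');
            continue;
        }
        var userName = memberGR.user.user_name;

        // Lower-cased names of every role the member currently holds.
        var heldRoleNames = [];
        var userRoleGR = new GlideRecord('sys_user_has_role');
        userRoleGR.addQuery('user', userSysId);
        userRoleGR.query();
        while (userRoleGR.next()) {
            heldRoleNames.push(userRoleGR.role.name.toString().toLowerCase());
        }

        var missingRoles = groupRoleNames.filter(function (name) {
            return heldRoleNames.indexOf(name) === -1;
        });

        if (missingRoles.length === 0) {
            gs.print(userName + ' User has all group roles.');
            continue;
        }
        gs.print(userName + ' User is missing the following group roles: ' + missingRoles.join(', '));

        missingRoles.forEach(function (missingRole) {
            var roleSysId = groupRoleIds[missingRole];
            if (DRY_RUN) {
                gs.print('[DRY RUN] Would assign role ' + missingRole + ' to user ' + userName);
                return;
            }
            var newUserRole = new GlideRecord('sys_user_has_role');
            newUserRole.initialize();
            newUserRole.setValue('user', userSysId);
            newUserRole.setValue('role', roleSysId);
            // insert() returns the new sys_id, or null when the insert was
            // rejected (ACL, business rule, duplicate); report either outcome.
            if (newUserRole.insert()) {
                gs.print('Assigned role ' + missingRole + ' to user ' + userName);
            } else {
                gs.print('Failed to assign role ' + missingRole + ' to user ' + userName);
            }
        });
    }
});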
```

This script not only checks for missing roles but also assigns them to the users automatically, printing a confirmation message for each role assigned. Note that roles added this way are direct grants to the user rather than roles inherited from the group, so they persist after the user leaves the group; review the reported gaps before running it with writes enabled.

Hope this helps!

 

Mimi_Edet

Is this a business rule script?