User is not part of any group but still has the roles

Community Alums
Not applicable

Hello There,

 

Greetings!!!

 

I have come across a scenario where a user is not part of any of the groups but still has the roles, and they show inherited as true:


 

I checked sys_user_has_role > role inheritance map; it does not show any mapping.


 

How do I delete all such entries from the sys_user_has_role table for all users like the above user?

 

What causes this? 

 

Thanks,

Tejas

10 REPLIES 10

Sandeep Rajput
Tera Patron

@Community Alums This is happening due to role inheritance: some of the roles that contain other roles might have been directly assigned to the user, and hence the inheritance is true without the user being a part of the group.

gajananvwit
Tera Contributor

Hi,

 

Please check the roles field in the user table to see whether he has roles or not, then remove them from there.

Iraj Shaikh
Mega Sage

Hi @Community Alums 

In ServiceNow, roles can be inherited in several ways, and if you're seeing roles marked as inherited (`inherited = true`) in the `sys_user_has_role` table for users who are not part of any groups, there are a few potential causes:

1. Role Inheritance from Other Roles: ServiceNow allows roles to inherit from other roles. If a user has a role that is a parent role to other roles, those child roles will appear as inherited even if the user is not part of any group.

2. Group Inheritance: Even though you mentioned the user is not part of any groups, it's worth double-checking that there are no groups indirectly associated with the user. Sometimes, group membership can be overlooked, especially if it's through a less obvious association.

3. Default Roles: Some roles are assigned to new users by default. These roles are typically set up to be automatically granted to all new users and might appear as inherited.

4. Data Inconsistency: There might be a data inconsistency or corruption in the instance that is causing roles to appear as inherited incorrectly.

To delete such entries from the `sys_user_has_role` table, you can create a script to run through all the user records and remove the roles that are marked as inherited but do not have a clear inheritance path. Here's a general idea of how you might script this in ServiceNow:

 

```javascript
// This script is for demonstration purposes only. Please test thoroughly in a sub-production instance before running in production.

var userHasRoleGR = new GlideRecord('sys_user_has_role');
userHasRoleGR.addQuery('inherited', true);
userHasRoleGR.query();

while (userHasRoleGR.next()) {
    // Check whether any other role contains this role.
    // sys_user_role_contains has two reference fields: 'role' (the parent) and 'contains' (the child).
    // Roles granted through a group (sys_group_has_role) are not checked here.
    var roleInheritanceMapGR = new GlideRecord('sys_user_role_contains');
    roleInheritanceMapGR.addQuery('contains', userHasRoleGR.getValue('role'));
    roleInheritanceMapGR.setLimit(1); // one matching row is enough
    roleInheritanceMapGR.query();

    var isInherited = roleInheritanceMapGR.hasNext();

    // If the role is not inherited from another role, delete the record
    if (!isInherited) {
        userHasRoleGR.deleteRecord();
    }
}

// Note: This script does not account for all possible scenarios and should be adapted to fit your specific requirements.
```

 

 

To run this script:

  1. Navigate to System Definition > Scripts - Background
  2. Copy and paste the script into the "Run script" text box.
  3. Click the "Run script" button to execute the script.

Important: Before running any script that deletes data, it is crucial to:

- Understand the script and modify it according to your specific needs.
- Test the script in a non-production environment to ensure it behaves as expected.
- Back up your data or ensure you have a rollback plan in case the script does not work as intended.
- Consider the implications of removing roles from users, as this could impact their access to various parts of the ServiceNow platform.

 

Please mark this response as correct or helpful if it assisted you with your question.
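
Added example (not from any reply in this thread, and not ServiceNow code): a read-only version of the inheritance check discussed above, written in plain JavaScript over constructed rows shaped like `sys_user_has_role`, `sys_user_role_contains`, `sys_user_grmember` and `sys_group_has_role`. It follows role containment transitively and counts group grants, then lists the inherited rows that nothing explains; the user, group and role names are made up, and nested groups are assumed not to be in use.

```javascript
// Constructed rows shaped like the four tables involved; all names are made up.
const sample = {
  userHasRole: [ // sys_user_has_role
    { user: 'user_a', role: 'app_admin', inherited: false },
    { user: 'user_a', role: 'app_user', inherited: true },
    { user: 'user_a', role: 'report_viewer', inherited: true },
    { user: 'user_a', role: 'legacy_role', inherited: true },
    { user: 'user_b', role: 'agent', inherited: true },
    { user: 'user_b', role: 'kb_reader', inherited: true },
  ],
  roleContains: [ // sys_user_role_contains
    { role: 'app_admin', contains: 'app_user' },
    { role: 'app_user', contains: 'report_viewer' },
    { role: 'agent', contains: 'kb_reader' },
  ],
  groupMember: [{ user: 'user_b', group: 'helpdesk' }], // sys_user_grmember
  groupHasRole: [{ group: 'helpdesk', role: 'agent' }], // sys_group_has_role
};

// Every role reachable from the seed roles through "contains" edges (cycle-safe).
function expandRoles(seeds, roleContains) {
  const reached = new Set();
  const stack = [...seeds];
  while (stack.length) {
    const parent = stack.pop();
    for (const edge of roleContains) {
      if (edge.role === parent && !reached.has(edge.contains)) {
        reached.add(edge.contains);
        stack.push(edge.contains);
      }
    }
  }
  return reached;
}

// Inherited rows with no direct role or group membership behind them.
function findUnexplainedInherited(t) {
  const findings = [];
  for (const user of new Set(t.userHasRole.map((r) => r.user))) {
    const rows = t.userHasRole.filter((r) => r.user === user);
    const direct = rows.filter((r) => !r.inherited).map((r) => r.role);
    const groups = t.groupMember.filter((m) => m.user === user).map((m) => m.group);
    const viaGroup = t.groupHasRole.filter((g) => groups.includes(g.group)).map((g) => g.role);
    const explained = expandRoles([...direct, ...viaGroup], t.roleContains);
    viaGroup.forEach((role) => explained.add(role));
    for (const r of rows) {
      if (r.inherited && !explained.has(r.role)) findings.push({ user, role: r.role });
    }
  }
  return findings;
}
console.log(findUnexplainedInherited(sample));
```

Only `legacy_role` for `user_a` is reported: the other inherited rows trace back to a direct role or a group grant, so a cleanup that deleted every inherited row would remove legitimate access.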

Dr Atul G- LNG
Tera Patron

Hi @Community Alums 

 

I agree with @Sandeep Rajput here. As the role count is low, it is easy to check at least for 1 user, and then you can create a report to get all users like this.

*************************************************************************************************************
If my response proves useful, please indicate its helpfulness by selecting "Accept as Solution" and "Helpful." This action benefits both the community and me.

Regards
Dr. Atul G. - Learn N Grow Together
ServiceNow Techno - Functional Trainer
LinkedIn: https://www.linkedin.com/in/dratulgrover
YouTube: https://www.youtube.com/@LearnNGrowTogetherwithAtulG
Topmate: https://topmate.io/atul_grover_lng [ Connect for 1-1 Session]

****************************************************************************************************************