User is not part of any group but still has the roles

01-10-2024 06:22 AM
Hello There,
Greetings!!!
I have come across a scenario where a user is not part of any of the groups but still has the roles, and they show inherited as true:
I checked sys_user_has_role > role inheritance map; it does not show any mapping.
How to delete all such entries from sys_user_has_role table for all the users like above user?
What causes this?
Thanks,
Tejas

01-10-2024 06:28 AM
@Community Alums This is happening due to role inheritance. Some of the roles which contain other roles might have been directly assigned to the user, and hence the inheritance is true without the user being a part of the group.
01-10-2024 06:33 AM
Hi,
Please check the roles field in the user table to see whether he has roles or not, then remove them from there.
01-10-2024 06:34 AM - edited 01-10-2024 06:36 AM
Hi @Community Alums
In ServiceNow, roles can be inherited in several ways, and if you're seeing roles marked as inherited (`inherited = true`) in the `sys_user_has_role` table for users who are not part of any groups, there are a few potential causes:
1. Role Inheritance from Other Roles: ServiceNow allows roles to inherit from other roles. If a user has a role that is a parent role to other roles, those child roles will appear as inherited even if the user is not part of any group.
2. Group Inheritance: Even though you mentioned the user is not part of any groups, it's worth double-checking that there are no groups indirectly associated with the user. Sometimes, group membership can be overlooked, especially if it's through a less obvious association.
3. Default Roles: Some roles are assigned to new users by default. These roles are typically set up to be automatically granted to all new users and might appear as inherited.
4. Data Inconsistency: There might be a data inconsistency or corruption in the instance that is causing roles to appear as inherited incorrectly.
To delete such entries from the `sys_user_has_role` table, you can create a script to run through all the user records and remove the roles that are marked as inherited but do not have a clear inheritance path. Here's a general idea of how you might script this in ServiceNow:
```javascript
// This script is for demonstration purposes only. Please test thoroughly in a sub-production instance before running in production.
var userHasRoleGR = new GlideRecord('sys_user_has_role');
userHasRoleGR.addQuery('inherited', true);
userHasRoleGR.query();
while (userHasRoleGR.next()) {
    // Check whether any other role contains this role.
    // sys_user_role_contains has two reference fields: role (the parent) and contains (the child).
    // Group membership is not checked here.
    var roleInheritanceMapGR = new GlideRecord('sys_user_role_contains');
    roleInheritanceMapGR.addQuery('contains', userHasRoleGR.getValue('role'));
    roleInheritanceMapGR.setLimit(1);
    roleInheritanceMapGR.query();
    var isInherited = roleInheritanceMapGR.hasNext();
    // If the role is not inherited from another role, delete the record
    if (!isInherited) {
        userHasRoleGR.deleteRecord();
    }
}
// Note: This script does not account for all possible scenarios and should be adapted to fit your specific requirements.
```
To run this script:
- Navigate to System Definition > Scripts - Background
- Copy and paste the script into the "Run script" text box.
- Click the "Run script" button to execute the script.
Important: Before running any script that deletes data, it is crucial to:
- Understand the script and modify it according to your specific needs.
- Test the script in a non-production environment to ensure it behaves as expected.
- Back up your data or ensure you have a rollback plan in case the script does not work as intended.
- Consider the implications of removing roles from users, as this could impact their access to various parts of the ServiceNow platform.
Please mark this response as correct or helpful if it assisted you with your question.
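
An added example, not part of the reply above and not ServiceNow code: an offline plain-JavaScript model of a read-only audit that lists inherited `sys_user_has_role` rows with no explainable source instead of deleting them. It goes beyond the posted script by following role containment transitively and by counting roles granted through group membership. All rows and role names are constructed, and parent-group nesting is not modelled.

```javascript
// Constructed sample rows; field names mirror the instance tables named in comments.
const SAMPLE = {
  userHasRole: [                     // sys_user_has_role
    { user: 'alice', role: 'parent_role', inherited: false },
    { user: 'alice', role: 'grandchild_role', inherited: true },  // parent -> child -> grandchild
    { user: 'alice', role: 'stray_role', inherited: true },       // no source
    { user: 'bob', role: 'group_role', inherited: true },         // granted through a group
    { user: 'carol', role: 'stray_role', inherited: true },       // no source
  ],
  roleContains: [                    // sys_user_role_contains
    { role: 'parent_role', contains: 'child_role' },
    { role: 'child_role', contains: 'grandchild_role' },
  ],
  groupMembers: [{ user: 'bob', group: 'demo_group' }],           // sys_user_grmember
  groupHasRole: [{ group: 'demo_group', role: 'group_role' }],    // sys_group_has_role
};

// Every role reachable from the seed roles through containment (seeds included).
function expandRoles(seedRoles, roleContains) {
  const seen = new Set(seedRoles);
  const queue = [...seedRoles];
  while (queue.length) {
    const current = queue.pop();
    for (const link of roleContains) {
      if (link.role === current && !seen.has(link.contains)) {
        seen.add(link.contains);
        queue.push(link.contains);
      }
    }
  }
  return seen;
}

// Returns "user:role" for each inherited row that neither a direct grant
// nor a group grant (plus containment) can account for.
function findOrphanedInherited(t) {
  const orphans = [];
  for (const user of new Set(t.userHasRole.map((r) => r.user))) {
    const rows = t.userHasRole.filter((r) => r.user === user);
    const direct = rows.filter((r) => !r.inherited).map((r) => r.role);
    const groups = t.groupMembers.filter((m) => m.user === user).map((m) => m.group);
    const viaGroup = t.groupHasRole.filter((g) => groups.includes(g.group)).map((g) => g.role);
    const explained = expandRoles([...direct, ...viaGroup], t.roleContains);
    for (const r of rows) {
      if (r.inherited && !explained.has(r.role)) orphans.push(`${r.user}:${r.role}`);
    }
  }
  return orphans;
}
```

Reviewing the reported list before any delete keeps roles that do have a legitimate source from being removed.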
01-10-2024 07:04 AM
Hi @Community Alums
I agree with @Sandeep Rajput here. As the role count is low, it is easy to check at least for 1 user, and then you can create a report to get all users like this.
If my response proves useful, please indicate its helpfulness by selecting "Accept as Solution" and "Helpful." This action benefits both the community and me.
Regards
Dr. Atul G. - Learn N Grow Together
ServiceNow Techno - Functional Trainer
LinkedIn: https://www.linkedin.com/in/dratulgrover
YouTube: https://www.youtube.com/@LearnNGrowTogetherwithAtulG
Topmate: https://topmate.io/atul_grover_lng [ Connect for 1-1 Session]