User is not part of any group but still has the roles

Community Alums
Not applicable

Hello There,

Greetings!!!

I have come across a scenario where a user is not part of any of the groups but still has the roles, and they show inherited as true:


I checked sys_user_has_role > role inheritance map; it does not show any mapping.

How to delete all such entries from the sys_user_has_role table for all the users like the above user?

What causes this?

Thanks,

Tejas


What would the report conditions be to show all the users like this (inherited role set even though they don't belong to any groups and don't have any roles manually set)?

thanks

TheKatherine

CCooperTech
Tera Contributor

We have just found a similar/same issue, a user has 61 roles, none of which were directly assigned to her, all of which have an inheritance count / inherited True.

Trying to edit the user roles shows no removable roles.

The group membership is empty.

No Roles are auto assigned as default to any of our users.

When looking at the role inheritance map there is no route to other roles or groups (picture attached)

Luke43
Tera Contributor

I just recently encountered this after noticing we had several users with roles that they shouldn't have. I'm assuming a background script or update removed an entry from the sys_user_role_contains table. Either way, I wanted a way to find how to identify if this existed for any other role that was inherited, but no longer was actually 'inherited'.

So this below script will loop through all inherited roles, check any conditions where the role is contained by another role, check if the user also has that role (inheritance), and if the role is not granted this way, proceed to check where this inheritance is applied through a group, and then check to see if the user in question is a member of that group.

Finally, at the bottom: right now it just prints the results and you can get the output through script execution history so you can investigate, or if you want it to just remove it, uncomment the delete parts in line 39 and 40.

// Query all user permissions that are inherited
var gr = new GlideRecord('sys_user_has_role');
gr.addQuery('inherited', true);
gr.setLimit(100); // Use to test, remove once you have verified it works.
gr.query();

while (gr.next()) {
    // Check if the role is inherited from another role (sys_user_role_contains: parent role -> contained role)
    var gr2 = new GlideRecord('sys_user_role_contains');
    gr2.addQuery('contains', gr.getValue('role'));
    gr2.query();
    var isInherited = false;
    while (gr2.next()) {
        // Check if the user also has the containing role, to validate proper inheritance for the applied role.
        var gr3 = new GlideRecord('sys_user_has_role');
        gr3.addQuery('user', gr.getValue('user'));
        gr3.addQuery('role', gr2.getValue('role'));
        gr3.query();
        if (gr3.next()) {
            isInherited = true;
        }
    }
    if (isInherited === false) { // Not explained by a containing role: look for a group that grants it
        var gr4 = new GlideRecord('sys_group_has_role');
        gr4.addQuery('role', gr.getValue('role'));
        gr4.query();
        while (gr4.next()) {
            var gr5 = new GlideRecord('sys_user_grmember'); // Is the user a member of that group?
            gr5.addQuery('user', gr.getValue('user'));
            gr5.addQuery('group', gr4.getValue('group'));
            gr5.query();
            if (gr5.next()) {
                isInherited = true;
            }
        }
    }
    if (isInherited === false) {
        gs.print('User: ' + gr.user.name + ' has orphaned inheritance to ' + gr.role.name);
        //gr.inherited=false;
        //gr.deleteRecord();
    } else {
        gs.print('User: ' + gr.user.name + ' has proper inheritance to ' + gr.role.name);
    }
}
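The check the script above performs, re-expressed as plain JavaScript over in-memory copies of the four tables so it can be run offline (an added example, not code from this thread or from ServiceNow). It goes one step further than the script: a containing role only explains an inherited role if that containing role is itself justified, so a whole orphaned chain is reported rather than just its leaf. All table rows, user, group and role names are constructed sample data.

```javascript
// Constructed sample rows mirroring the four ServiceNow tables the script queries.
const tables = {
  sys_user_has_role: [
    { user: 'alice', role: 'itil', inherited: true },        // via service_desk group
    { user: 'alice', role: 'task_editor', inherited: true }, // via itil containing task_editor
    { user: 'bob', role: 'itil', inherited: true },          // no group, no parent: orphan
    { user: 'bob', role: 'task_editor', inherited: true },   // parent itil is itself orphaned
    { user: 'carol', role: 'approver_user', inherited: false }, // directly assigned
  ],
  sys_user_role_contains: [{ role: 'itil', contains: 'task_editor' }],
  sys_group_has_role: [{ group: 'service_desk', role: 'itil' }],
  sys_user_grmember: [{ user: 'alice', group: 'service_desk' }],
};

// True when the user's holding of `role` is backed by a real grant path:
// directly assigned, granted through a group the user belongs to, or
// contained by a role the user holds that is itself justified.
function isJustified(t, user, role, visiting = new Set()) {
  const held = t.sys_user_has_role.find((r) => r.user === user && r.role === role);
  if (!held) return false;
  if (!held.inherited) return true; // directly assigned, nothing to justify
  const groups = t.sys_user_grmember.filter((m) => m.user === user).map((m) => m.group);
  if (t.sys_group_has_role.some((g) => g.role === role && groups.includes(g.group))) {
    return true; // group membership grants it
  }
  if (visiting.has(role)) return false; // guard against containment cycles
  visiting.add(role);
  return t.sys_user_role_contains
    .filter((rc) => rc.contains === role)
    .some((rc) => isJustified(t, user, rc.role, visiting));
}

// Equivalent of the script's report loop: every inherited row with no grant path.
function findOrphanedInheritance(t) {
  return t.sys_user_has_role
    .filter((r) => r.inherited && !isJustified(t, r.user, r.role))
    .map((r) => `${r.user}:${r.role}`);
}

console.log(findOrphanedInheritance(tables)); // ["bob:itil", "bob:task_editor"]
```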

Jason Siegrist
Giga Guru

The ACLs do not let you delete the orphaned Roles ... how did you fix this?

Bert_c1
Kilo Patron

Re-activating the 'Contextual Security: Role Management V2' plugin. A script there runs that should clean up those roles. A Support Case may be needed, as a TSE with the 'maint' role can run that script in a 'dry-run' mode for you to review, and then, upon approval, they can run it via a change request in an affected instance.