07-12-2016 09:27 AM
I'm a new ServiceNow admin and have inherited some LDAP integrations whereby population of our sys_user table is basically automated. New on-boarded users into our company automatically have ServiceNow sys_user records created (on a daily basis). Likewise, disabled users in Active Directory automatically cause the correlating ServiceNow user record to be set to "active = false".
I know deletion of records is generally discouraged in ServiceNow, but have found myself deleting a few user records on occasion as I see insert errors on the LDAP transform history screen for newly hired persons.
Here's the scenario:
1. User is in the sys_user table with user_name of 1a63xz3 (for example).
2. User is disabled in A.D., thereby causing the ServiceNow user profile to go "inactive".
3. After 6 months or so, cleanup in A.D. causes that user's A.D. account to be deleted.
4. The same user_name of 1a63xz3 is provisioned to a new on-boarded user in the company.
5. Our LDAP import is unable to insert this new user because of the user_name duplication/conflict.
6. I am forced to determine if I should delete the old user to allow the new user to be created.
I'd rather not continue deleting users (Step 6 above) to allow for the creation of the new user. So far it hasn't been an issue because the old users haven't had any tickets or other important data affiliated with them (we've only been live on ServiceNow for one year), so I could delete them without much recourse.
But I know the day is coming where this scenario will appear and the "old user" has tickets or other important data linkages.
I'm looking for recommendations to allow me to keep the "old users" in the system, but avoid the insert conflict for the "new user".
I've tried renaming the user_name of the old user, such as "1a63xz3-old" but then I started receiving transform errors on that renamed account.
Maybe that's the route for me to go? But there's an additional step I'd need to take to allow my "disabled users" import to not try to re-update those accounts that end with "-old"?
Hoping others have solutions, not involving A.D. cleanup practices or A.D.-induced user_name naming conventions/practices (both outside of my control), to this scenario that would be of assistance...
Thanks!
07-19-2016 06:39 AM
We were able to figure it out internally. Because the out-of-the-box behavior of ServiceNow is to have the "unique" checkbox selected on the user_name field, this was causing our system to not insert the new person who had the same ID as an old inactive person. Because our coalesce is based on GUIDs coming from other sources, we inactivated the "unique" checkbox on the user_name field to solve our issue.
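
A simplified model of the behaviour described in the answer above, added here as an illustration (it is not code from the thread or from ServiceNow): an import that coalesces on a GUID, replayed against a table with and without a uniqueness rule on user_name. The `UserTable` class, the `findActive` helper and the GUID values are hypothetical; only the user_name `1a63xz3` comes from the question.

```javascript
// Simplified model of a user table fed by an import that coalesces on a
// directory GUID. Constructed for illustration; not ServiceNow's import engine.
class UserTable {
  constructor({ uniqueUserName }) {
    this.uniqueUserName = uniqueUserName; // models the "unique" checkbox on user_name
    this.rows = [];
  }

  // Coalesce: a row with the same GUID is updated, otherwise a new row is inserted.
  importRow({ guid, user_name, active }) {
    const match = this.rows.find((r) => r.guid === guid);
    if (match) {
      Object.assign(match, { user_name, active });
      return { action: 'updated', id: match.id };
    }
    // No GUID match means insert, and that is where the uniqueness rule bites.
    if (this.uniqueUserName && this.rows.some((r) => r.user_name === user_name)) {
      return { action: 'error', reason: 'duplicate user_name' };
    }
    const row = { id: this.rows.length + 1, guid, user_name, active };
    this.rows.push(row);
    return { action: 'inserted', id: row.id };
  }

  // Once user_name is not unique, a lookup has to say which record it means:
  // here, the single active one, failing loudly if there is more than one.
  findActive(user_name) {
    const hits = this.rows.filter((r) => r.user_name === user_name && r.active);
    if (hits.length > 1) throw new Error(`ambiguous user_name: ${user_name}`);
    return hits[0] || null;
  }
}

// Constructed sample rows: the departed user, then a new hire given the same ID.
const departed = { guid: 'guid-old-0001', user_name: '1a63xz3', active: false };
const newHire = { guid: 'guid-new-0002', user_name: '1a63xz3', active: true };

function replay(uniqueUserName) {
  const table = new UserTable({ uniqueUserName });
  const results = [departed, newHire].map((row) => table.importRow(row).action);
  return { results, rowCount: table.rows.length, active: table.findActive('1a63xz3') };
}

console.log(replay(true));  // unique on: the new hire's row is rejected
console.log(replay(false)); // unique off: both rows kept, only the new hire is active
```

With the uniqueness rule off, the old record keeps its history under its own GUID, but any script or report that resolves a person by user_name alone now has two candidates and should filter on the active flag or use the GUID.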

07-12-2016 09:31 AM
Hi Ross,
Can you coalesce on something other than user_name when doing the import/transform process? Can you use the email address, employee ID, a combination of both? That way if AD reuses the user_name, you don't run into conflicts. It would be as insignificant as if they both had the same title.
Creating New Transform Maps - ServiceNow Wiki
Using the Coalesce Field - ServiceNow Wiki
01-16-2018 12:46 PM
Hi Chuck,
Would coalesce on the user_name cause a scenario where records being transformed with an empty user_name field prevent that specific record from inserting? For instance, we have a daily SAP integration to update the sys_user table. If there was a user record missing the userid, would the transform skip the insert? I should add that there does not appear to be an onBefore transform script causing this behavior.
Thanks!
Heather
07-14-2016 07:40 AM
I'm afraid I oversimplified how we're pulling data into ServiceNow. Our previous admin was very knowledgeable and able to do quite complex things, but provided no turnover when he left. We're actually pulling it from something called our LDS which is a Business Intelligence-like database that gets its data from A.D., but in the end, the result symptoms are the same as I described where if the user_name of the insert is already in our database (with an inactive user) it won't allow the insert.
For the particular operating company in question, we have 2 LDS data sources (one pulling "disabled users" from LDS and one pulling active users from LDS). There is one daily scheduled load per each source.
The transform map has 39 fields mapped with only one coalesce (as noted below). There are 309 lines of uncommented code in our Transform Map script (to help "sanitize" the data before import into ServiceNow) in addition to 5 active scripts on the Transform Scripts tab.
Our coalesce has been setup to look at the following script:
    // Source Script on LDAP User Transform Map to pull either objectGUID (from AD) or sourceObjectGuid (from LDS)
    // and set answer based on LDAPS data source.
    if (source.u_sourceobjectguid.nil()) { // Means source is a domain controller
        answer = source.u_objectguid; // Use the Object GUID
    } else {
        answer = source.u_sourceobjectguid; // Otherwise use the sourceObjectGuid field from LDS instance
    }
With so many places to look, it makes my head start to spin.

07-14-2016 07:45 AM
Thanks for the clarification(?) details Ross.
I think you're going to need to work with professional services from ServiceNow or one of our partners to sort this out. It's a bit beyond the scope of what we can handle in the community.
Good luck!