What happens to scripts when "Run As" user is Inactive or Locked Out? Seeking Best Practices

saint
Tera Expert

Hi Experts,

 

I've observed a recurring issue where scripts or flows configured to run under a specific user account begin to fail once that user becomes inactive or is locked out of ServiceNow. These failures typically occur silently unless error handling has been explicitly built to catch such conditions.

I'm trying to understand what happens in the backend when this occurs. Specifically:

  • What mechanisms cause the script to fail when the user is inactive?
  • Are there any logs or indicators that can help identify these failures?
  • What are the best practices to prevent or mitigate the impact of such scenarios?

Additionally, I’d appreciate any guidance on how to assess the potential impact of these failures and ensure it's kept to a minimum.

@Mark Manders @Ankur Bawiskar 

Thanks in advance for your insights!

2 ACCEPTED SOLUTIONS

Nikhil Bajaj9
Giga Sage

As per my understanding - When a "Run As" user for a scheduled job or script is inactive or locked out in ServiceNow, the script will fail to execute. This is because the system cannot authenticate the user to run the script. The specific behavior may vary based on the script type and platform. Best Practices:- 

  1. Always ensure the "Run As" user is active and has the necessary permissions to execute the script. 
  2. Create a specific user account for running scripts and scheduled jobs. This account should have the minimum necessary roles and permissions and should be regularly monitored for activity and security. 
  3. Scripts should include error handling to gracefully manage situations where the "Run As" user is inactive or locked out. This might involve logging the error, sending a notification, or attempting an alternative action.
  4. Leave Run as  - blank so that it will be run as - System user.

 

 As you correctly said- it is silent till the time, we realize that job is not running and we ar enot getting the expected output.

 

If my answer helped you, please mark -solution accepted.

 

Regards,

Nikhil Bajaj

Please appreciate my efforts, help and support extended to you by clicking on – “Accept as Solution”; button under my answer. It will motivate me to help others as well.
Regards,
Nikhil Bajaj

View solution in original post

Ankur Bawiskar
Tera Patron
Tera Patron

@saint 

Flows can either run as "System User" or "User who initiated the session"

If it's "System User" then we need not worry.

Few practices we can follow

-> wherever possible use System User in flow

-> periodically review the flows

-> maintain a document of each flow and it's config so that it becomes easier to track, maintain, debug in future

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

View solution in original post

5 REPLIES 5

Bhuvan
Tera Sage

@saint 

 

It is recommended to run flows using 'system user' rather than 'User who initiated the session'. You can find more information on this in below post,

 

https://www.servicenow.com/community/servicenow-ai-platform-forum/run-as-property-in-flow-designer/m...

 

Best option is to use error handling and whenever there is a failure of flow execution, you can send a Email or SMS or Teams notification based on the integrations you have setup in your environment and any associated license costs.

 

https://www.servicenow.com/docs/bundle/yokohama-build-workflows/page/administer/flow-designer/concep...

 

There could be an exception scenario where flow might fail when run as 'system user' but it runs fine with 'User who initiated the session'. You can use below KA to resolve any issues,

 

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0856507

 

Thanks,

Bhuvan