Email Properties - help with incoming

Rob Sestito
Mega Sage

Hello SN Comm,

Looking to get a little help with incoming emails to the system, when the user is set to Inactive.

When an employee becomes termed, their SN account is set to Locked out and Active = false, per our integration with Workday. If there is a user that is termed, and their current email is connected to their account in SN, and they email into the system, their email is ignored.

I have to manually set their user account to active, while still locked out, and reprocess their email. When I do, the email is then moved from the Junk inbox to the Received inbox. Then it is processed.

We have heard that some of the "alumni" type of roles can help with this. However, that is not becoming true as this has been tested.

Does anyone know if there is a system property when it comes to a situation like this, that can be adjusted? If the incoming email matches a user account, but their account is Active = false, we still want their email to process correctly.

If there is no email matching to an account, then the Guest account takes it from there. So that is fine - but we need some help in figuring out what we can do about emails matching accounts to users that are inactive. We don't want to go around and keep everyone that has been termed, active.

Any help is appreciated!

Cheers,

-Rob

1 ACCEPTED SOLUTION

Michael Jones
Giga Sage

There isn't a system property, attribute or role that would bypass this particular core functionality that I have ever found. Generally the proposed "solutions" are: 

1) Use Locked Out instead of inactive - as you've discovered, with the correct property, inbound actions for a locked user will process. It sounds like this one is not really an option for you.

2) Remove the e-mail address of inactive users - this could be done via a business rule when the inactive flag is set. I typically suggest moving the value to a custom field if you want to keep it. 

3) Similar to #2, you modify the e-mail address when the inactive flag is set, such as by prepending DISABLED_ to the value. That way it is still present, and human readable. 

With both #2 and #3 you are taking advantage of what you already mentioned - by ensuring there is no match on the e-mail address, the guest user is used to process the request.

Unfortunately these are the only work-arounds that I've seen. 

If this was helpful or correct, please be kind and remember to click appropriately! Michael Jones - Proud member of the CloudPires team!

I hope this helps!
Michael D. Jones
Proud member of the GlideFast Consulting Team!
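
Workaround #3 from the answer above, sketched as business-rule logic. This is an added example, not code from the thread or from ServiceNow: it assumes a "before" business rule on sys_user, the function names are hypothetical, and `fakeUser` is a constructed stand-in for the record so the logic can be run outside an instance.

```javascript
// Added example, not from the thread: workaround #3 as business-rule logic.
var PREFIX = 'DISABLED_'; // prefix suggested in the answer

// Returns the email value a user record should hold for its active state.
function emailForState(email, isActive) {
  var value = String(email || '').trim();
  if (!value) { return value; }                         // nothing to mask
  var masked = value.toUpperCase().indexOf(PREFIX) === 0;
  if (!isActive && !masked) { return PREFIX + value; }  // deactivated: break the match
  if (isActive && masked) { return value.slice(PREFIX.length); } // reactivated: restore
  return value;                                         // already correct, no double prefix
}

// Assumed wiring: body of a "before" insert/update business rule on sys_user.
// Only getValue/setValue are used, which GlideRecord provides.
function executeRule(current) {
  var raw = String(current.getValue('active'));
  var isActive = raw === '1' || raw === 'true';
  var before = current.getValue('email') || '';
  var after = emailForState(before, isActive);
  if (after !== before) { current.setValue('email', after); }
  return after;
}

// Constructed stand-in for a sys_user record so the logic runs outside an instance.
function fakeUser(fields) {
  return {
    getValue: function (name) { return fields.hasOwnProperty(name) ? fields[name] : null; },
    setValue: function (name, value) { fields[name] = value; }
  };
}

var termed = fakeUser({ active: '0', email: 'jane.doe@example.com' }); // constructed sample
executeRule(termed);
executeRule(termed); // a repeated integration update must not stack prefixes
```

With the address masked, the sender no longer matches the inactive account, so the Guest user processes the email as described in the answer; reactivating the account restores the original address.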


8 REPLIES

Pete R1
Kilo Guru

Hi, it seems like ServiceNow allows you to let locked out users run inbound email processes, but not inactive.

https://docs.servicenow.com/bundle/newyork-servicenow-platform/page/administer/notification/referenc...

I'd assume this is usually a non-issue due to the fact that terminated employees lose access to company email accounts, is this not true in your org? Do they get some sort of grace period?

Something you can try doing is changing your transform map to mark users "locked out" instead of inactive when they're termed in Workday. Then use the property mentioned in the document I linked above to allow their emails to be processed.

You can then follow up with a job that will eventually mark them active=false based on how long they've been locked out.

Hey Pete,

Within our org, we have maybe a 3rd of our population as a "networked" employee. These are the employees that will get an email within our organization - all others will use personal. But we also tie personal emails to the HR profiles for users that have stored one onto their WD profile. And our inbound action matches against personal if no match against primary works.

So, if they have their personal email account linked to their workday account. Per integration, as you know, their email account in SN will be updated to that email.

Those are the ones we face this issue with. We have also thought about keeping the termed employees active and locked out. But since we pay per active account for licensing, that does not work. Otherwise, we would have over 61k active users.

We were told a little while back, that the alumni role could be applied to inactive users, and they would be able to have their emails processed while under that role. But, we found that not to be true, and I am waiting for our SN account team to get back to us on why it is not working as we were told.

I see the suggested link you provided, however that also lets in emails from untrusted domains. Not sure I want to go down that road.

Thanks,

-Rob

Oh, I see. I forgot about the personal email account match in the baseline inbound actions. You can try adding an active query in the gliderecord that runs against the HR Profile table. That way it's only trying to find an active match for the personal email address. If they're inactive, it won't find a match and it will continue as guest.

 

I wonder if @Kiel Sanders or @michaelj.sheridan can let us know why the "alumni" role wouldn't be an exception to the "no inbound processing on inactive users" rule? Thanks guys!

Thanks Pete!

I actually reached out to Kiel offline as he is part of our account managing team from SN.

I am awaiting his response about the roles.

 

Thanks again!

-Rob