Issue with Role Inheritance Not Working in HR Scoped Clone Cleanup Script

Abc 26
Tera Expert

Hello Experts,

I'm facing an issue with a clone cleanup script written in the HR scope. The script is designed to assign roles to specific user groups post-clone. The roles are being successfully added to the parent group, but the inheritance to child groups is not happening as expected.

However, I’ve noticed that if the script is executed by a user with the sn_hr_core.admin role, the role assignment and inheritance work correctly.

 

Here are a few details:

- The script runs in a scoped HR application.
- It assigns roles using GlideRecord to groups like "HR Admin DEV".
- The role inheritance is inconsistent and appears to be tied to the execution context/permissions.
- The same logic works fine when run manually by an HR admin.

 

 

Has anyone encountered a similar issue where scoped scripts (especially in HR scope) fail to trigger role inheritance unless executed by a user with elevated HR roles?

 

Any guidance on how to ensure inheritance works properly within a scoped clone script would be greatly appreciated!

@Ankur Bawiskar @Ravi Gaurav @AndersBGS 
Thanks in advance.


4 REPLIES

Ankur Bawiskar
Tera Patron

@Abc 26 

It seems only a user with HR Admin is allowed to add that role.

I don't think you can have a post clone cleanup script which would run with the HR admin role.

As an alternative, try to have an HR admin profile and have a scheduled job in the correct scope, and use that user as Run as in the scheduled job.

Try this; I haven't tested this though.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader

@Ankur Bawiskar: I am thinking of trying the below approach:

1. Post Clone Cleanup Script (HR scoped) → just triggers a Scheduled Job.
2. Scheduled Job (also in HR scope) → does the actual role assignment logic.

@Abc 26 

Yes, but please ensure the scheduled job runs as a person with the HR admin role.

Regards,
Ankur

Hi @Ankur Bawiskar ,

I have followed the above approach and roles are not getting mapped to the parent group.

Below is my scheduled script:

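(function executePostCloneActions() {
    // Name of the instance the script is running on after the clone.
    var instance = gs.getProperty('instance_name');

    // Per-instance mapping: group name -> roles that group must hold.
    var groupsRolesMapping = {
        ingkadev: {
            "Group_Admins_DEV": ["sn_hr_core.admin"]
        },
        ingkatest: {
            "Group_Admins_TEST": ["sn_hr_core.admin"]
        },
        ingkauat: {
            "Group_Admins_UAT": ["sn_hr_core.admin"]
        }
    };

    // Only act on instances that have an entry in the mapping.
    if (groupsRolesMapping[instance]) {
        for (var groupName in groupsRolesMapping[instance]) {
            var roles = groupsRolesMapping[instance][groupName];
            assignRolesToGroup(groupName, roles);
        }
    }
})();

function assignRolesToGroup(groupName, roles) {
    // Look up the target group by name.
    var group = new GlideRecord('sys_user_group');
    group.addQuery('name', groupName);
    group.query();

    if (group.next()) {
        roles.forEach(function(roleName) {
            // Look up the role record by name.
            var roleRecord = new GlideRecord('sys_user_role');
            roleRecord.addQuery('name', roleName);
            roleRecord.query();

            if (roleRecord.next()) {
                // Check whether the group already holds this role.
                var groupRole = new GlideRecord('sys_group_has_role');
                groupRole.addQuery('group', group.getUniqueValue());
                groupRole.addQuery('role', roleRecord.getUniqueValue());
                groupRole.query();

                // Only insert when the group does not already hold the role.
                if (!groupRole.next()) {
                    var newGroupRole = new GlideRecord('sys_group_has_role');
                    newGroupRole.initialize();
                    newGroupRole.group = group.getUniqueValue();
                    newGroupRole.role = roleRecord.getUniqueValue();
                    // insert() returns null when the record is not created (for example
                    // when the running user is not allowed to grant the role), so log it.
                    if (!newGroupRole.insert()) {
                        gs.error("Could not add role " + roleName + " to group " + groupName);
                    }
                }
            }
        });
    }

    gs.info("Post Clone Activities completed.");
}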

I am getting the below-mentioned error when I try to execute it in a background script too.

RoleAccessHandler: User abc does not have the role 'sn_esign.config_manager' which is required to grant/remove 'sn_esign.config_manager' under application administration, Resource: 'record/sys_group_has_role/create'
*** Script: Post Clone Activities completed.

Please let me know how to handle the above scenario so that roles are automatically mapped.