Removing Group Memberships for Inactive Users

adamrauh
Kilo Expert

Right now we don't have direct LDAP integration w/ ServiceNow (we're playing w/ some various 3rd party apps to control other aspects in our environment, so are not sure yet from what level we want to control what) - however, I'm wondering if there is any easy script and/or app to quickly deactivate users in ServiceNow AND remove their group memberships. (Maybe via import file of disabled users?)

Recently I saw where a user I had (manually) deactivated is still showing up in various group memberships. While I know he can't actually "do" anything, it still needs to be cleaned up so I was wondering what options are out there.

Thx,

A

9 REPLIES

harikrish_v
Mega Guru

Hi Adam,



There are many ways to do this; for instance, for reference fields, you can simply provide a qualifier as locked_out=false^active=true, so that it doesn't show the inactive users. You can also use a query to delete all the sys_user_grmember records for inactive users. The code will look something like this:

// Select users that are inactive and locked out
var gr = new GlideRecord("sys_user");
gr.addInactiveQuery();
gr.addQuery('locked_out', true);
gr.query();
while (gr.next()) {
  // Look up this user's group membership records
  var grmember = new GlideRecord('sys_user_grmember');
  grmember.addQuery('user', gr.sys_id);
  grmember.query();
  while (grmember.next()) {
    // Delete each membership
    grmember.deleteRecord();
  }
}


I haven't tested this yet, so you might want to do that before actually implementing it. Hope this helps.



Regards,


Hari


Hi Hari:



Thanks for the code sample. I tested it as-is in an LDAP onAfter Transform script, and for some reason the script is running forever. It may have to do with the nested while loops and database queries...

I'm trying to accomplish the same thing as Adam Rauh (remove inactive/disabled users from all ServiceNow groups, some of which grant the itil role).

Edit: I think I need to make this an onComplete script with the current while logic. onAfter runs after each user is transformed, so the while loop would query all users instead of just that particular user. Will post updates...


I would rather add the above code as a business rule. This will take care of both LDAP and normal user deactivation.


Great idea.



Wrote an onBefore business rule on the User table that removes from groups flawlessly, and it works on LDAP transforms as well. I also made another field on the sys_user table called "Group History" (u_grouphistory) that is a String (4000 characters) text box that logs all the groups a user was in just in case people are accidentally disabled.



function onBefore(current, previous) {

/****************************************************************************
Remove Inactivated Users from Groups

This Business Rule removes ServiceNow group memberships when a user record
is made inactive and locked out. This automates the cleanup of existing
ServiceNow groups as well as removes roles (such as 'itil') that are granted
by some groups, freeing up fulfiller licenses to active users.

Type of Script: Business Rule (onBefore)
Location: User Table [sys_user]

David Hoffman
Created 11/24/14. Last modified 11/26/14.
*****************************************************************************/

// http://wiki.servicenow.com/index.php?title=Business_Rules_Best_Practices
// Following Business Rules Best Practices and limiting scope of variables by
// encapsulating this Business Rule script in a function.

// Filter Conditions:
// Active changes to false AND
// Locked out changes to true

RemoveFromGroups();

function RemoveFromGroups() {
    var grMember = new GlideRecord('sys_user_grmember');
    grMember.addQuery('user', current.sys_id);
    grMember.query();

    // For each ServiceNow group, delete the membership.
    while (grMember.next()) {
        grMember.deleteRecord();
        gs.addInfoMessage(gs.getMessage('Removing inactivated user ') + GlideStringUtil.escapeHTML(current.name) + ' from group ' + GlideStringUtil.escapeHTML(grMember.group.getDisplayValue() + '.'));
        // Log group memberships in case the user's group memberships need to be restored.
        current.u_grouphistory = current.u_grouphistory + '\n' + gs.nowDateTime() + '\tRemoved from group ' + grMember.group.getDisplayValue() + '.';
    }
}

}
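
For users who were deactivated before a business rule like the one above existed, a one-time cleanup is still needed. The following is an added example, not code from any poster in this thread: it finds every membership held by an inactive user with a single dot-walked query on sys_user_grmember instead of nested loops, and has a dry-run mode that only reports. The function name cleanInactiveMemberships and the injected GlideRecordCtor parameter are assumptions made so the same logic can be exercised outside an instance.

```javascript
// Added example, not code from the thread.
// GlideRecordCtor (hypothetical parameter): pass GlideRecord in an instance.
// dryRun: when true, nothing is deleted and only the report is returned.
function cleanInactiveMemberships(GlideRecordCtor, dryRun) {
    var report = [];
    var member = new GlideRecordCtor('sys_user_grmember');
    // Dot-walk through the 'user' reference: one query returns every
    // membership whose user is inactive, with no per-user inner query.
    member.addQuery('user.active', false);
    member.query();
    while (member.next()) {
        // Record who and what before deleting, so memberships can be
        // restored if an account was disabled by mistake.
        report.push({
            membership: member.getUniqueValue(),
            userId: member.getValue('user'),
            user: member.user.getDisplayValue(),
            group: member.group.getDisplayValue()
        });
        if (!dryRun) {
            member.deleteRecord();
        }
    }
    return report;
}

// Inside an instance GlideRecord and gs are globals; anywhere else this is skipped.
if (typeof GlideRecord !== 'undefined' && typeof gs !== 'undefined') {
    var stale = cleanInactiveMemberships(GlideRecord, true); // dry run: report only
    gs.info('Memberships held by inactive users: ' + JSON.stringify(stale));
}
```

Review the dry-run report before calling the function with dryRun set to false, since groups that grant roles such as itil are removed along with the rest.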