Assign roles to groups based on group type

Marissa
Giga Contributor

Dear all,

I have 78 CAB groups, varying from 2 to 20 users per group. I need to assign the Approver role to these people. I have more groups than these, but the only thing that sets them apart is that they all have the type "CAB group". I was hoping I could get ServiceNow to assign the role based on group type, so I do not have to add it to each group individually, and it gets assigned automatically when Service Desk creates a new CAB group.

My requirements are:

- Assign role "approver_user"

- based on group type "Change CAB"

- When group Active = true

How can I best achieve this?

Thank you in advance.

1 ACCEPTED SOLUTION

Martin iTSM
Tera Guru

Hi Marissa,

So you want the group to get the role "approver_user" as soon as it is updated or created with the type "Change CAB", right? (Btw. what about removal of that type 🙂 ... does the approver_user role need to be removed then?)

If so, go for Flow Designer.

Any members of the group should inherit the role due to their membership in that group.

Not fully tested - and might need some refinement (used itil group type etc.) - but it should give you a direction.

Hope this helps.

The flows take a moment to execute - so if your role doesn't appear right after creating the group - reload after a few seconds 😉

Cheers!

Martin

MartinFRU
Mega Expert

Hi Marissa,

better late than never 😛 ... - sorry for the missing screenshot.

Indeed there should be a condition specified in your last screenshot which looks like this:

Since we want to check if there's a record for the current group and the approver_user role (if so we do not need to create it - if not we create it).

----

For the removal of the "CAB Group" type I currently don't have the time to create a full example (sorry for that) - but I would consider using another flow.

It is similar to the previous flow.

Trigger: Group updated (e.g. condition: does not contain "CAB Group")
Lookup Records: check sys_group_has_role for current group and "approval_user" role.
If you find one > delete that record (which removes the relation between the group and that role)

But that's only a rough example.

Also there can be situations where you have multiple records for group and role.
E.g. if the parent group also has that role you will have two role records in the child group. 
One of them should be "granted by" the parent group - you need to think what you want to do in such scenarios. Guess it would be best to only remove the record for the current group ("granted by" should be empty) - although people will still have the "approval_user" role inherited from the parent group.

Hope this helps and is clear enough to understand 🙂

Cheers!

Martin
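
The grant and revoke decisions from the two flows described above, as an added example that is not part of the original posts: a plain-JavaScript model (not ServiceNow API code) of `sys_group_has_role` rows, in which the row shape, the sample groups and the `reconcile` function are assumptions made for illustration. It treats an inactive group as no longer qualifying, as the question requires, and only ever deletes a group's own grant (empty "granted by").

```javascript
// Added illustration: plain-JavaScript model of the grant/revoke decision.
// Rows mimic sys_group_has_role (group, role, granted_by); all data is constructed.
const ROLE = "approver_user";      // role named in the question
const CAB_TYPE = "Change CAB";     // group type named in the question

// A group qualifies only when it is active and carries the CAB type.
function qualifies(group) {
  return group.active === true && group.types.includes(CAB_TYPE);
}

// Returns the rows to create and the rows to delete so that exactly the
// qualifying groups hold a direct (granted_by empty) record for ROLE.
function reconcile(groups, groupRoles) {
  const plan = { create: [], remove: [], stillInherited: [] };
  for (const group of groups) {
    const rows = groupRoles.filter(r => r.group === group.id && r.role === ROLE);
    const direct = rows.filter(r => !r.granted_by);
    const inherited = rows.filter(r => r.granted_by);
    if (qualifies(group)) {
      // Lookup-before-create keeps the flow idempotent: no duplicate rows.
      if (direct.length === 0) plan.create.push({ group: group.id, role: ROLE });
    } else {
      // Delete only the group's own grant, never a row granted by a parent.
      plan.remove.push(...direct);
      // Members keep the role through the parent; flag it for review.
      if (inherited.length > 0) plan.stillInherited.push(group.id);
    }
  }
  return plan;
}

// Constructed sample data.
const groups = [
  { id: "cab-a", active: true,  types: ["Change CAB"] },  // needs grant
  { id: "cab-b", active: true,  types: ["Change CAB"] },  // already granted
  { id: "cab-c", active: false, types: ["Change CAB"] },  // deactivated
  { id: "ops-d", active: true,  types: ["itil"] },        // CAB type removed
];
const groupRoles = [
  { id: 1, group: "cab-b", role: ROLE, granted_by: "" },
  { id: 2, group: "cab-c", role: ROLE, granted_by: "" },
  { id: 3, group: "ops-d", role: ROLE, granted_by: "" },
  { id: 4, group: "ops-d", role: ROLE, granted_by: "parent-x" },
];

const plan = reconcile(groups, groupRoles);
console.log(JSON.stringify(plan, null, 2));
```

Groups listed under `stillInherited` keep the role through a parent group after their own record is removed, so they are worth a manual review.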

Hi Martin,

My bad, you actually had put in the screenshot and I had just overlooked it - I was able to apply the condition and the flow works! Thank you so much for providing the instructions.

Regarding the removal of the role; I figured it doesn't matter much, as when a customer leaves we make the group inactive which should remove the role with this condition. And else all users will be taken out anyway. I shall test around a bit with it.

Thank you so much for the time taken, this will save us a lot of work.

Kind regards,

Marissa