Automate the adding of users to groups via a request workflow issue

Clinton F
Tera Expert

Hi,

We currently have an automated request to add users to groups. The process is you select the group and the user via the form. When submitted, an approval will be sent to the group manager. Once approved, the user will be added to the group. This has been working for some time now but it has failed.

I think it is because the workflow has to impersonate an account with additional access like an admin. But it has worked in the past.

This is the code we are using. 

var group = current.variables.add_group;
var user = current.variables.add_member.toString();
var array = user.split(",");   // comma-separated list of selected users

var adminUser = gs.getProperty('qbe.admin_account');
var originalUser;

try {
	originalUser = gs.getSession().impersonate(adminUser);   // elevate privileges to add roles

	//gs.addInfoMessage("Selected users are:" + ' ' + user);

	for (var i = 0; i < array.length; i++) {
		var userId = array[i].toString().trim();
		if (!userId) {
			continue;   // skip empty entries produced by the split
		}
		var gr_member = new GlideRecord('sys_user_grmember');
		gr_member.initialize();
		gr_member.group = group;
		gr_member.user = userId;
		gr_member.insert();
	}
} finally {
	// always return to the original session, even if an insert throws
	if (originalUser) {
		gs.getSession().impersonate(originalUser);
	}
}

If anyone knows why this would be, please let me know, or if there is a better way to do this.

Many thanks
Clinton

1 ACCEPTED SOLUTION

Clinton F
Tera Expert

The fix for this was to add a Timer action to the workflow before my script runs. The activity is then added to the event log which runs as the System, which has all the access needed. 

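As an added example (not code from this thread or from ServiceNow), here is a validation step that could run before the insert loop in the question's script: because that script runs elevated, whether by impersonation or as System after the Timer, the submitted request values are all that limits which memberships get created. The function name, the data shapes and the `restricted` flag are assumptions; it takes plain objects so it can be run outside an instance.

```javascript
// Added example: validation step for the group-membership request script.
// Names and data shapes are assumptions for illustration, not ServiceNow APIs.
const SYS_ID = /^[0-9a-f]{32}$/;

// request:  { group, members: "id,id,...", approver }
// groups:   group sys_id -> { manager, restricted }  (restricted is hypothetical)
// existing: group sys_id -> array of current member sys_ids
function planMembership(request, groups, existing) {
  const plan = { inserts: [], rejected: [] };
  const reject = (value, reason) => { plan.rejected.push({ value, reason }); return plan; };
  const groupId = String(request.group || '');
  const group = SYS_ID.test(groupId) ? groups[groupId] : undefined;

  // The script runs elevated, so these checks are the only gate on the target.
  if (!group) return reject(groupId, 'unknown group');
  if (group.restricted) return reject(groupId, 'restricted group');
  if (group.manager !== request.approver) {
    return reject(request.approver, 'approver is not the group manager');
  }

  const seen = new Map((existing[groupId] || []).map(id => [id, 'already a member']));
  for (const raw of String(request.members || '').split(',')) {
    const id = raw.trim().toLowerCase();
    if (id === '') continue;                 // "".split(",") yields [""]
    if (!SYS_ID.test(id)) reject(raw, 'not a sys_id');
    else if (seen.has(id)) reject(id, seen.get(id));
    else { seen.set(id, 'duplicate in request'); plan.inserts.push(id); }
  }
  return plan;
}

// Constructed sample data: every sys_id below is made up.
const G = 'a'.repeat(32), MGR = 'b'.repeat(32);
const U1 = 'c'.repeat(32), U2 = 'd'.repeat(32);
const sampleGroups = { [G]: { manager: MGR, restricted: false } };
const sampleExisting = { [G]: [U2] };
const samplePlan = planMembership(
  { group: G, members: [U1, U2, '', U1, 'not-an-id'].join(','), approver: MGR },
  sampleGroups, sampleExisting);
console.log(JSON.stringify(samplePlan, null, 2));
```

Only the ids in `inserts` would then be written to `sys_user_grmember`; the `rejected` list can go to the request's work notes for the approver to review.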

5 REPLIES

Nikita Kale
Giga Guru

Hi 

I was wondering why the entire impersonation thing was configured in the first place?

Also the property, if it returns any admin user's sysid, please check if any modifications were made to that user's record.

I guess you can comment the impersonating code parts & test if it works. Because other than that the code looks good to me.

 

Please mark the response as helpful/correct, if it answers your question.

Thanks
Nikita

Hi, 

The reason for the impersonate was to have a user with the correct permission to provide access. An account will need user_admin to create roles for the user when the person is added to the group.

Users who use our request will only have itil and in some cases they don't even have access. So the impersonate is to login as a user with access then the correct roles can be applied.

This was working fine but I think maybe ServiceNow have locked this down. 

I'll keep digging.

Jean-Emmanuel 1
Tera Contributor

Hi,

There is a widget widely used in the community which allows a group manager to manage the members of his groups on the portal.

You can download it here: https://developer.servicenow.com/connect.do#!/share/contents/5924274_service_portal_widget_my_manage...


Hope it will be useful for you

Please Mark Correct/helpful if applicable, Thanks!! 

Hi - Yes that is a good option. I have managed to fix my issue but I like this idea. Thank you for posting.