Role Auditing - Who Removed The Role?

arobertson
Tera Guru

Hi All,

 

Is there a way i can tell who removed a role/group from a user?

 

Regards,

1 ACCEPTED SOLUTION

Brad Tilton
ServiceNow Employee
ServiceNow Employee

Hi Alex,



When you remove a role from a user, you're actually deleting a record on the sys_user_has_role table. Because of this, you can look at the deleted records table for records where the table name is sys_user_has_role. So if I was looking for who removed some admin roles I could search for records on the sys_user_has_role where the payload contains admin and payload contains my user. Whoever created the deleted item record is the person who removed the role.528762705a.png


View solution in original post

3 REPLIES 3

Brad Tilton
ServiceNow Employee
ServiceNow Employee

Hi Alex,



When you remove a role from a user, you're actually deleting a record on the sys_user_has_role table. Because of this, you can look at the deleted records table for records where the table name is sys_user_has_role. So if I was looking for who removed some admin roles I could search for records on the sys_user_has_role where the payload contains admin and payload contains my user. Whoever created the deleted item record is the person who removed the role.528762705a.png


Subhajit1
Giga Guru

Hi Alex,


This should be visible from the Audit History of the Record. Since Roles are held in Relationship tables, you should see them as Audit number =-1 in the list view of the Audit history.



Thanks,


Subhajit


marcguy
ServiceNow Employee
ServiceNow Employee

there's also the Audit Roles (sys_audit_role) table which contains who added/removed a user from a role, when etc.