Unable to remove roles from Users who have inherited them.

tom_hs2
Kilo Contributor

Hi All,

I am a system admin using Istanbul SN. I have some users who have left the business and they consumed fulfiller roles. They were assigned them through association with the group they were placed in. Upon taking them out of that group, it hasn't removed their roles. I then try and remove them manually, but it will not let me. This only seems to happen when the roles are showing as Inherited = true.

I go into the edit section on roles (one user has 22 roles) and absolutely no roles appear to transfer from selected back to available.

Some of the users have no real dependencies, so removing the roles from them would not cause any issues. I do not want to log a customer support call every time I want to do some housekeeping with users who have left the company.

Thanks in advance for your help.

Tom

1 ACCEPTED SOLUTION

aldred
Kilo Expert

I was suffering from the same issue as yourself, a user that despite not being in any groups was still inheriting roles (30 in my case) and was unable to remove them.

 

I was able to work around this as follows:

 

1. Navigate to the "sys_user_has_role" table as already mentioned in this thread.

2. Filter the results down to the username affected.

3. Export the list as an XML file.

4. Using your XML editor of choice, locate the "<inherited>true</inherited>" entry and replace it with "<inherited>false</inherited>".

5. Save the changes and import the XML file back into the sys_user_has_role table.

6. You should now be able to freely delete the roles from the user.

 

I double-checked to ensure that this caused no obvious errors and confirmed that the user was no longer able to access the applications associated with the removed roles.

 

Hope this helps.
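
Step 4 of the workaround above done by script instead of a manual search-and-replace, as an added example that is not part of the original post. The `<unload>` export layout, the sample sys_ids and the names `clear_inherited` and `SAMPLE_EXPORT` are assumptions made for illustration; the script changes only rows belonging to the one user given and reports what it changed.

```python
import xml.etree.ElementTree as ET

# Constructed sample export: sys_ids and names are made up, and the <unload>
# wrapper / field layout is an assumption about what the list export produces.
SAMPLE_EXPORT = """<?xml version="1.0" encoding="UTF-8"?>
<unload unload_date="2017-06-01 09:00:00">
<sys_user_has_role action="INSERT_OR_UPDATE">
<inherited>true</inherited>
<role display_value="itil">a0000000000000000000000000000001</role>
<user display_value="Departed User">c0000000000000000000000000000001</user>
</sys_user_has_role>
<sys_user_has_role action="INSERT_OR_UPDATE">
<inherited>false</inherited>
<role display_value="approver_user">a0000000000000000000000000000002</role>
<user display_value="Departed User">c0000000000000000000000000000001</user>
</sys_user_has_role>
<sys_user_has_role action="INSERT_OR_UPDATE">
<inherited>true</inherited>
<role display_value="admin">a0000000000000000000000000000003</role>
<user display_value="Active Admin">c0000000000000000000000000000002</user>
</sys_user_has_role>
</unload>
"""

def clear_inherited(export_xml, user_sys_id):
    """Flip inherited true -> false for one user's rows only.

    Returns (new_xml, changed_roles, skipped_rows); rows belonging to any
    other user are left untouched and counted, so a bad filter is visible.
    """
    root = ET.fromstring(export_xml.encode("utf-8"))
    changed, skipped = [], 0
    for row in root.iter("sys_user_has_role"):
        user, flag, role = row.find("user"), row.find("inherited"), row.find("role")
        if user is None or (user.text or "").strip() != user_sys_id:
            skipped += 1
            continue
        if flag is not None and (flag.text or "").strip() == "true":
            flag.text = "false"
            changed.append(role.get("display_value") if role is not None else "?")
    return ET.tostring(root, encoding="unicode"), changed, skipped

if __name__ == "__main__":
    new_xml, changed, skipped = clear_inherited(
        SAMPLE_EXPORT, "c0000000000000000000000000000001")
    print("roles unlocked for deletion:", changed)
    print("rows for other users left untouched:", skipped)
```

A non-zero skipped count means the list was not filtered down to the single user before export, so check the filter before importing the result.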


32 REPLIES

Dubz
Mega Sage

Hi Thomas,



You can try deleting them from the sys_user_has_role table directly. Either put sys_user_has_role.list in the application navigator or you can run the below script from a fix script and it should clean them up (comment out the deleteRecord line first to confirm your glide record is returning the right number of records).



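// Run as a fix script. Comment out gr.deleteRecord() first to confirm the count.
deleteRecords();

function deleteRecords() {
    var gr = new GlideRecord('sys_user_has_role');
    gr.addQuery('user', 'insert user sys_id here'); // sys_id of the affected user
    gr.query();

    var deleteCount = 0;

    while (gr.next()) {
        gr.setWorkflow(false); // skip business rules for this delete
        gr.deleteRecord();
        deleteCount++;
    }

    gs.print('records deleted: ' + deleteCount);
}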


tom_hs2
Kilo Contributor

Hi David,



Unfortunately I'm not technical enough to use scripting (not handy, I know). I am currently filling in until the business recruit a technical admin.



I tried the first option, but even from that table it would not let me delete. I haven't tried the scripting as I do not want to cause more damage. I thought there may have been a simpler way for such a general housekeeping task. Do you know why inherited roles cannot be removed?

The issue is, they count towards our license consumption, as I believe ServiceNow do not work on a concurrent license model. So I fear we may get charged when adding new users on, because we can't remove user roles no longer needed or with us.


Slawek_Radziewi
Kilo Sage

Hi

I tried the script and it doesn't work.

When I go to the user record I can still see the roles.

Any other ideas?

 

 

Can you delete them directly from the roles tab on the user form? Tick all the boxes and then select delete from the dropdown box at the bottom of the list. Can't really help any further on this as I can't replicate the issue on my own instance.