Best Practice for removing inherited roles from groups??

‎06-11-2019 06:32 AM
"sys_user_has_role has entries that shouldn't exist"
Years ago, in our early stages of go-live, we had configured the itil role to be inherited when a user was granted the it_project_manager role. Recently, we removed the inherited role (itil) from the it_project_manager role; however, the inherited role (itil) remained on the user record as still being inherited.
Steps to reproduce:
1. Removed inherited role from it_project_manager by using the slush bucket.
2. We had a group called ServiceNow PPS Project Managers that granted the it_project_manager role. However, when looking at the user record, itil is still showing "Granted By" the ServiceNow PPS Project Managers.
I found that looking at the role this way, "Included in role" shows the sys_id of the role it was previously nested in.
The quick (and dirty) way to clean these up in our Production environment, which took quite some time after hours, was to remove all roles from the ServiceNow PPS Project Managers group and then re-add them. This corrected the role at the user level, etc.
First question is, what is the proper method for removing inherited roles?
Second, is this behavior meant OOB to avoid unexpected role revocation?
I plan to talk to my peer this afternoon on implementing Role Management V2 when we upgrade to Madrid in two weeks, however we need to look at the impact first prior to implementing and based upon how our roles are set up, it may be a hotter mess than anticipated. 😄
Thank you for your feedback and help in advance.
Labels: Best Practices
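The situation the post describes is a consistency problem between tables: sys_user_has_role still carries a row flagged inherited, with included_in_role pointing at it_project_manager, even though sys_user_role_contains no longer has that parent/child pair. The script below is an added example (not code from the thread or from ServiceNow) that recomputes the inherited grants a user should have from group membership, the roles granted to those groups and current role containment, then diffs the result against sys_user_has_role to list stale rows. It runs on constructed in-memory snapshots of the tables, uses role and group names in place of sys_ids for readability, and assumes included_in_role records the role that directly contains the inherited role, which matches the one-level nesting in the post.

```javascript
// Added example, not from the thread. Audit sys_user_has_role rows flagged
// inherited against what group membership + group roles + role containment
// currently justify. Table and field names follow the ServiceNow tables
// (sys_user_grmember, sys_group_has_role, sys_user_role_contains,
// sys_user_has_role); all rows below are constructed sample data.

// Roles reachable from `role` through sys_user_role_contains (parent, child),
// as a Map of child role -> role that directly contains it.
// Assumption: included_in_role holds the direct container of the inherited role.
function containedRoles(role, contains) {
  const parentOf = new Map();
  const stack = [role];
  while (stack.length > 0) {
    const current = stack.pop();
    for (const rel of contains) {
      if (rel.parent === current && rel.child !== role && !parentOf.has(rel.child)) {
        parentOf.set(rel.child, current);
        stack.push(rel.child);
      }
    }
  }
  return parentOf;
}

// Identity of one sys_user_has_role row for set membership checks.
function grantKey(row) {
  return [row.user, row.role, row.granted_by, row.inherited ? '1' : '0', row.included_in_role || ''].join('|');
}

// Inherited rows that a consistent sys_user_has_role table would contain,
// derived from current group membership, group role grants and containment.
function expectedInheritedGrants(db) {
  const expected = new Set();
  for (const member of db.sys_user_grmember) {
    for (const grant of db.sys_group_has_role) {
      if (grant.group !== member.group) continue;
      for (const [child, parent] of containedRoles(grant.role, db.sys_user_role_contains)) {
        expected.add(grantKey({ user: member.user, role: child, granted_by: grant.group, inherited: true, included_in_role: parent }));
      }
    }
  }
  return expected;
}

// Rows still flagged inherited that no current group grant + containment explains.
// Directly granted rows (inherited=false) are deliberately left alone.
function findStaleInheritedGrants(db) {
  const expected = expectedInheritedGrants(db);
  return db.sys_user_has_role.filter((row) => row.inherited && !expected.has(grantKey(row)));
}

// Encoded query to confirm one stale row in the sys_user_has_role list view before removing it.
function encodedQueryFor(row) {
  return `user.user_name=${row.user}^role.name=${row.role}^inherited=true^included_in_role.name=${row.included_in_role}`;
}

// Constructed snapshot mirroring the post: itil has already been removed from
// it_project_manager, but jsmith's inherited itil row was left behind.
const PPS = 'ServiceNow PPS Project Managers';
const afterRemoval = {
  sys_user_grmember: [{ user: 'jsmith', group: PPS }, { user: 'amiller', group: 'Service Desk' }],
  sys_group_has_role: [{ group: PPS, role: 'it_project_manager' }, { group: 'Service Desk', role: 'itil' }],
  sys_user_role_contains: [], // the it_project_manager -> itil pair no longer exists
  sys_user_has_role: [
    { user: 'jsmith', role: 'it_project_manager', granted_by: PPS, inherited: false, included_in_role: '' },
    { user: 'jsmith', role: 'itil', granted_by: PPS, inherited: true, included_in_role: 'it_project_manager' },
    { user: 'amiller', role: 'itil', granted_by: 'Service Desk', inherited: false, included_in_role: '' },
  ],
};
// Same tables as they stood before the contained role was removed: nothing is stale.
const beforeRemoval = { ...afterRemoval, sys_user_role_contains: [{ parent: 'it_project_manager', child: 'itil' }] };

for (const row of findStaleInheritedGrants(afterRemoval)) {
  console.log(`stale: ${row.user} / ${row.role} via ${row.included_in_role} (granted by ${row.granted_by})`);
  console.log(`  verify with: ${encodedQueryFor(row)}`);
}
```

Against the constructed snapshot the audit reports exactly one row, jsmith's inherited itil grant, and reports nothing for the pre-removal snapshot; amiller's direct itil grant from the Service Desk group is never touched because only inherited rows are compared. Running this kind of diff before and after a containment change, rather than bulk-removing and re-adding a group's roles, gives a reviewable list of what will be revoked.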
‎06-11-2019 09:44 AM
I'd love to help, but I can't directly. I think you will get more visibility on this issue if you move/ask this question in the NOW Platform community instead of Security Operations.
‎06-11-2019 09:59 AM
I did just do a quick run through by creating a new role, adding a contained role and then adding the new role to a new user. I was able to see the inherited role as expected on the new user. I then removed the inherited role from the new role, refreshed the new user and saw all the inherited roles from the user without any issue.
I have two suspicions:
1. There is a legacy workflow preventing removal of the inherited roles
2. Removing from the 'slush bucket' didn't fire the proper business rules to cleanup the removal properly.
Can you try to use the Role UI to remove the inherited role from the master role and check after?
‎06-12-2019 07:02 AM
Thank you Dan for the feedback -- I'm testing in my personal sandbox and could not duplicate the issue either. I was in our DEV instance trying to figure it out.
My peer was working on this, so I do not know what steps he took to remove the inherited roles. (Slushbucket or delete from list). Definitely something to visit with him.
Question -- happen to know the name of the business rule that triggers?
I did some more testing this morning in our DEV instance and believe I discovered the issue. itil was 'sooooooo inherited' in our environment that I believe the groups all needed to be "refreshed" once the role was removed. Just removing at the role level did not seem to 'update' the group/users.
Thoughts?
‎06-12-2019 03:49 PM
I looked and couldn't find a BR that fires when a delete happens for a contained role. We've reached the breadth of my knowledge in regards to this feature.
I'd go with my earlier suggestion and post this in the platform community, since this is a platform-provided feature.