Best Practice for removing inherited roles from groups??

jennif
Giga Contributor

"sys_user_has_role has entries that shouldn't exist"

Years ago, in our early stages of go-live, we configured the itil role to be inherited when a user was granted the it_project_manager role. Recently, we removed the inherited role (itil) from the it_project_manager role; however, the inherited role (itil) remained on the user record, still marked as inherited.

Steps to reproduce:

1. Removed the inherited role from it_project_manager using the slush bucket.


2. We had a group called ServiceNow PPS Project Managers that granted the it_project_manager role. However, when looking at the user record, itil still shows "Granted By" ServiceNow PPS Project Managers.


I found that looking at the role this way, "Included in role" shows the sys_id of the role it was previously nested in.


The quick (and dirty) way to clean these up in our Production environment, which took quite some time after hours, was to remove all roles from the ServiceNow PPS Project Managers group and then re-add them. This corrected the role at the user level, etc.

First question: what is the proper method for removing inherited roles?

Second, is this behavior meant OOB to avoid unexpected role revocation?

I plan to talk to my peer this afternoon about implementing Role Management V2 when we upgrade to Madrid in two weeks; however, we need to look at the impact first, prior to implementing, and based upon how our roles are set up, it may be a hotter mess than anticipated. 😄

Thank you for your feedback and help in advance.


Eric Feron
Moderator

Jennif,


did you get a good answer to this from the Platform Community?


Thanks.

Is there a best practice for removing inherited roles? Will there be issues with upgrades if we decide to do this as a company?

Hi,

Can you give a bit more information?

As for removing inherited roles: once the role is removed from the "main role" it was nested under (which is what made it an inherited role, outside of group inheritance), the role is subsequently removed from the user automatically.

Example:

  • I have roles named: "test.mainrole" and "test.subrole".
  • test.subrole is nested within test.mainrole.
  • I give test.mainrole to User A; User A gains test.mainrole and also test.subrole, with test.subrole listed as "inherited = true".
  • Later, I want to remove test.subrole from being nested within test.mainrole, so I navigate to my instance roles and remove test.subrole from being contained within test.mainrole.
  • The moment I do that, test.subrole is automatically removed from any user who inherited it via test.mainrole.

So, with that said: once the business decision is to remove it and you've reviewed the level of impact (analysis done on the users who have it today via inheritance and the outcome of removing it), you would simply remove it as a nested role of the "role" or "roles" that contain it, and the system will assist from there.

The same outcome applies to groups that have a role which contains other roles, when you wish to remove those nested roles as well. Once it's removed from the main role that contained it, the role is auto-stripped from the group, and thus from the group members as well. All automatically.

Please mark reply as Helpful/Correct, if applicable. Thanks!

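The reply above describes the cascade (un-nest a role from its parent, and the platform strips it from users and groups), and the original post shows what it looks like when sys_user_has_role rows survive that cascade. The following is an added example, not code from this thread or from ServiceNow: an offline Node.js model of the four tables involved that (a) does the impact analysis the reply recommends before un-nesting a role, and (b) finds inherited rows that the current nesting no longer justifies, which is the audit you would run instead of the remove-and-re-add-all-roles workaround. It assumes the ServiceNow table and field names sys_user_role_contains (role, contains), sys_group_has_role (group, role), sys_user_grmember (user, group) and sys_user_has_role (user, role, inherited, granted_by); the rows themselves, including the user abel.tuter and the task_editor nesting, are constructed for illustration. On a real instance you would populate these arrays from GlideRecord queries against those tables rather than literals.

```javascript
// Added example (not from the thread): model ServiceNow role inheritance
// offline. Table and field names are the assumed ServiceNow ones; all
// rows below are constructed sample data, not exported from an instance.

// sys_user_role_contains: parent role -> role it includes (nested/inherited).
const ROLE_CONTAINS = [
  { role: 'it_project_manager', contains: 'itil' }, // the nesting the OP later removed
  { role: 'itil', contains: 'task_editor' },        // assumed second level, for depth
];

// sys_group_has_role: group -> role granted to every member.
const GROUP_HAS_ROLE = [
  { group: 'ServiceNow PPS Project Managers', role: 'it_project_manager' },
];

// sys_user_grmember: user -> group.
const GROUP_MEMBER = [
  { user: 'abel.tuter', group: 'ServiceNow PPS Project Managers' },
];

// sys_user_has_role as recorded on the instance (constructed sample).
const USER_HAS_ROLE = [
  { user: 'abel.tuter', role: 'it_project_manager', inherited: true,  granted_by: 'ServiceNow PPS Project Managers' },
  { user: 'abel.tuter', role: 'itil',               inherited: true,  granted_by: 'ServiceNow PPS Project Managers' },
  { user: 'abel.tuter', role: 'task_editor',        inherited: true,  granted_by: 'ServiceNow PPS Project Managers' },
  { user: 'abel.tuter', role: 'approver_user',      inherited: false, granted_by: '' },
];

const TABLES = {
  roleContains: ROLE_CONTAINS,
  groupHasRole: GROUP_HAS_ROLE,
  groupMember: GROUP_MEMBER,
  userHasRole: USER_HAS_ROLE,
};

// Transitive closure over sys_user_role_contains; the visited set makes
// it safe even if someone has nested roles in a cycle.
function expandRoles(seedRoles, roleContains) {
  const result = new Set();
  const stack = [...seedRoles];
  while (stack.length) {
    const r = stack.pop();
    if (result.has(r)) continue;
    result.add(r);
    for (const row of roleContains) {
      if (row.role === r) stack.push(row.contains);
    }
  }
  return result;
}

// Roles a user should hold right now: directly assigned rows
// (inherited=false) plus every role of every group they belong to,
// all expanded through the current nesting.
function effectiveRoles(user, t) {
  const seeds = [];
  for (const row of t.userHasRole) {
    if (row.user === user && !row.inherited) seeds.push(row.role);
  }
  for (const m of t.groupMember) {
    if (m.user !== user) continue;
    for (const g of t.groupHasRole) {
      if (g.group === m.group) seeds.push(g.role);
    }
  }
  return expandRoles(seeds, t.roleContains);
}

// sys_user_has_role rows marked inherited whose role is no longer
// reachable from anything the user is actually granted: the rows the
// OP found still present after un-nesting itil.
function findStaleInherited(t) {
  const users = new Set(t.userHasRole.map((r) => r.user));
  const stale = [];
  for (const user of users) {
    const expected = effectiveRoles(user, t);
    for (const row of t.userHasRole) {
      if (row.user === user && row.inherited && !expected.has(row.role)) {
        stale.push({ user, role: row.role, granted_by: row.granted_by });
      }
    }
  }
  return stale;
}

// Impact analysis before un-nesting childRole from parentRole: which
// users lose which roles (including deeper nested ones) once the
// contains row is gone. Returns the post-change tables too, so the
// stale-row check can be re-run against them.
function removalImpact(t, parentRole, childRole) {
  const after = {
    ...t,
    roleContains: t.roleContains.filter(
      (r) => !(r.role === parentRole && r.contains === childRole)),
  };
  const users = new Set([
    ...t.userHasRole.map((r) => r.user),
    ...t.groupMember.map((m) => m.user),
  ]);
  const impact = {};
  for (const user of users) {
    const before = effectiveRoles(user, t);
    const remaining = effectiveRoles(user, after);
    const lost = [...before].filter((r) => !remaining.has(r)).sort();
    if (lost.length) impact[user] = lost;
  }
  return { after, impact };
}

// Usage: audit first, then preview the un-nesting, then audit again to
// see which recorded rows would be orphaned if the cascade did not run.
console.log('stale rows before the change:', findStaleInherited(TABLES));
const { after, impact } = removalImpact(TABLES, 'it_project_manager', 'itil');
console.log('users affected by un-nesting itil:', impact);
console.log('rows left behind if the cascade fails:', findStaleInherited(after));
```

Two things the model makes visible that the slush bucket does not: un-nesting itil also removes everything nested below itil (task_editor here), so the impact list is the transitive set, not just the one role you clicked; and the stale-row check is the targeted fix for the OP's symptom, since deleting only the rows it reports is a much smaller change than stripping and re-adding every role on the group.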

All,

I'm glad that Eric bumped this back up, because I just ran into this... again.


One big tip: make sure you are on Contextual Security Role Management V2 (or whatever the current version is when you read this). That will speed things up.