inactive user == completely locked out? (Inactive vs Locked Out)

geoffluk · ‎02-28-2018

I am a bit of a dunce on this topic, so please bare with me.

Lately we've been having an issue where users who have been marked as Inactive are unable to contact our service desk at all.

From all of the reading I have done, I have gathered the following:

An active user is completely inaccessible in the system - cannot login, cannot access service portal, and cannot send emails into the platform (provided that SN can match the email address to an existing user who is Inactive).

A locked out user usually cannot email into SN, but by changing the sys_property "glide.pop3.process_locked_out" to "true", so a person who has been locked out can at least still email in.

What I am not fully clear about is what is the actual difference between an inactive user and a locked out user? Just the license count? If glide.pop3.process_locked_out is set to false, then at least for contact purposes an inactive user and a locked out user are similar - they cannot login, they cannot access the service portal (or CMS), and they cannot send emails into ServiceNow for processing.

When would it be more appropriate to set one over the other?

Active = true, Locked Out = true

vs

Active = false, Locked Out = true

Thanks!

Michael Fry1 · ‎02-28-2018

There is an out of the box business rule that controls all of that for you. The rule is named Lock Out Inactive Users.

Whenever active changes to false, the rule sets Locked out to true. So if Active is False, Locked Out will be true.

geoffluk · ‎03-01-2018

We already disabled that Business Rule, so that inactive users aren't automatically locked out. As a safety measure we've also set the glide property glide.pop3.process_locked_out to "true" so that even if a user is locked out they can at least email into the service desk.

But what I was really wondering is if it is better to set users as inactive versus locking them out? Or when would it be better to have one situation over other? i.e. when is it better to set user to inactive, versus active but locked out?

Michael Fry1 · ‎03-01-2018

If a User is locked out - they can't login. They could, with the property change, still send emails.

If a User is inactive, they don't show in choice lists. Most choices, like Caller on the incident table, don't show inactive users so you can't open a ticket for someone that's inactive.

Typically a user changes to inactive when they leave the organization and as such are then locked out so they can't login. By disabling the business rule, are you trying to allow inactive users the ability to still login? Seems like something not worth messing with.