Users are removed from the groups the day after they were assigned??Please guide me on this to fix??

Divya K1 · ‎12-14-2022

Hi All,

We have an issue : "we ran into an issue where itil licenses were being removed the day after they were assigned. For example, I’ve added a person on a Monday and if they didn’t log in within 24 hours the license was removed."

Analysis : I troubleshoot the issue and i found there is one schedule job written and this ran daily 2 am est. Here is the script. Can any one help me how to fix this issue ( we ran into an issue where itil licenses were being removed the day after they were assigned. For example, I’ve added a person on a Monday and if they didn’t log in within 24 hours the license was removed.")

Script :

var excUsers = gs.getProperty('users.excluded.from.password.reset');
var usersGr = new GlideRecord("sys_user");
//usersGr.addEncodedQuery("sys_created_onRELATIVELT@dayofweek@ahead@30^last_loginISEMPTY^ORlast_loginRELATIVELT@dayofweek@ahead@30");
usersGr.addQuery('user_name', 'NOT IN', excUsers);
usersGr.addEncodedQuery("sys_created_onRELATIVELT@dayofweek@ago@60^active=true^last_login_timeRELATIVELT@dayofweek@ago@60^ORlast_login_timeISEMPTY");
usersGr.query();
//gs.log(usersGr.getRowCount());

while(usersGr.next()){
//gs.log('user='+usersGr.user_name);
var user_groupGr = new GlideRecord("sys_user_grmember");
user_groupGr.addQuery("user", usersGr.sys_id);
user_groupGr.query();
//gs.log(user_groupGr.next());
if(user_groupGr.next()){
user_groupGr.deleteMultiple(); // when removing user from groups , the roles are also removed
}

}

Elijah Aromola · ‎12-14-2022

I see, that is because you have "last login time is empty" so if they don't login at all, this is included. I would change your filter to:

sys_created_onRELATIVELT@dayofweek@ago@60^active=true^last_login_timeRELATIVELT@dayofweek@ago@60^last_loginISNOTEMPTY^NQsys_created_onRELATIVELT@dayofweek@ago@60^active=true^last_login_timeISEMPTY^ORDERBYDESClast_login_time

This should find users who:

Created 60 or more days ago
Active is true
Last login time is not empty and is 60 or more days ago

OR

Created 60 or more days ago
Active is true
Last login time is empty

View solution in original post

Elijah Aromola · ‎12-14-2022

That seems like a very short period of time to revoke a license either way. But this is more of a process question, what is the business requesting?

Divya K1 · ‎12-14-2022

Now the business requesting that if any user has itil license provided today and if they didnt login with in 60 days.. users should not remove from groups, roles.

Do i need to modify this condition :

usersGr.addEncodedQuery("sys_created_onRELATIVELT@dayofweek@ago@60^active=true^last_login_timeRELATIVELT@dayofweek@ago@60^ORlast_login_timeISEMPTY");

Please guide me

Elijah Aromola · ‎12-14-2022

The condition in your script is finding users who were created before 60 days ago and haven't signed on in the last 60 days. Is this the expected functionality?

Divya K1 · ‎12-14-2022

Hi Elijah,

Yes, currently this is working but what happening is when we create user and provide itil license to new user on friday. if the script runs 2am ist, with in one day if user wont login, it is removing user from the groups and roles.. so, we need to prevent this?

Elijah Aromola · ‎12-14-2022

I see, that is because you have "last login time is empty" so if they don't login at all, this is included. I would change your filter to:

sys_created_onRELATIVELT@dayofweek@ago@60^active=true^last_login_timeRELATIVELT@dayofweek@ago@60^last_loginISNOTEMPTY^NQsys_created_onRELATIVELT@dayofweek@ago@60^active=true^last_login_timeISEMPTY^ORDERBYDESClast_login_time

This should find users who:

Created 60 or more days ago
Active is true
Last login time is not empty and is 60 or more days ago

OR

Created 60 or more days ago
Active is true
Last login time is empty