on 11-23-2018 05:18 PM
We want the roles we allocate to reflect our active ServiceNow users as closely as possible, because that is what lets us manage our licensing commitment. This can be achieved by automated provisioning and de-provisioning of roles.
This article provides code samples to:
- Use a scheduled job to de-provision the ITIL role from users who haven't logged in for 30 days.
- Use a single sign-on script to provision the ITIL role for users as they log in.
Role de-provisioning
We'll use a scheduled job to de-provision roles. This job checks which users haven't logged in for 30 days and removes the ITIL role from their accounts (only roles granted directly to the user; roles inherited through a group or a containing role are left to their source).
var userrole = new GlideRecord("sys_user_has_role");
userrole.addQuery("role.name", "ITIL");
// "inherited" is a field of sys_user_has_role itself (true when the role comes from a
// group or a containing role), so it is queried directly rather than through "role."
userrole.addQuery("inherited", false);
// Users whose last_login_time is empty (never logged in) do not match "<" and keep the role.
userrole.addQuery("user.last_login_time", "<", gs.daysAgoStart(30));
// deleteMultiple() runs the query itself; no query() call is needed first.
userrole.deleteMultiple();
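As an added example that is not part of the original post, here is a dry-run capable variant of the same scheduled job. It moves the staleness decision into a plain function that can be tested outside the instance, and it also covers users whose last_login_time is empty, which the "<" comparison above never matches. The names DAYS, snTimeToMs, isStale and deprovisionStaleItil are this example's own; it assumes the stock role name itil and that inherited is the mapping record's own flag.

```javascript
// Added example, not from the original post. Names (DAYS, snTimeToMs, isStale,
// deprovisionStaleItil) are this example's own; "itil" is the stock ServiceNow
// role name, and "inherited" is the sys_user_has_role flag that marks roles
// granted through a group or a containing role.
var DAYS = 30;
var MS_PER_DAY = 24 * 60 * 60 * 1000;

// Convert a ServiceNow "YYYY-MM-DD HH:MM:SS" (UTC) value to epoch ms; NaN if empty/invalid.
function snTimeToMs(value) {
  if (!value) return NaN;
  return Date.parse(String(value).replace(' ', 'T') + 'Z');
}

// Pure decision: is this direct role grant stale? A user who has never logged in
// (empty last_login_time) counts as stale only once the account itself is older
// than the window, so a new hire is not stripped before the first login.
function isStale(lastLogin, createdOn, nowMs, days) {
  var cutoff = nowMs - days * MS_PER_DAY;
  var ref = snTimeToMs(lastLogin || createdOn);
  if (isNaN(ref)) return false;          // no usable timestamp: leave the role alone
  return ref < cutoff;
}

// Scheduled job body. With dryRun=true it only logs what would be removed,
// which is the first thing to run after installing the job. Returns the count.
function deprovisionStaleItil(dryRun) {
  var removed = 0;
  var nowMs = new GlideDateTime().getNumericValue();   // epoch ms
  var ur = new GlideRecord('sys_user_has_role');
  ur.addQuery('role.name', 'itil');
  ur.addQuery('inherited', false);   // group/contained grants are left to their source
  ur.query();
  while (ur.next()) {
    var lastLogin = String(ur.user.last_login_time);   // "" when never logged in
    var createdOn = String(ur.user.sys_created_on);
    if (!isStale(lastLogin, createdOn, nowMs, DAYS)) continue;
    removed++;
    gs.info((dryRun ? '[dry-run] would remove' : 'Removing') + ' itil from ' +
            ur.user.user_name + ' (last login: ' + (lastLogin || 'never') + ')');
    if (!dryRun) ur.deleteRecord();
  }
  return removed;
}
```

Run deprovisionStaleItil(true) from a background script first and review the log before scheduling it with dryRun set to false.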
Role provisioning
We're using the Multi-Provider SSO module, so we use a single sign-on script to add the ITIL role to users' accounts when they log in. This particular example wraps the MultiSSO_SAML2_Update1 single sign-on script because we use SAML authentication; however, you can wrap other single sign-on scripts in the same way.
gs.include("MultiSSO_SAML2_Update1");
var MultiSSO_SAML2_MyOrg = Class.create();
MultiSSO_SAML2_MyOrg.prototype = Object.extend(new MultiSSO_SAML2_Update1(), {
    loginUser: function (nameId, eventLogParm2) {
        // Wrap around the typical loginUser process
        var userName = MultiSSO_SAML2_Update1.prototype.loginUser.call(this, nameId, eventLogParm2);
        if (!userName)
            return userName;
        // Note: every user who authenticates through this provider receives the role.
        // Check if the role exists already (directly granted or inherited)
        var userrole = new GlideRecord("sys_user_has_role");
        userrole.addQuery("user.user_name", userName);
        userrole.addQuery("role.name", "ITIL");
        userrole.query();
        if (!userrole.hasNext()) {
            // Provision the role
            this.logDebug("Adding ITIL role to " + userName);
            // get the user sys_id
            var user = new GlideRecord("sys_user");
            user.addQuery("user_name", userName);
            user.query();
            if (user.next()) {
                // add the role on a fresh record rather than reusing the queried one
                var newRole = new GlideRecord("sys_user_has_role");
                newRole.initialize();
                newRole.setValue("user", user.getUniqueValue());
                newRole.setDisplayValue("role", "ITIL");
                newRole.insert();
            }
        }
        return userName;
    }
});
Once you've created the single sign-on script, go to Multi-Provider SSO, Identity Providers, select your identity provider, open Advanced \ Single Sign-On Script, and change it to point to MultiSSO_SAML2_MyOrg.