Maik Skoddow
Tera Patron


 

Starting with the Quebec release, Subscription Management lets you monitor your user-based subscriptions by leveraging common user groups. Using these groups, you can manage your subscription consumption as part of your normal user management processes without having to manage security and entitlement separately. It is therefore a leading practice to assign roles to a group and add users to that group, so that they inherit the roles from the group. Avoid assigning roles directly to users whenever possible, as you have no control over subscription consumption that way. To make sure that users are not directly assigned roles that consume a license, this article introduces a proactive and a reactive approach.

 

 

        

What are licensable roles?

 

Your ServiceNow instance contains a little-known but all the more exciting table, license_role, which lists all ServiceNow roles with their associated license type.

 


 

After grouping by the column "Role Type", the following types remain:

  • Admin 💲
  • Approver 💲
  • Business Stakeholder 💲
  • Fulfiller 💲
  • Requester 
  • Time Card User 💲

 

Except for the license type "Requester", all others are licensable.

 

 

Proactive approach 

 

Using this knowledge and a small Business Rule, a block can now be established to prevent a role that is not of type "Requester" from being assigned to a user. The script of the following Business Rule also takes into account the fact that roles may in turn contain roles requiring a license:

 

Table: sys_user_has_role
Advanced: true
When: before
Insert: true
Filter Conditions: (shown as a screenshot in the original article)
Script:
(function executeRule(current, previous /*null when async*/) {
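	// Collects strRole plus every role it contains, directly or transitively.
	function _getContainedRoles(strRole, arrRoles) {
		var _arrRoles = arrRoles || [strRole];
		var _grRoles  = new GlideRecord('sys_user_role_contains');

		_grRoles.addQuery('role.name', strRole);
		_grRoles.query();

		while(_grRoles.next()){
			if (!_grRoles.contains.nil()) {
				var _strContainedRole = _grRoles.contains.name.toString();

				// Descend only into roles not seen yet, so a role that is
				// reachable more than once is queried a single time.
				if (_arrRoles.indexOf(_strContainedRole) === -1) {
					_arrRoles.push(_strContainedRole);
					_getContainedRoles(_strContainedRole, _arrRoles);
				}
			}
		}

		return new ArrayUtil().unique(_arrRoles);
	}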


	var _strRoleName   = current.role.getDisplayValue();
	var _strUserName   = current.user.getDisplayValue();
	var _grLicenseRole = new GlideRecord('license_role');
	var _arrAllRoles   = _getContainedRoles(_strRoleName);

	_grLicenseRole.addEncodedQuery(
		'license_role_typeISNOTEMPTY^license_role_type.name!=requester^nameIN' +
		_arrAllRoles.join(',')
	);
	_grLicenseRole.setLimit(1);
	_grLicenseRole.query();

	if (_grLicenseRole.hasNext()) {
		gs.addErrorMessage(
			gs.getMessage(
				'Role "{0}" or one of its contained roles require a license and ' +
				'therefore cannot be assigned to user "{1}" directly. ' +
				'Instead use groups for role assignments.',
				[_strRoleName, _strUserName]
			)
		);
		current.setAbortAction(true);
	}

})(current, previous);

 

 

Now, every attempt to assign a role that is not of type "Requester" results in an abort.
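The containment check that the Business Rule performs, modelled outside the platform as an added example (not part of the original article; it runs in Node.js, not in ServiceNow). The role names, containment edges, license types and function names are constructed for illustration. It also reports the containment path that leads to the licensed role, which the rule's error message does not.

```javascript
// Constructed sample data, not real ServiceNow roles.
// CONTAINS stands in for sys_user_role_contains (role -> contained roles).
const CONTAINS = {
  demo_portal_user: ['demo_reader'],
  demo_reader: [],
  demo_team_lead: ['demo_reporter'],
  demo_reporter: ['demo_agent', 'demo_team_lead'], // cycle back to the parent
  demo_agent: [],
};
// LICENSE_TYPE stands in for license_role (role -> license type id).
// Roles without an entry have no license type, like an empty license_role_type.
const LICENSE_TYPE = {
  demo_portal_user: 'requester',
  demo_reader: 'requester',
  demo_agent: 'fulfiller',
};

// Breadth-first walk over contained roles. The Map doubles as the visited
// set and records, for each role, the role through which it was reached.
function resolveRoles(root, contains) {
  const parent = new Map([[root, null]]);
  const queue = [root];
  for (let i = 0; i < queue.length; i++) {
    for (const child of contains[queue[i]] || []) {
      if (!parent.has(child)) {
        parent.set(child, queue[i]);
        queue.push(child);
      }
    }
  }
  return parent;
}

// Same decision as the rule: block when the role or any contained role has
// a license type that is set and is not "requester".
function checkDirectAssignment(role, contains, licenseType) {
  const parent = resolveRoles(role, contains);
  for (const candidate of parent.keys()) {
    const type = licenseType[candidate];
    if (type && type !== 'requester') {
      const path = [];
      for (let r = candidate; r !== null; r = parent.get(r)) path.unshift(r);
      return { allowed: false, licensedRole: candidate, type, path };
    }
  }
  return { allowed: true, licensedRole: null, type: null, path: [] };
}

console.log(checkDirectAssignment('demo_team_lead', CONTAINS, LICENSE_TYPE));
```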

 

 

Reactive approach

 

As it is possible to import data without running Business Rules, you need an audit option for checking such direct role assignments on a regular basis. For this purpose, an Instance Scan check is the perfect solution.

 

You can create a Table Check with the following properties:

 

Table: sys_user_has_role
Conditions: (shown as a screenshot in the original article)
Advanced: true
Script:
(function (engine) {
	var grLicenseRole = new GlideRecord('license_role');

	grLicenseRole.addQuery('sys_user_role', engine.current.getDisplayValue('role'));
	grLicenseRole.setLimit(1);
	grLicenseRole.query();

	if (grLicenseRole.next()) {
		if (!grLicenseRole.license_role_type.nil() &&
			grLicenseRole.license_role_type.id != 'requester') {
			engine.finding.setCurrentSource(engine.current.user.getRefRecord());
			engine.finding.increment();
		}
	}
})(engine);

 

 

 

Further information

 

Subscription Management

Subscription Management is an application that allows you to manage subscription usage and make decisions on the number of subscriptions needed for your organization. It is critical to understand your subscription usage and adoption of your ServiceNow applications, as well as view your ServiceNow licenses across the organization.

 

Business Rules

A business rule is a server-side script that runs when a record is displayed, inserted, updated, or deleted, or when a table is queried. Use business rules to accomplish tasks like automatically changing values in form fields when certain conditions are met, or to create events for email notifications and script actions.

 

Instance Scans

The Instance Scan feature can help you find potential issues related to security, upgradability, manageability, user experience, and performance. You can use Instance Scans to enforce best practice implementations in your development cycle, release management, pre- and post-upgrades. The Instance Scan application is based on checks and a check is a rule that runs on tables, records, and metadata to detect issues.

Comments
PerV
Kilo Sage

This is great! Personally, I found this new way of managing licenses of subscriptions quite annoying, the previous way with user sets was way easier to maintain.

To decrease some of the manual effort I therefore created a small solution that adds users to certain "Subscription groups" automatically based on key roles. These subscription groups are then added as group to the respective subscription. Whenever a user is assigned a role (through group membership of course) a business rule on sys_user_has_role table checks if we need a group assignment for those roles (I set this up only for Per-user subscriptions) and adds the user to the specified groups. 

The solution needs some additions if a new license is added (create subscription group, add some lines in my script for group id and role id) but in general, it manages all else by itself.

This research that you cover in the article would be a great addition to my solution, thanks for your effort to describe it.

//Per

Sailesh2
Giga Expert

Hey Per,

Would you mind sharing code for the solution you have implemented to automatically add users to the subscription groups? I am working on the same but couldn't finish it.

Thanks

Sailesh

Vasudevarao Tad
Tera Contributor

Hi Maik,
Is it just about managing roles, or do we get other benefits, like licensing cost, if we give roles through groups?

cynlink1
Tera Expert

Hello,

 

For the proactive approach for preventing the assignment of roles directly to users, how do you handle creating a new knowledge base which grants the 'knowledge_manager' role directly to the user listed in the Owner field?

 


 

Version history
Last update:
‎02-03-2023 10:04 PM