Apply read only role to all users except admins

Alex Saager · ‎10-28-2019

Hi there,

I've activated the read only role in our test and dev instances but wanted to know whats the best way to apply this role to all users except admins.

I've found this script on the doc site to add role to every user, so I now need to edit this to exclude admins...

var gr = new GlideRecord("sys_user");
gr.query(); 
while(gr.next()) { 
   if (gr.accumulated_roles.toString().indexOf(",self_service,") == -1) {
    gr.roles = gr.roles + ",self_service";
    gr.update(); 
  } 
}

Thanks,

Alex

Mark Roethof · ‎10-28-2019

I just tested with below code. Maybe it could be done smarter, but this was the idea I just got.

Note, add a group "Read only" first + attach the snc_read_only role to that group. Copy the sys_id of the Read only group into the script. (0a73bdda37638700a4d212c543990ed4 is my sys_id for the Read only group)

var grUser = new GlideRecord('sys_user');
grUser.addQuery('roles', '!=', 'admin');
grUser.addActiveQuery();
grUser.setLimit(10);
grUser._query();

while(grUser._next()) {
	var grMember = new GlideRecord('sys_user_grmember');
	grMember.initialize();
	grMember.setValue('user', grUser.getUniqueValue());
	grMember.setValue('group', '0a73bdda37638700a4d212c543990ed4');
	grMember.insert();
}

If my answer helped you in any way, please then mark it as helpful.

Kind regards,
Mark

---

LinkedIn
Community article list

Kind regards,

Mark Roethof

Independent ServiceNow Consultant

10x ServiceNow MVP

---

~444 Articles, Blogs, Videos, Podcasts, Share projects - Experiences from the field

View solution in original post

Alex Saager · ‎10-28-2019

Thanks Mark

I will do some testing in my developer instance and let you know how I get on 🙂

Alex

marz84 · ‎01-17-2024

Where would you put this script?

Also, suppose you want to make ALL groups read-only except for 1 admin group. Can we modify the script to apply read-only to all groups except admin?

marz84 · ‎01-18-2024

Hi Mark! What if I want to make ALL groups read-only with the exception of the Admin group. It doesn't seem feasible to put in the sys_id of every group...

Mark Roethof · ‎10-28-2019

The docs page about the snc_read_only role:
https://docs.servicenow.com/bundle/newyork-platform-administration/page/administer/user-administrati...

If my answer helped you in any way, please then mark it as helpful.

Kind regards,
Mark

---

LinkedIn
Community article list

Kind regards,

Mark Roethof

Independent ServiceNow Consultant

10x ServiceNow MVP

---

~444 Articles, Blogs, Videos, Podcasts, Share projects - Experiences from the field

Mark Roethof · ‎10-28-2019

With below query you could query which users have an admin role. You could use this in an Encoded Query.

var adminSysId = [];

var gr = new GlideRecord('sys_user_has_role');
gr.addQuery('role.name', 'admin');
gr.addQuery('user.active', true);
gr._query();

while(gr._next()) {
	adminSysId.push(gr.user.toString());
}

adminSysId.join(',');

gs.info('sys_idNOT IN' + adminSysId);

So after this script you could use something like:

gr.addEncodedQuery('sys_idNOT IN' + adminSysId);

If testing the query you originally posted, you might want to consider to right te results first to the log, or use a setLimit to test on a small set first. Something like:

gr.setLimit(10);

If my answer helped you in any way, please then mark it as helpful.

Kind regards,
Mark

---

LinkedIn
Community article list

Kind regards,

Mark Roethof

Independent ServiceNow Consultant

10x ServiceNow MVP

---

~444 Articles, Blogs, Videos, Podcasts, Share projects - Experiences from the field