Business rule on Sys_user_has_role not working

Jaskaran Walia · ‎07-17-2018

I have a business rule on sys_user_has_role table to perform some actions. This BR is triggering when I grant any role to a user but it is not triggering when a user is added to a group that has a role. In either case, i.e. if you add a role to user or user to a group that has a role, a record is created in sys_user_has_role table but business rule is not behaving as expected.

I see this question has been asked before but not answered. Also, I know records are created in sys_user_grmember table and it has BR Group Member Add that creates record in sys_user_has_role table. However, no matter how a record is created in sys_user_has_role table, BR should trigger.

Jaskaran Walia · ‎07-19-2018

Hi Folks,

ServiceNow team came back with an answer!

Essentially what they said is as part of "Contextual Security Manager" plugin, when a user is added to a group, they insert records in sys_user_has_role table at database level and suppress any BR to run against this table! Weird design but that's what it is.

Reply from HI:

Referring to the Contextual Security Manager documentation: https://docs.servicenow.com/bundle/jakarta-platform-administration/page/administer/roles/reference/r_ContextualSecurity.html?cshalt=yes this plugin prevents duplicate entries with Contextual Security: Role Management V2. This plugin is active on your instance. As per the documentation, roles inherited from other roles are added as individual entries in the User Roles table [sys_user_has_role], potentially causing one role to have duplicate entries. Contextual Security: Role Management V2 eliminates these duplicate entries and prevents future duplicates. Its the same case as adding groups with the same roles containing it, without the plugin, the roles will be added to the sys_user_has_role record of the user and duplicate records will appear. With the plug installed, adding a group that contains roles that is already on the user's role list will not add a duplicate entry in the sys_user_has_role table, instead, the inheritance count is incremented. This plugin is activated on your instance. The description is of this plugin states: "Role Management Enhancements: prevent duplicate entries in sys_user_has_role for inherited roles, based on the value of the inh_count column" The documentation explains further: Contextual security and roles You can grant roles to users or groups. However, after installing the Contextual Security Manager, the roles field on the user record is no longer checked and no longer appears on your user and group forms. Instead, you must add roles to the Roles related list instead of to the user or group record. Solution Proposed/Investigation Summary: If the Contextual Security Manager plugin is activated on the instance, the BR's on the sys_user_has_role are not getting executed when the roles being added is coming from a Group. Only the BR's from sys_user and sys_user_grmember tables gets executed when adding a Group to a user record. The plugin prevents having duplicated roles in the sys_user_has_role table. When a particular role is already existing in the user's role list, and the role gets added again via the Group, the Inhertance count is incremented to reflect how many times that role was granted to the user. For your implementation, a possible workaround can be to add the BR on either the sys_user(after Insert/update) or sys_user_grmember which will go through the roles of the user.

View solution in original post

Moy1 · ‎07-17-2018

have you tried the BR to 'before'

Jaskaran Walia · ‎07-17-2018

Yes, I have tried that and even check update as well but no luck.

Moy1 · ‎07-17-2018

what is the script that you are running on triggering the business rule?

Jaskaran Walia · ‎07-17-2018

I can share the script but issue is not the script as I removed all the script and just logged a message I.e. gs.log but it still didnt trigger BR when u add user to a group that has role!