Cannot remove roles for users that are "inherited", but the Role Inheritance Map shows no parent for the role.

Adam Geil
Kilo Sage

We are preparing to deploy CSM. An update set was pushed from dev to test. Now a large subset of users have been assigned the following roles:

  • snc_external
  • sn_apptmnt_booking.appointment_booking_user
  • sn_customerservice.customer
  • sn_esm_user
  • task_activity_reader

These roles are listed as Inherited, but the Role Inheritance Map does not show a parent, so they cannot be removed. I attempted to delete the sys_user_has_role record for these, but I do not have the option to delete (using admin role).


Steps to reproduce:
Initially, these individuals had the sn_customerservice.customer and sn_customerservice.customer_case_manager roles. I removed these roles, but the child roles listed above remained tied to the user accounts. I attempted to delete the sys_user_has_role records for these users/roles, but I don’t have the option to delete the record despite my account having the admin, user_admin, and security_admin roles.

1 ACCEPTED SOLUTION

Hey Allen,

I appreciate your suggestions!  

The final resolution was that HI had to run the above script for each sys_user_has_role record using their "maint" role in order to remove these orphaned child roles (this is what I'm referring to them as). 

We weren't able to find root cause, but I suspect it is tied to me moving an update set up to test out of order.

Understood.

Thanks for the update.

If any reply throughout your thread was Helpful, please mark it as such.

Take care!


Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!

Jon G1
Kilo Sage

I had a similar problem.  Here's my solution to removing all roles for inactive users including orphaned roles:

 

//This script will attempt to remove all group memberships and all roles from inactive users with roles
var encQuery, logOnly;

logOnly = true;
encQuery = 'user.active=false'; //You can add personalized query parameters here.  user.active = false is already included below as a safeguard

removeAllRoles(encQuery);

function removeAllRoles(encQuery) {
    try {
        //Find inactive users who still have roles assigned
        var ga = new GlideAggregate('sys_user_has_role');
        if (encQuery) ga.addEncodedQuery(encQuery);
        ga.addQuery('user.active', 'false');
        ga.addAggregate('COUNT', 'user');
        ga.query();
        while (ga.next()) {
            //Loop through the users
            var userId = ga.getValue('user'); //sys_id of the user for this aggregate row
            gs.log('USER: ' + ga.user.name + ' - ' + userId);
            gs.log('#Removing group assignments');

            //Remove group memberships to remove roles inherited from groups.
            var grMember = new GlideRecord('sys_user_grmember');
            grMember.addQuery('user', userId);
            grMember.query();

            while (grMember.next()) {
                gs.log('>>' + grMember.group.name);
            }
            if (!logOnly) grMember.deleteMultiple();

            //Remove any directly assigned roles
            gs.log('#Removing uninherited roles');
            var userRoles = new GlideRecord('sys_user_has_role');
            userRoles.addQuery('inherited', false);
            userRoles.addQuery('user', userId);
            userRoles.query();
            while (userRoles.next()) {
                gs.log('>>' + userRoles.role.name);

            }
            if (!logOnly) userRoles.deleteMultiple();

            //Remove orphaned roles: these roles were not removed after removing group memberships and direct role assignments.
            //Note: with logOnly = true nothing above was deleted, so this count includes every role row the user still has.
            gs.log('#Removing orphaned roles');
            var orRoles = new GlideRecord('sys_user_has_role');
            orRoles.addQuery('user', userId);
            orRoles.query();
            var orphanedRoleCount = orRoles.getRowCount();
            if (orRoles.hasNext()) {
                gs.log('>>Found ' + orphanedRoleCount + ' orphaned roles. Setting inherited to false & deleting');
            }
            if (!logOnly) {
                //Clear the inherited flag first so the rows can be deleted
                orRoles.setValue('inherited', false);
                orRoles.updateMultiple();
                orRoles.deleteMultiple();
            }

        }

    } catch (er) {
        gs.log('ERROR: ' + er);
    }

}
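
A read-only way to reason about the "orphaned" inherited rows discussed in this thread, as an added example that is not code from any poster or from ServiceNow. It models the role tables as plain arrays (the shapes, names and every row are constructed assumptions) and reports inherited rows that no direct grant or group membership explains.

```javascript
// Added example: plain-object model, not ServiceNow API code. Table shapes are
// simplified assumptions and every row below is constructed for illustration
// (the containment edges are not the real CSM role hierarchy).
const roleContains = [                       // parent role -> contained role
  { role: 'sn_customerservice.customer', contains: 'sn_esm_user' },
  { role: 'sn_customerservice.customer', contains: 'snc_external' },
  { role: 'sn_esm_user', contains: 'task_activity_reader' },
];
const groupRoles = [{ group: 'csm_agents', role: 'sn_esm_user' }];
const groupMembers = [{ user: 'carol', group: 'csm_agents' }];
const userRoles = [
  { user: 'alice', role: 'sn_customerservice.customer', inherited: false },
  { user: 'alice', role: 'sn_esm_user', inherited: true },
  { user: 'alice', role: 'task_activity_reader', inherited: true },
  { user: 'bob', role: 'sn_esm_user', inherited: true },        // parent grant was removed
  { user: 'bob', role: 'task_activity_reader', inherited: true },
  { user: 'carol', role: 'sn_esm_user', inherited: true },      // explained by her group
  { user: 'carol', role: 'task_activity_reader', inherited: true },
  { user: 'carol', role: 'snc_external', inherited: true },     // nothing grants this
];

// Expand a set of granting roles to everything they contain, transitively.
function expand(roots, contains) {
  const seen = new Set(roots);
  const queue = [...roots];
  while (queue.length) {
    const parent = queue.pop();
    for (const edge of contains) {
      if (edge.role === parent && !seen.has(edge.contains)) {
        seen.add(edge.contains);
        queue.push(edge.contains);
      }
    }
  }
  return seen;
}

// Return inherited rows that no direct grant or group membership explains.
function findOrphans(roles, members, grpRoles, contains) {
  const orphans = [];
  for (const user of new Set(roles.map(r => r.user))) {
    const direct = roles.filter(r => r.user === user && !r.inherited).map(r => r.role);
    const groups = members.filter(m => m.user === user).map(m => m.group);
    const viaGroup = grpRoles.filter(g => groups.includes(g.group)).map(g => g.role);
    const justified = expand([...direct, ...viaGroup], contains);
    orphans.push(...roles.filter(r => r.user === user && r.inherited && !justified.has(r.role)));
  }
  return orphans;
}
console.log(findOrphans(userRoles, groupMembers, groupRoles, roleContains));
```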

vijayakolli
Tera Contributor

var roleRecord = new GlideRecord("sys_user_has_role");
roleRecord.addEncodedQuery('<add inactive / deleted role record query >');
roleRecord.query();

gs.print("roleRecord " + roleRecord.getRowCount());
while (roleRecord.next()) {
    // Clear the inherited flag first, then delete the record
    roleRecord.inherited = false;
    roleRecord.update();
    roleRecord.deleteRecord();
}