Cannot remove roles for users that are "inherited", but the Role Inheritance Map shows no parent for the role.

Go to solution
Adam Geil
Kilo Sage

‎06-15-2020 01:14 PM

We are preparing to deploy CSM. An update set was pushed from dev to test. Now a large subset of users have been assigned the following roles:

  • snc_external
  • sn_apptmnt_booking.appointment_booking_user
  • sn_customerservice.customer
  • sn_esm_user
  • task_activity_reader

These roles are listed as Inherited, but the Role Inheritance Map does not show a parent, so they cannot be removed. I attempted to delete the sys_user_has_role record for these, but I do not have the option to delete (using admin role).


Steps to reproduce:
Initially, these individuals had the sn_customerservice.customer and sn_customerservice.customer_case_manager roles. I removed these roles, but the child roles listed above remained tied to the user accounts. I attempted to delete the sys_user_has_role records for these users/roles, but I don’t have the option to delete the record despite my account having the admin, user_admin, and security_admin roles.

  • 8,931 Views
1 ACCEPTED SOLUTION

Go to solution
Adam Geil
Kilo Sage
In response to Allen Andreas

‎06-20-2020 06:10 AM

Hey Allen,

I appreciate your suggestions!  

The final resolution was that HI had to run the above script for each sys_user_has_role record using their "maint" role in order to remove these orphaned child roles (this is what I'm referring to them as). 

We weren't able to find root cause, but I suspect it is tied to me moving an update set up to test out of order.

View solution in original post

18 REPLIES 18

Go to solution
DirkRedeker
Mega Sage

‎06-15-2020 02:05 PM

Hi

Having the "security _admin" role is not enough.

To use the force, you need to elevate roles. This can be done from the top bar in the classic UI.

Once you elevated rights to "security_admin" you should be able to remove and manage those rows in the UI.

Let me know if that answered your question and mark my answer as correct and helpful.

BR Dirk

0 Helpfuls

Go to solution
Adam Geil
Kilo Sage
In response to DirkRedeker

‎06-15-2020 02:21 PM

Hey Dirk,

The steps you provided are actually what I did. Apologies, I shouldn't have been lazy and actually typed out the steps instead of just saying I have that role when they are different things.

0 Helpfuls

Go to solution
Adam Geil
Kilo Sage

‎06-15-2020 02:23 PM

I should note that I also tried to edit this sys_user_has_role record by exporting the XML, changing the Inherited field to be false, and then importing the XML. I receive this error during the import, "Skipping record for table sys_user_has_role and id d02d1a441be13f80c6f9a7d4bd4bcb79 - permission denied."

0 Helpfuls

Go to solution
DirkRedeker
Mega Sage
In response to Adam Geil

‎06-15-2020 02:30 PM

Hi

OK, and did you also check, if the given roles are in some groups, where the user is allocated to?

It does not be caused by nesting roles.

Any role assigned to the groups, that User belongs to, are shown as inherited as well.

Check the groups of the user and review the roles assigned to the groups.

Let me know if that answered your question and mark my answer as correct and helpful.

BR Dirk

0 Helpfuls

Go to solution
Adam Geil
Kilo Sage
In response to DirkRedeker

‎06-17-2020 12:32 PM

Hey Dirk,

I doublechecked, and these users aren't in any groups (this is intentional). They also don't have a parent role that would cause the users to inherit the role in question.

Example Situation

User - Brandon

Role - sn_customerservice.customer

Possible parents for this role (per the sys_user_role_contains table):

  • sn_customerservice.partner
  • sn_customerservice.customer_case_manager
  • sn_customerservice.customer_admin
  • sn_customerservice.partner_admin

Brandon used to have the sn_customerservice.customer_case_manager role, so he also inherited the sn_customerservice.customer role. The sn_customerservice.customer_case_manager role was removed, but the sn_customerservice.customer role remained and is still listed as inherited. The Role Inheritance Map does not display a parent for the role either.

If I give Brandon back the sn_customerservice.customer_case_manager role then the Role Inheritance Map for the sn_customerservice.customer reflects that the sn_customerservice.customer_case_manager role is it's parent. When I remove the sn_customerservice.customer_case_manager role then we aree back to where we started with the sn_customerservice.customer role still showing as inherited but is missing its parent.

 

Screenshot 1

Shows the current role assignments, shows that the sn_customerservice.customer role inheritance count is at 1, and shows no parent role under the Role Inheritance Map.

find_real_file.png

 

Screenshot 2

Shows what happens when I reassign the sn_customerservice.customer_case_manager role to Brandon. The inheritance count for sn_customerservice.customer increases to 2, and the Role Inheritance Map now shows sn_customerservice.customer_case_manager as the parent.

find_real_file.png

 

Screenshot 3

Shows the current role assignments, shows the sn_customerservice.customer_case_manager role is no longer assigned, shows that the sn_customerservice.customer role inheritance count is back at 1, and shows no parent role under the Role Inheritance Map.

find_real_file.png

Preview file
487 KB
Preview file
522 KB
Preview file
487 KB
Preview file
464 KB
Preview file
466 KB
Preview file
466 KB
Preview file
336 KB
Preview file
466 KB
Preview file
522 KB
0 Helpfuls