License Allocation - Unable to remove roles from offboarded users

DanielCordick
Mega Patron

We follow the best practice where we add users to groups and add the roles to the groups. We have integrated AD, so when we offboard users we remove all groups and in turn they are removed from the SN groups once AD syncs. My problem is the roles have stayed with the offboarded, inactive user.

I go to the user and try to remove the role by using the list collector, but the list is blank.

However, when I go to the sys_user_has_role table and filter down to the ITIL role, all the inactive users that have the ITIL role still attached show the role as active and are going against my license count.

I use the list collector and add the Granted By column to see that it is null for all the roles. I can't change the state; I get a pop-up saying security prevents this change.

How do I remove these roles if they are not inherited by anything and the user is no longer in any group that has roles?


1 ACCEPTED SOLUTION

Tony Chatfield1
Kilo Patron

Have you investigated how the groups are removed when a user is offboarded? Via transform script, or possibly a BR that runs when the transform script sets the user as inactive (or whatever user record update is pushed through from AD)?

If I delete a user group relationship where the user has inherited roles, the roles are also removed, so it may just be a result of an underpinning script being 'setWorkflow(false)', meaning the groups are removed but not the related role records, or the transform map may be flagged not to run BRs. In either case a few simple tweaks should fix the issue.

First step should be identifying and resolving the cause, and then a quick background script should tidy up the impacted records.

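An added example (not code from the thread or from ServiceNow) of the reconciliation such a tidy-up script has to do: model the three tables involved and flag sys_user_has_role rows that are marked inherited but no longer backed by any group membership. The table and field names mirror ServiceNow's; the sample rows are constructed, and the GlideRecord sketch at the end is an assumed shape to adapt, not tested code.

```javascript
// Constructed sample data: alice is offboarded (inactive, no groups) but still
// holds an inherited itil role left behind by a group removal that ran with
// setWorkflow(false); bob is a normal member of the itil group.
const sysUser = [
  { sys_id: 'u1', user_name: 'alice', active: false },
  { sys_id: 'u2', user_name: 'bob', active: true },
];
const sysUserGrmember = [{ user: 'u2', group: 'g_itil' }];   // user -> group
const sysGroupHasRole = [{ group: 'g_itil', role: 'itil' }]; // group -> role
const sysUserHasRole = [                                     // user -> role
  { sys_id: 'r1', user: 'u1', role: 'itil', granted_by: '', inherited: true },
  { sys_id: 'r2', user: 'u2', role: 'itil', granted_by: 'g_itil', inherited: true },
  { sys_id: 'r3', user: 'u2', role: 'admin', granted_by: '', inherited: false },
];

// Roles a user is entitled to right now through group membership.
function rolesViaGroups(userId, grmember, groupHasRole) {
  const groups = new Set(grmember.filter(m => m.user === userId).map(m => m.group));
  return new Set(groupHasRole.filter(g => groups.has(g.group)).map(g => g.role));
}

// A sys_user_has_role row is orphaned when it is marked inherited but no
// current group membership grants that role. Direct grants are left alone:
// the thread says none are used, but a clean-up script should not assume it.
// inactiveOnly limits the clean-up to offboarded users, as in the thread.
function findOrphanedRoles(tables, inactiveOnly) {
  const inactive = new Set(tables.users.filter(u => !u.active).map(u => u.sys_id));
  return tables.userHasRole.filter(r =>
    r.inherited &&
    (!inactiveOnly || inactive.has(r.user)) &&
    !rolesViaGroups(r.user, tables.grmember, tables.groupHasRole).has(r.role));
}

const tables = { users: sysUser, grmember: sysUserGrmember,
                 groupHasRole: sysGroupHasRole, userHasRole: sysUserHasRole };
// Dry run first: report what would be deleted before touching anything.
console.log(findOrphanedRoles(tables, true).map(r => `${r.user}:${r.role}`)); // [ 'u1:itil' ]

// Assumed ServiceNow equivalent as a background script (run as admin, and
// dry-run first by replacing deleteRecord() with a log line):
//   var gr = new GlideRecord('sys_user_has_role');
//   gr.addQuery('inherited', true); gr.addQuery('user.active', false);
//   gr.addNullQuery('granted_by'); gr.query();
//   while (gr.next()) { /* re-check via sys_user_grmember, then gr.deleteRecord(); */ }
```

Fix the cause (the script or transform map skipping business rules) before running the delete, or the same orphans will reappear on the next AD sync.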


Tony Chatfield1
Kilo Patron

I would consider the inability to remove inherited roles manually as expected behaviour, and perhaps the first step is to work out why this is occurring.
If you remove a user's group (that applies roles) manually in SNC, are the inherited roles updated correctly?
 - it may just be that the integration/scripted removal process is not triggering BRs/updates to the user roles table.

Once you have identified why this is happening, you can fix the cause and clean up the residue.

You can either update ACLs so you can work around the issue and remove user roles by slushbucket or by deleting them, or script a clean-up when the underlying issue is identified and fixed.



Yes, if I remove a user from a group, the inherited roles do remove themselves from the user. I have tested this by activating an offboarded user, adding them back to the group they left and removing them from the group. The roles in that group are removed at the same time.

Problem is I can't remove user roles by slushbucket, as there are no roles to remove even though their profile says they have x amount of roles and all are inherited. But from where I don't know, as they are not in any groups; they should have no roles attached to their user accounts as they have been offboarded. We don't apply roles to individual users, only to groups.


I guess I could try deleting a user and letting AD re-sync them when the job is run.

Narendra Kota
Mega Sage

Hi,

There is an Inheritance Map field in the Roles related list on the user record; can you please click the link on any row and check? It will tell you if the role was inherited from a group and map to which roles, if that still exists. Also, take a look into the sys_group_has_role table and check if the groups and roles are still present in this table. If so, please consider cleaning the table once.

Hope this helps.
Mark Helpful, Correct based on the impact.

Thanks.
