License Allocation - Unable to remove roles from offboarded users

DanielCordick
Mega Patron

We follow the best practice where we add users to groups and add the roles to the groups. We have integrated AD, so when we offboard users we remove all groups and in turn they are removed from the SN groups once AD syncs. My problem is the roles have stayed with the offboarded, inactive user.

I go to the user and try to remove the role by using the list collector, but the list is blank.

However, when I go to the sys_user_has_role table and filter down to the ITIL role, all the inactive users that have the ITIL role still attached show the role as active and are going against my license count.

I use the list collector and add the Granted by column to see that it is null for all the roles. I can't change the state; I get a pop-up saying security prevents this change.

How do I remove these roles if they are not inherited by anything and the user is no longer in any group that has roles?

 

1 ACCEPTED SOLUTION

Tony Chatfield1
Kilo Patron

Have you investigated how the groups are removed when a user is offboarded? Via a transform script, or possibly a BR that runs when the transform script sets the user as inactive (or whatever user record update is pushed through from AD)?

If I delete a user group relationship where the user has inherited roles, the roles are also removed, so it may just be a result of an underpinning script being 'setWorkflow(false)', meaning the groups are removed but not the related role records, or the transform map may be flagged not to run BRs. In either case a few simple tweaks should fix the issue.

First step should be identifying and resolving the cause, and then a quick background script should tidy up the impacted records.

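A read-only audit that fits the "identify the cause first" step in the accepted answer, added here as an example and not code from the thread or from ServiceNow: it lists role rows still held by inactive users and says whether a granting group is recorded and still has the user as a member. The `fakeGlideRecord` stand-in and the sample rows are constructed so the logic runs outside an instance; the table and field names (`sys_user_has_role.granted_by`, `sys_user_grmember`) are assumed to match a standard instance.

```javascript
// Read-only audit: reports role rows on inactive users, deletes nothing.
// On an instance, run as: auditInactiveUserRoles(GlideRecord)
function auditInactiveUserRoles(GR) {
    var findings = [];
    var ur = new GR('sys_user_has_role');
    ur.addQuery('user.active', false); // offboarded users only
    ur.query();
    while (ur.next()) {
        var user = ur.getValue('user');
        var group = ur.getValue('granted_by'); // empty when no group granted the role
        var reason = null;
        if (!group) reason = 'no granting group recorded';
        else if (!isMember(GR, user, group)) reason = 'membership in granting group is gone';
        if (reason) findings.push({ user: user, role: ur.getValue('role'), reason: reason });
    }
    return findings;
}

// True when the user is still a member of the group that granted the role.
function isMember(GR, user, group) {
    var m = new GR('sys_user_grmember');
    m.addQuery('user', user);
    m.addQuery('group', group);
    m.query();
    return m.next();
}

// Constructed in-memory stand-in for GlideRecord (exact-match queries only),
// so the audit can be exercised outside an instance. Not a ServiceNow API.
function fakeGlideRecord(tables) {
    function GR(table) { this.rows = tables[table] || []; this.conds = []; this.i = -1; }
    GR.prototype.addQuery = function (f, v) { this.conds.push([f, v]); };
    GR.prototype.query = function () {
        this.rows = this.rows.filter(r => this.conds.every(c => r[c[0]] === c[1]));
    };
    GR.prototype.next = function () { return ++this.i < this.rows.length; };
    GR.prototype.getValue = function (f) { return this.rows[this.i][f] || null; };
    return GR;
}

// Constructed sample rows; sys_ids replaced by readable placeholders.
var SAMPLE = {
    sys_user_has_role: [
        { user: 'u_left', 'user.active': false, role: 'itil', granted_by: null },
        { user: 'u_left', 'user.active': false, role: 'approver', granted_by: 'g_gone' },
        { user: 'u_left', 'user.active': false, role: 'report', granted_by: 'g_kept' },
        { user: 'u_here', 'user.active': true, role: 'itil', granted_by: null }
    ],
    sys_user_grmember: [{ user: 'u_left', group: 'g_kept' }]
};
```

Rows reported with no granting group are the ones to trace back to the transform map or script before any cleanup is run.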

5 REPLIES

I have had to enlist the help of SN. This is my background script:

deleteRecords();

function deleteRecords() {
    // All role assignments held by one user (sys_id of the offboarded user)
    var gr = new GlideRecord('sys_user_has_role');
    gr.addQuery('user', 'bb8edc53db411f808eb7776b8c961968');
    gr.query();

    var deleteCount = 0;
    while (gr.next()) {
        // Skip business rules and other engines for this delete
        gr.setWorkflow(false);
        gr.deleteRecord();
        deleteCount++;
    }
    gs.print('records deleted: ' + deleteCount);
}

It deletes the records; however, going back to the user, they still have the roles attached to them.

 

Thanks for your help, will update when SN gets back to me.