Notify inactive users and revoke access after 60 days of inactivity

AreebFayyaz1 · ‎04-10-2025

Story Description:
As a system administrator,
I want to send timely notifications to users who haven’t logged in for 30, 45, and 59 days,
So that they are informed of inactivity and can take action before their roles and group memberships are removed on the 60th day.
Acceptance Criteria:
Send email notifications to users who haven't logged in for:
30 days
45 days
59 days
On the 60th day of inactivity:
Remove all roles and group memberships from the user
Send a final notification:
Make the user inactive
“Your access has been revoked due to 60 days of inactivity. If this is a mistake, please contact the help desk.”

Medi C · ‎04-10-2025

Hi @AreebFayyaz1,

Please try the following:

Create a New Event Definition

Go to System Policy > Events > Event Registry
Click New
Fill out the form:
- Name: user.inactivity.notification
- Table: User [sys_user]
- Description: Triggered when a user hits 30, 45, or 59 days of inactivity

Create Notification for the Event

Navigate to System Notification > Email > Notifications
Click New
Fill out:
- Name: User Inactivity Notification
- Table: User [sys_user]
- When to send: Event is fired
- Event name: user.inactivity.notification
- Who will receive: User (Record)
- Subject: Inactivity Notice: ${event.parm1} Days
- Message HTML:

You have been inactive for ${event.parm1} days. Please log in to retain your access.

Create a Scheduled Script Execution (Scheduled Job) that runs daily to check user inactivity

(function() {
    var inactivityThresholds = [30, 45, 59, 60];
    var today = new GlideDateTime();
    var userGR = new GlideRecord('sys_user');
    userGR.addEncodedQuery('active=true^last_loginISNOTEMPTY');
    userGR.query();

    while (userGR.next()) {
        var lastLogin = userGR.getValue('last_login');
        var daysInactive = GlideDateTime.subtract(today, new GlideDateTime(lastLogin)).getDays();

        if (inactivityThresholds.indexOf(daysInactive) !== -1) {
            switch (daysInactive) {
                case 30:
                case 45:
                case 59:
                    sendNotification(userGR.sys_id, daysInactive);
                    break;
                case 60:
                    revokeAccess(userGR);
                    break;
            }
        }
    }

    function sendNotification(userId, days) {
        gs.eventQueue('user.inactivity.notification', new GlideRecord('sys_user').get(userId), days);
    }


    function revokeAccess(userGR) {
        // Remove Roles
        var roles = new GlideRecord('sys_user_has_role');
        roles.addQuery('user', userGR.sys_id);
        roles.query();
        while (roles.next()) {
            roles.deleteRecord();
        }

        // Remove Group Memberships
        var groups = new GlideRecord('sys_user_grmember');
        groups.addQuery('user', userGR.sys_id);
        groups.query();
        while (groups.next()) {
            groups.deleteRecord();
        }
        // Final Notification
        sendFinalNotification(userGR.sys_id);

        // Mark Inactive
        userGR.active = false;
        userGR.update();
    }

    function sendFinalNotification(userId) {
        var notify = new GlideRecord('sys_email');
        notify.initialize();
        notify.type = 'send-ready';
        notify.recipients = userId;
        notify.subject = `Access Revoked: 60 Days of Inactivity`;
        notify.body = `Your access has been revoked due to 60 days of inactivity. If this is a mistake, please contact the help desk.`;
        notify.insert();
    }
})();

If you found this helpful, please hit the thumbs-up button and mark as correct. That helps others find their solutions.