How to automate the process of adding users to appropriate groups and assigning roles in ServiceNow.

Ria
Tera Contributor

How to automate the process of adding users to appropriate groups and assigning roles that are not directly inherited from the group, based on the Reference or Mirror ID field. This field contains the name of a person who already has access to ServiceNow.

Once the request is approved:
If a Reference or Mirror ID is provided, the system should automatically add the user to the relevant group and assign the necessary roles.
After the user is added and roles are assigned, the request should be automatically closed.
If no Reference or Mirror ID is provided, access will need to be granted manually.


Ankur Bawiskar
Tera Patron

@Ria 

You can use a catalog item for this with some variables.

Your flow on that catalog item will mirror the details

Some variables

1) Mirror User (reference to sys_user); make it mandatory

2) String variable to show which groups this Mirror User belongs to

3) String variable to show which roles this group has

Then you can work on your flow

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader

@Ankur Bawiskar Currently, we already have a catalog item in place that includes a Reference or Mirror ID field. However, based on user requirements, we cannot make this field mandatory. The catalog item is configured to work through the Workflow Editor.

@Ria 

Then you can use a Workflow Run Script activity and this pseudo code to add groups and roles.

After the run script you can close the RITM and REQ

// Workflow Run Script (server-side). Inputs:
//  - current: GlideRecord of the request item record (e.g. sc_req_item)
//  - current.variables.mirror_id assumed to hold the sys_id of the reference user
//  - current.variables.requested_for or current.request.requested_for points to the new user sys_id
// Note: the values are converted to strings on purpose. A GlideElement object is
// always truthy, so without the conversion the empty-value check below would never fire
// and the requested_for fallback would never be used.

var mirrorUserSysId = String(current.variables.mirror_id || ''); // Reference user sys_id
var newUserSysId = String(current.variables.requested_for || '') || String(current.request.requested_for || '');

if (!mirrorUserSysId || !newUserSysId) {
    gs.info('Mirror user or new user not provided. Skipping role/group mirroring.');
    return;
}

// --- Mirror group memberships ---
var grGroupMember = new GlideRecord('sys_user_grmember');
grGroupMember.addQuery('user', mirrorUserSysId);
grGroupMember.query();

while (grGroupMember.next()) {
    var groupID = grGroupMember.group.toString();

    // Check if the new user is already a member of this group
    var grExists = new GlideRecord('sys_user_grmember');
    grExists.addQuery('user', newUserSysId);
    grExists.addQuery('group', groupID);
    grExists.query();
    if (!grExists.next()) {
        // Add new user to group; roles granted by the group are inherited automatically
        var grNewMember = new GlideRecord('sys_user_grmember');
        grNewMember.initialize();
        grNewMember.user = newUserSysId;
        grNewMember.group = groupID;
        grNewMember.insert();
        gs.info('Added user ' + newUserSysId + ' to group ' + groupID);
    }
}

// --- Mirror roles assigned directly to the mirror user (excluding roles inherited from groups) ---
var addedRoles = [];

var grRoleMember = new GlideRecord('sys_user_has_role');
grRoleMember.addQuery('user', mirrorUserSysId);
grRoleMember.addQuery('inherited', false); // Only direct roles, not inherited from a group
grRoleMember.query();

while (grRoleMember.next()) {
    var roleID = grRoleMember.role.toString();

    // Check if the new user already has the role (directly or via a group)
    var grRoleCheck = new GlideRecord('sys_user_has_role');
    grRoleCheck.addQuery('user', newUserSysId);
    grRoleCheck.addQuery('role', roleID);
    grRoleCheck.query();

    if (!grRoleCheck.next()) {
        // Assign direct role
        var grNewUserRole = new GlideRecord('sys_user_has_role');
        grNewUserRole.initialize();
        grNewUserRole.user = newUserSysId;
        grNewUserRole.role = roleID;
        grNewUserRole.inherited = false;
        grNewUserRole.insert();
        addedRoles.push(roleID);
        gs.info('Added role ' + roleID + ' to user ' + newUserSysId);
    }
}

// Summary for the workflow log / audit trail
gs.info('Mirrored ' + addedRoles.length + ' direct role(s) from ' + mirrorUserSysId + ' to ' + newUserSysId + ': ' + addedRoles.join(', '));

I hope I answered your question, and you can enhance the logic further based on your requirements and developer skills.


Regards,
Ankur
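An added example, not code from the thread or from ServiceNow: a plain-JavaScript dry run of the same mirroring logic, so the groups and direct roles the run script would copy can be reviewed (and elevated roles held back) before any record is inserted. The sys_user_grmember and sys_user_has_role rows are constructed inline in place of GlideRecord queries, and the deny list of roles that automation should never copy is an assumption.

```javascript
// Added example: dry run of the group/role mirroring described in the thread.
// Rows below are constructed stand-ins for sys_user_grmember and sys_user_has_role.
const DENY_ROLES = ['admin', 'security_admin']; // assumption: never copied by automation

const grmember = [                        // sys_user_grmember (constructed)
  { user: 'mirror1', group: 'grp_itil' },
  { user: 'mirror1', group: 'grp_cab' },
  { user: 'new1',    group: 'grp_itil' }  // new user is already in one group
];
const hasRole = [                         // sys_user_has_role (constructed)
  { user: 'mirror1', role: 'itil',     inherited: true  }, // via grp_itil, not copied
  { user: 'mirror1', role: 'admin',    inherited: false }, // direct, but on the deny list
  { user: 'mirror1', role: 'approver', inherited: false }
];

// Returns what the run script would insert for newUser, without mutating the rows.
// Mirrors the script's rules: skip if either sys_id is empty, copy only groups the
// new user lacks, copy only direct (non-inherited) roles, and hold back denied roles.
function planMirror(mirrorUser, newUser, grmemberRows, hasRoleRows, denyRoles) {
  if (!mirrorUser || !newUser) {
    return { groups: [], roles: [], denied: [], skipped: true };
  }
  const has = (rows, key, u, v) => rows.some(r => r.user === u && r[key] === v);

  const groups = grmemberRows
    .filter(r => r.user === mirrorUser)
    .map(r => r.group)
    .filter(g => !has(grmemberRows, 'group', newUser, g));

  const direct = hasRoleRows
    .filter(r => r.user === mirrorUser && !r.inherited)
    .map(r => r.role);
  const denied = direct.filter(r => denyRoles.includes(r));
  const roles = direct
    .filter(r => !denyRoles.includes(r))
    .filter(r => !has(hasRoleRows, 'role', newUser, r));

  return { groups, roles, denied, skipped: false };
}

const plan = planMirror('mirror1', 'new1', grmember, hasRole, DENY_ROLES);
console.log(JSON.stringify(plan));
// → {"groups":["grp_cab"],"roles":["approver"],"denied":["admin"],"skipped":false}
```

A non-empty `denied` list is the case to route to the manual path the question already describes, rather than copying it automatically.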