07-05-2024 09:07 AM
I just completed a role audit of all of my users and have restructured our groups to assign roles instead of assigning them directly to users. I'd like to remove all uninherited (inherited=false) roles from all users that are imported from our LDAP integration. Does anyone have experience doing this? I'm thinking of building a filter/query string on sys_user_has_role and then just do a mass delete...would it be that easy?

07-05-2024 09:15 AM
@jMarshal Technically yes, deletion on sys_user_has_role would do the job. However, please be mindful of those users who do not belong to any group. We use Explicit Roles plugin on our instance and by default users are created with snc_internal assigned to them. On the basis of these roles we either redirect the user to ESC portal or to the backend if they have any higher roles like itil.
If you are sure that all of your users are part of at least one group then you can run the delete script on sys_user_has_role. However, if this is not the case then you should be extremely cautious with the filters and deletion.
As suggested earlier, I recommend doing this exercise on a sub prod instance first, analyse the impact and then run the deletion using a Delete Job on production.

07-05-2024 09:32 AM
Thanks @Sandeep Rajput that affirms my thoughts! We also use explicit roles and I was planning on building the filter to exclude those roles (and some others parameters).

07-05-2024 09:31 AM
Hi there,
It can indeed be so easy! Though... be careful. You will also delete uninherited roles that do matter in that case. For example for integration users, mid server, out-of-the-box users with specific roles, or perhaps the admin user or a break the glass procedure user, etc.
Kind regards,
Mark Roethof
Independent ServiceNow Consultant
10x ServiceNow MVP
---
~444 Articles, Blogs, Videos, Podcasts, Share projects - Experiences from the field
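As an added example (not code from this thread, from any of the posters, or from ServiceNow), here is the question's clean-up written as a plan-then-apply step that bakes in the caveats raised in both replies: rows are only considered when inherited=false, users not imported from LDAP are left alone, snc_internal/snc_external and admin-level roles are never touched, protected accounts (admin, MID server, integration users) are skipped, and a user who belongs to no group keeps their roles because the delete would otherwise leave them with nothing. Nothing is deleted until the plan has been reviewed. Schema assumptions: sys_user.source starts with "ldap:" for LDAP-imported users, and group membership is read from sys_user_grmember; helper names and the sample rows are constructed.

```javascript
// Added example, not from the thread and not ServiceNow code. Plans which
// sys_user_has_role rows a bulk clean-up may delete and why the rest are kept.
// Assumptions: sys_user.source starts with "ldap:" for LDAP-imported users;
// group membership lives in sys_user_grmember. Written in ES5 style so it also
// runs as a background script.

// Roles that must survive: with the Explicit Roles plugin snc_internal /
// snc_external decide whether a user lands on the ESC portal or the backend,
// and admin-level roles should be reviewed by hand, not bulk-deleted.
var PROTECTED_ROLES = { snc_internal: true, snc_external: true, admin: true, security_admin: true };
// Accounts that legitimately hold direct roles (constructed names).
var PROTECTED_USERS = { admin: true, 'mid.server': true, 'ldap.integration': true };

// LDAP import populates sys_user.source with "ldap:<dn>" (assumption).
function isLdapUser(user) {
  return typeof user.source === 'string' && user.source.indexOf('ldap:') === 0;
}

// assignments:  rows of sys_user_has_role {sys_id, user, role, inherited}
// users:        rows of sys_user         {sys_id, user_name, source}
// groupMembers: rows of sys_user_grmember {user, group}
function planRoleRemoval(assignments, users, groupMembers) {
  var userById = {}, hasGroup = {}, i, a, user, reason;
  for (i = 0; i < users.length; i++) userById[users[i].sys_id] = users[i];
  for (i = 0; i < groupMembers.length; i++) hasGroup[groupMembers[i].user] = true;

  var plan = { toDelete: [], skipped: [] };
  for (i = 0; i < assignments.length; i++) {
    a = assignments[i];
    user = userById[a.user];
    reason = null;
    if (a.inherited) reason = 'inherited';                // granted via a group; leave it
    else if (!user) reason = 'orphan_user';               // dangling user reference
    else if (!isLdapUser(user)) reason = 'not_ldap';      // local / out-of-the-box account
    else if (PROTECTED_USERS[user.user_name]) reason = 'protected_user';
    else if (PROTECTED_ROLES[a.role]) reason = 'protected_role';
    else if (!hasGroup[user.sys_id]) reason = 'no_group'; // would be left with no roles
    if (reason) plan.skipped.push({ sys_id: a.sys_id, reason: reason });
    else plan.toDelete.push(a.sys_id);
  }
  return plan;
}

// Counts per skip reason, so the dry run can be read before it is applied.
function summarise(plan) {
  var counts = {}, i, r;
  for (i = 0; i < plan.skipped.length; i++) {
    r = plan.skipped[i].reason;
    counts[r] = (counts[r] || 0) + 1;
  }
  return { deleteCount: plan.toDelete.length, skipped: counts };
}

// On an instance GlideRecord exists; elsewhere (Node) this is a no-op so the
// planner can be exercised offline. Returns the number of rows actually deleted.
function applyPlanOnInstance(plan, dryRun) {
  if (typeof GlideRecord === 'undefined') return 0;
  var deleted = 0, i, gr;
  for (i = 0; i < plan.toDelete.length; i++) {
    gr = new GlideRecord('sys_user_has_role');
    if (!gr.get(plan.toDelete[i])) continue;
    if (dryRun) { gs.info('would delete sys_user_has_role ' + plan.toDelete[i]); continue; }
    gr.deleteRecord();
    deleted++;
  }
  return deleted;
}

// Constructed sample rows standing in for the three tables.
var SAMPLE_USERS = [
  { sys_id: 'u1', user_name: 'alice', source: 'ldap:cn=alice,ou=people' },
  { sys_id: 'u2', user_name: 'bob', source: 'ldap:cn=bob,ou=people' },
  { sys_id: 'u3', user_name: 'carol', source: '' },
  { sys_id: 'u4', user_name: 'mid.server', source: 'ldap:cn=mid,ou=svc' }
];
var SAMPLE_GROUP_MEMBERS = [{ user: 'u1', group: 'g_itil' }, { user: 'u4', group: 'g_mid' }];
var SAMPLE_ASSIGNMENTS = [
  { sys_id: 'r1', user: 'u1', role: 'itil', inherited: false },          // deleted
  { sys_id: 'r2', user: 'u1', role: 'snc_internal', inherited: false },  // protected_role
  { sys_id: 'r3', user: 'u1', role: 'approver_user', inherited: true },  // inherited
  { sys_id: 'r4', user: 'u2', role: 'itil', inherited: false },          // no_group
  { sys_id: 'r5', user: 'u3', role: 'itil', inherited: false },          // not_ldap
  { sys_id: 'r6', user: 'u4', role: 'mid_server', inherited: false },    // protected_user
  { sys_id: 'r7', user: 'u9', role: 'itil', inherited: false }           // orphan_user
];
var SAMPLE_PLAN = planRoleRemoval(SAMPLE_ASSIGNMENTS, SAMPLE_USERS, SAMPLE_GROUP_MEMBERS);
```

On an instance the three arrays would be filled from GlideRecord queries on sys_user_has_role, sys_user and sys_user_grmember; note that getValue() on the boolean inherited field returns a string, so coerce it before building the rows. Run with dryRun=true on a sub-prod instance first and read the summarise() output: a large no_group or not_ldap count is the signal that the LDAP group mapping is not yet complete and the delete should wait.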