
11-21-2022 04:16 AM
Hello all,
We had an issue where users were given a role based on their group membership that they were not supposed to get.
Now we want to set up notifications if a user gets e.g. the role ITIL or admin and is not from company xy.
With a notification it is easily possible to catch this case via the sys_user_has_role table if the user is assigned the role directly. But if the user gets the role via a group (to which this role is attached and therefore inherited by the user), no real record is written to the sys_user_has_role table (you see an entry, but this is not an insert or an update, and therefore the notification is not triggered).
I also can't catch it via the sysevent table, because only the sys_id of the user and the group is written there.
Any suggestions on how I can catch this use case and trigger a corresponding notification?
Thanks for your help and greetings
Alex
11-21-2022 07:35 AM
If a business rule would work, you can try a before insert rule on the sys_user_group table
(function executeRule(current, previous /*null when async*/ ) {
    // Abort the insert when the target group grants itil or admin and the
    // user does not belong to the company allowed to hold those roles.
    if (getGroupRoles(current.group)) {
        if (current.user.company.name != 'CompanyNameToAllowITIL') {
            current.setAbortAction(true);
            gs.addErrorMessage("Cannot add user to this group because it contains the itil or admin role.");
        }
    }
    // Returns true if sys_group_has_role links the group to the itil or admin role.
    function getGroupRoles(grp) {
        var gpRole = new GlideRecord('sys_group_has_role');
        gpRole.addEncodedQuery('role.nameINitil,admin^group=' + grp);
        gpRole.query();
        return gpRole.hasNext();
    }
})(current, previous);
11-21-2022 07:23 AM
Would a business rule to prevent this be better than a notification?
11-22-2022 05:11 AM
Hi Mike,
What a great idea to check it from this side!
Had to change the table to sys_user_grmember, and now it's not possible to add the user to the group if he isn't from our company.
Unfortunately, the message does not work, because the edit mode then leads back to the group via the save.
But this is not a problem and can e.g. trigger an event, which then triggers a notification.
But thanks to your business rule it is no longer possible to add users to a group in which they do not belong.
Thanks and greetings
Alex
11-21-2022 01:36 PM
You should have the two plugins: 'Contextual Security: Role management' and 'Contextual Security: Role Management v2' activated in your instance. Those are activated on new instances. You can then go the the sys_user_has_role record, you can then access the 'Inheritance Map' from the list view of records there (add that column to the list view). Then you can see where the un-desired role is being added to the users. Remove the un-desired role from the group/role that includes it.