
11-21-2022 04:16 AM
Hello everyone,
We had an issue where users were given a role based on their group membership that they were not supposed to get.
Now we want to set up notifications if a user gets e.g. the role ITIL or admin and is not from company xy.
With a notification it is easily possible to catch this case via the sys_user_has_role table if the user is assigned the role directly. But if the user gets the role via a group (to which this role is attached and therefore inherited by the user), no real record is written to the sys_user_has_role table (you see an entry, but this is not an insert or an update, and therefore the notification is not triggered).
I also can't catch it via the sysevent table because only the sys_id of the user and the group is written there.
Any suggestions on how I can catch this use case and trigger a corresponding notification?
Thanks for your help and regards,
Alex
11-21-2022 07:35 AM
If a business rule would work, you can try a before insert rule on the sys_user_group table:

```javascript
(function executeRule(current, previous /*null when async*/ ) {

    // Abort the membership insert when the target group carries the itil or
    // admin role and the user being added does not belong to the allowed company.
    if (getGroupRoles(current.group)) {
        if (current.user.company.name != 'CompanyNameToAllowITIL') {
            current.setAbortAction(true);
            gs.addErrorMessage("Cannot add user to this group because it contains the itil or admin role.");
        }
    }

    // Returns true if the group has the itil or admin role attached directly
    // in sys_group_has_role.
    function getGroupRoles(grp) {
        var gpRole = new GlideRecord('sys_group_has_role');
        gpRole.addEncodedQuery('role.nameINitil,admin^group=' + grp);
        gpRole.query();
        return gpRole.hasNext();
    }

})(current, previous);
```
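The following is an added example and not code from the thread or from ServiceNow itself. It models the decision the accepted answer's business rule makes as plain JavaScript, so it can run outside the platform, and goes one step further than the answer's encoded query: besides roles attached to the group directly in sys_group_has_role, it also follows sys_user_role_contains, so a group that holds a parent role which contains itil is flagged as well. The user, group and membership rows, the role name x_ops_admin and the allowed-company name are constructed sample data; in a real instance they would come from GlideRecord queries on sys_user, sys_user_grmember, sys_group_has_role and sys_user_role_contains.

```javascript
// Added example (not from the thread). Sensitive roles and the allowed company
// are the values used in the accepted answer.
const SENSITIVE_ROLES = new Set(['itil', 'admin']);
const ALLOWED_COMPANY = 'CompanyNameToAllowITIL';

// Constructed sample rows; ids are readable stand-ins for sys_ids.
const users = {                              // sys_user, keyed by sys_id
  u_alice: { user_name: 'alice', company: 'CompanyNameToAllowITIL' },
  u_bob:   { user_name: 'bob',   company: 'Contractor Ltd' },
  u_carol: { user_name: 'carol', company: 'Contractor Ltd' },
};
const groupHasRole = [                       // sys_group_has_role
  { group: 'g_servicedesk', role: 'itil' },
  { group: 'g_catalog',     role: 'x_ops_admin' },   // hypothetical parent role
  { group: 'g_readers',     role: 'report_viewer' },
];
const roleContains = [                       // sys_user_role_contains
  { role: 'x_ops_admin', contains: 'itil' },         // hypothetical containment
];

// Transitive closure of the roles granted by `role`: the role itself plus
// every role reachable through sys_user_role_contains. Cycle-safe.
function expandRole(role, contains = roleContains) {
  const granted = new Set();
  const stack = [role];
  while (stack.length) {
    const r = stack.pop();
    if (granted.has(r)) continue;
    granted.add(r);
    for (const row of contains) {
      if (row.role === r) stack.push(row.contains);
    }
  }
  return granted;
}

// Every role a member of `group` effectively receives.
function effectiveGroupRoles(group, ghr = groupHasRole, contains = roleContains) {
  const roles = new Set();
  for (const row of ghr) {
    if (row.group !== group) continue;
    for (const r of expandRole(row.role, contains)) roles.add(r);
  }
  return roles;
}

// Decision for one sys_user_grmember row, as a before-insert rule would make it.
// Returns the sensitive roles this membership would hand to a user whose
// company is not the allowed one; an empty array means the insert is fine.
function sensitiveRolesGranted(membership, ctx = {}) {
  const { usersById = users, ghr = groupHasRole, contains = roleContains,
          allowedCompany = ALLOWED_COMPANY, sensitive = SENSITIVE_ROLES } = ctx;
  const user = usersById[membership.user];
  if (!user || user.company === allowedCompany) return [];
  return [...effectiveGroupRoles(membership.group, ghr, contains)]
    .filter((r) => sensitive.has(r))
    .sort();
}

// Audit pass over existing memberships, the query a scheduled job would run to
// catch rows that were inserted before the rule existed or whose user changed
// company afterwards.
function auditMemberships(memberships, ctx = {}) {
  const findings = [];
  for (const m of memberships) {
    const roles = sensitiveRolesGranted(m, ctx);
    if (roles.length) findings.push({ user: m.user, group: m.group, roles });
  }
  return findings;
}

// Constructed sys_user_grmember rows.
const memberships = [
  { user: 'u_alice', group: 'g_servicedesk' }, // employee: allowed
  { user: 'u_bob',   group: 'g_servicedesk' }, // external, itil attached directly
  { user: 'u_carol', group: 'g_catalog' },     // external, itil via containment
  { user: 'u_bob',   group: 'g_readers' },     // external, no sensitive role
];

console.log(auditMemberships(memberships));
```

The carol/g_catalog row is the case the accepted answer's query `role.nameINitil,admin` does not see, because the group holds itil only through a containing role. The audit function is the second half of what the question asks for: a before-insert rule only sees memberships as they are created, so a user whose company record is changed after the membership exists still needs a periodic check.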

11-22-2022 12:45 AM
Hi,
Thanks for your answer.
The challenge is to notice such an assignment as soon as it happens. Thus, a notification or a rule that prevents this would be the desired action.
The roles on the groups are for our employees, and there it makes absolute sense that they are assigned in this way. However, it is not allowed to assign people to these groups who do not belong to our company. So it is difficult to remove the roles from the groups.
Regards,
Alex