Prevent duplicate entries with Contextual Security: Role Management V2

Roles inherited from other roles are added as individual entries in the User Roles table [sys_user_has_role], potentially causing one role to have duplicate entries. Contextual Security: Role Management V2 eliminates these duplicate entries and prevents future duplicates.

Eliminate duplicate entries through inheritance count

Contextual Security: Role Management V2 uses the Inheritance Count (inh_count) column to track the number of times a role is inherited from another role or group. In the User Roles [sys_user_has_role] table, a user has at most one record for each inherited role, which eliminates duplicate entries. The Inheritance Count (inh_count) column is read-only and records how many times the user inherits that role.

Activation changes

Contextual Security: Role Management V2 is automatically installed on new instances and can be activated for upgrades. When activated, Contextual Security: Role Management V2 replaces both Contextual Security and Contextual Security: Role Management Enhancements.

When Contextual Security: Role Management V2 is activated, the following columns are deprecated, but remain in the User Roles table for backward compatibility:
  • granted_by (used only by Role Delegation)
  • included_in_role
  • included_in_role_instance
Caution: If these columns are in use in any custom scripts on your instance, do not upgrade to Role Management V2.

Visualize role inheritance through the Role Inheritance Map

The Role Inheritance Map displays a visual representation of inherited roles. You can use this map to understand the roles represented in the Inheritance Count (inh_count) column. To view the Role Inheritance Map, configure the User Roles [sys_user_has_role] table to display the Role Inheritance Map column.
Figure 1. Role Inheritance Map

Upgrade to Contextual Security: Role Management V2

Contextual Security: Role Management V2 is automatically installed on new instances. You can upgrade from Contextual Security: Role Management to Contextual Security: Role Management V2 to eliminate duplicate roles in the User Roles table and prevent future duplicates.

Before you begin

Role required: admin

About this task

If not already active, Contextual Security: Role Management V2 activates these related plugins.
Table 1. Plugins for Contextual Security: Role Management V2
Plugin | Description
Contextual Security: Role Management V2 [com.glide.role_management.inh_count] | Prevents duplicate entries in the User Roles [sys_user_has_role] table.
Contextual Security: Role Management V2 REST API [com.glide.role_management.inh_count.rest_api] | Enables API functionality for role management.

Before upgrading from Contextual Security: Role Management to Contextual Security: Role Management V2, test the results of the upgrade by running the verification script described in the procedure below. The script returns a list of the changes that an upgrade will perform. If the changes are acceptable, install the Contextual Security: Role Management V2 plugin. If the changes are not acceptable, do not install the plugin. Alternatively, you can perform the upgrade and then manually make any necessary changes.

Procedure

  1. Test the impact of an upgrade prior to upgrading by running the following script.
    1. Navigate to System Definition > Scripts - Background.
    2. Run the following script in global scope.
      new RoleManagementVerify().verifyInheritedRoles();
      For large sys_user_has_role tables, the execution may take up to several hours to complete. Do not edit or add user roles during this time.
      Example result based on test data:
      *** Script: 2016-12-01 19:58:54 Starting checking of inherited roles for all users... 
      *** Script: User: itam, inherited roles to be ADDED: financial_mgmt_user 
      *** Script: User: bernard.laboy, inherited roles to be DELETED: api_analytics_read,pa_viewer,rest_api_explorer,a123 
      *** Script: User: bernard.laboy, inherited roles to be ADDED: dependency_views 
      *** Script: Number of inherited-role records in sys_user_has role, current: 260, after re-calculation: 258 
      *** Script: Number of users with discrepancies for inherited roles: 2 
      *** Script: 2016-12-01 19:58:55 Finished checking of inherited roles for all users!
    3. Evaluate the script results to determine whether the proposed changes are acceptable.
  2. Activate the Contextual Security: Role Management V2 plugin.
    1. Navigate to System Definition > Plugins.
    2. Find and click the plugin name.
    3. On the System Plugin form, review the plugin details and then click the Activate/Upgrade related link.
    4. Click Activate.

Result

After activating Role Management V2, the changes outlined in the script result are enacted. The Inheritance Count (inh_count) column in the User Roles table is read-only and automatically reflects the number of times the user inherits a role.
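The following is an added illustrative model, not ServiceNow code, of the inheritance-count idea from the section above and of the kind of per-user ADDED/DELETED report the verification script prints: it expands an assumed role-containment map, counts how many direct roles or group roles each inherited role comes through (the inh_count), and compares that with legacy rows that may hold duplicates. The role names, the roleContains map and the row layout are constructed for the example.

```javascript
// Role containment: parent role -> roles it includes (constructed sample,
// not a real instance's sys_role_contains data).
const roleContains = {
  itil: ["itil_user", "task_editor"],
  itil_user: ["task_reader"],
  financial_mgmt_admin: ["financial_mgmt_user"],
};

// Transitively expand one role into every role it includes (excluding itself).
// The `seen` set guards against cycles in the containment map.
function expandRole(role, seen = new Set()) {
  for (const child of roleContains[role] || []) {
    if (!seen.has(child)) {
      seen.add(child);
      expandRole(child, seen);
    }
  }
  return seen;
}

// V2 view: map each inherited role to its Inheritance Count, i.e. the number
// of direct roles or group roles through which the user inherits it.
// Roles the user holds directly are treated as sources, not as inherited.
function inheritanceCounts(directRoles, groupRoles) {
  const counts = {};
  for (const source of [...directRoles, ...groupRoles]) {
    for (const inherited of expandRole(source)) {
      if (directRoles.includes(inherited)) continue;
      counts[inherited] = (counts[inherited] || 0) + 1;
    }
  }
  return counts;
}

// Compare the legacy inherited-role rows (one row per inheritance path, so
// duplicates are possible) with the recalculated set, the way the
// verifyInheritedRoles report lists roles to be ADDED and DELETED.
function verifyUser(legacyRows, directRoles, groupRoles) {
  const recalculated = inheritanceCounts(directRoles, groupRoles);
  const current = new Set(legacyRows.map((r) => r.role));
  const wanted = new Set(Object.keys(recalculated));
  return {
    added: [...wanted].filter((r) => !current.has(r)).sort(),
    deleted: [...current].filter((r) => !wanted.has(r)).sort(),
    rowsBefore: legacyRows.length,
    rowsAfter: wanted.size,
    inhCount: recalculated,
  };
}
```

In this model a user who holds itil directly and also through a group ends up with three inherited rows, each with an inh_count of 2, instead of six duplicate rows.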

Enable role auditing with Contextual Security: Role Management V2

Set a system property to enable the Audit Roles table to create audit records related to user roles.

Before you begin

Role required: admin

About this task

When enabled, the Audit Roles [sys_audit_role] table keeps a record of changes to user roles. For more information about role audits, see Audit user roles. If the Contextual Security: Role Management V2 [com.glide.role_management.inh_count] plugin is installed, you must set a system property to true to enable role auditing.

Procedure

  1. Navigate to the System Properties [sys_properties] table.
  2. Add the glide.role_management.v2.audit_roles system property and set it to true.

    If the Contextual Security: Role Management V2 [com.glide.role_management.inh_count] plugin is installed, setting this property to true enables the Audit Roles [sys_audit_role] table to create records when user roles change.