ServiceNow: Remove a Role from a Large User Group Without Timeout Issues
Managing roles in large ServiceNow environments can sometimes lead to performance challenges. One common issue occurs when attempting to remove a role from a group containing thousands of users.
Recently, I encountered a situation where a group had more than 20,000 users and an incorrect role had been assigned. Attempting to remove the role through the ServiceNow UI repeatedly resulted in timeout errors.
This article explains the issue and the approach used to safely remove the role without causing performance problems.
The Problem
A role was mistakenly assigned to a large ServiceNow group containing more than 20,000 users. The role also contained several child roles, which expanded the number of inherited permissions across the platform.
Attempts to remove the role through the ServiceNow UI or via a synchronous Fix Script consistently resulted in timeout errors.
The main challenge was that removing the role triggered role recalculations for thousands of users at once.
Why Timeout Happens
When a role is removed from a group, ServiceNow must re-evaluate role inheritance for every user in that group.
The typical inheritance flow looks like this:
User ↓ User Group ↓ Group Role (sys_group_has_role) ↓ Inherited Roles ↓ User Role Updates
When a group has tens of thousands of users, this recalculation can exceed request execution limits and cause timeouts.
The Solution: Enable Asynchronous Role Updates
ServiceNow provides a system property that allows group role updates to run asynchronously instead of within the user session.
Enable the following system property:
glide.ui.schedule_slushbucket_save_for_group_roles = true
When this property is enabled, role changes are processed through background jobs rather than the UI request thread.
This prevents timeout errors when modifying roles on very large groups.
Optional Fix Script for Role Removal
If automation is required, the role can be removed by deleting the relationship record in the sys_group_has_role table.
var groupName = 'Your_Group_Name';
var roleName = 'role_a';
var group = new GlideRecord('sys_user_group');
group.addQuery('name', groupName);
group.query();
if (group.next()) {
var role = new GlideRecord('sys_user_role');
role.addQuery('name', roleName);
role.query();
if (role.next()) {
var groupRole = new GlideRecord('sys_group_has_role');
groupRole.addQuery('group', group.sys_id);
groupRole.addQuery('role', role.sys_id);
groupRole.query();
while (groupRole.next()) {
groupRole.deleteRecord();
gs.info('Removed role ' + roleName + ' from group ' + groupName);
}
} else {
gs.info('Role not found: ' + roleName);
}
} else {
gs.info('Group not found: ' + groupName);
}
This script removes the group-role relationship directly from the platform.
What Happens After Removing the Role
Once the group-role relationship is removed, ServiceNow automatically recalculates role inheritance for users in the background.
If a user no longer inherits that role through another group or direct assignment, the role will be removed from their user record.
This recalculation is handled asynchronously when the system property mentioned earlier is enabled.
Best Practices for Large Role Changes
- Enable asynchronous processing for group role updates.
- Test role changes in a lower environment before applying them in production.
- Monitor background jobs when performing role changes affecting large groups.
- Avoid making large role changes during peak platform usage.
Common Search Queries This Article Solves
This guide helps ServiceNow administrators and developers who encounter issues such as:
- ServiceNow remove role from large group timeout
- ServiceNow group role removal performance issue
- ServiceNow role inheritance recalculation slow
- ServiceNow sys_group_has_role deletion script
- ServiceNow removing roles from large groups
Conclusion
Removing roles from large groups in ServiceNow can cause performance issues if the platform attempts to process all role recalculations within the same request.
By enabling asynchronous role updates and carefully removing group-role relationships, administrators can safely perform role changes even in environments with tens of thousands of users.
Understanding how role inheritance works in ServiceNow helps prevent unexpected performance problems during access management changes.
0 comments:
Post a Comment