Weekly Licensed User Access Review (90-Day Inactivity)

Server-Side Components/Scheduled Jobs/Licensed User Access Job/Weekly_LicensedUser_Access_Revoke_90Days.js

@@ -0,0 +1,46 @@
+(function executeWeeklyJob() {
+
+    var DAYS_INACTIVE_THRESHOLD = 90; // number of days without login before revocation
+    var licensedRoles = ['itil', 'sys_approver', 'admin', 'business_stakeholder'];
+
+    var roleGroupMap = {
+        'itil': 'ITIL Group',
+        'sys_approver': 'Approver Group',
+        'admin': 'Admin Group',
+        'business_stakeholder': 'Business Stakeholder Group'
+    };
+
+    var thresholdDate = new GlideDateTime();
+    thresholdDate.addDaysUTC(-DAYS_INACTIVE_THRESHOLD);
+
+    // Iterate through each licensed role
+    for (var i = 0; i < licensedRoles.length; i++) {
+        var role = licensedRoles[i];
+        var groupName = roleGroupMap[role];
+
+        var userRoleGR = new GlideRecord('sys_user_has_role');
+        userRoleGR.addQuery('role.name', role);
+        userRoleGR.addQuery('user.active', true);
+        userRoleGR.query();
+
+        while (userRoleGR.next()) {
+            var user = userRoleGR.user.getRefRecord();
+            var lastLogin = user.last_login_time;
+
+            // If user never logged in or inactive beyond threshold
+            if (!lastLogin || lastLogin < thresholdDate) {
+//                gs.info('Revoking access for user: ' + user.name + ' (' + role + ')');
+
+                // Remove from corresponding group
+                var groupGR = new GlideRecord('sys_user_grmember');
+                groupGR.addQuery('user', user.sys_id);
+                groupGR.addQuery('group.name', groupName);
+                groupGR.query();
+                while (groupGR.next()) {
+                    groupGR.deleteRecord();
+                }
+
+            }
+        }
+    }
+})();

Server-Side Components/Scheduled Jobs/Licensed User Access Job/readme.md

@@ -0,0 +1,14 @@
+# Weekly Licensed User Access Review (90-Day Inactivity)
+
+# Overview
+This scheduled job runs weekly and automatically revokes access for licensed users who have been inactive/last login for more than 90 days.  
+It ensures license compliance, cost control, and adherence to security policies.
+
+# Objective
+To identify active users holding licensed roles who have not logged into ServiceNow within the past 90 days and revoke their access by removing them from their respective groups.
+
+# Configuration Summary
+1. Threshold - 90 days since last login
+2. Frequency - Weekly
+3. Licensed Roles Checked - 'itil', 'sys_approver', 'admin', 'business_stakeholder'
+4. Groups Managed - ITIL Group, Approver Group, Admin Group, Business Stakeholder Group