How to remove users from snc_external?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-10-2023 09:06 AM
Hey all,
I have four users in our system that are listed under snc_external (why, I have no idea because they shouldn't be there), however, I cannot remove them. If I go under the snc_external role, it will not allow me to remove any of them. If I try and go under the user themselves, it will not allow me to remove the snc_external role from their user profile.
I have tried this both as an admin and as an elevated role of security_admin.
Can anyone tell me how I can remove my four users from the snc_external role? Also, I do not want to remove the role itself, as I believe you cannot do this, but just the users from the role.
Thank you!
Mat
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-10-2023 09:18 AM
Hello,
I believe the below plug-in
"Explicit Roles plugin"
Is activated in your instance as a result both the roles get added to users .
Snc_internal for users internal to system
And snc_external for external users of system who access from outside.
The only way to remove it would be the plug in deactivation which as far as I can recall is not possible.
I believe if someone has activated this then definitely they would have had some purpose for that. So , check with senior developers or consultant in your company n get the idea why they activated in first place.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-11-2023 08:46 AM
Creative,
You are correct that they have the Explicit Roles plugin installed. I did notice that and did read up on the ServiceNow document on that. However, it didn't help me to understand how to remove the users from the snc_external role.
If I knew how they were added to the snc_external role, that may help me. What is weird, however, is it said in the documentation that a user cannot be a part of the snc_internal and snc_external roles at the same time. However, these four users are. So, I don't get it. 😞
I don't want to remove them from the snc_internal role and then try to readd them and find out that it denies (which is should) them to be added. Then that will create even more issues.
I'm wondering if I should delete one of the user's profile and then re-add them to see if it will then only add them to snc_internal. Because if I can't remove them from the role directly, I'm not sure how else to handle this.
Thoughts?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-19-2024 12:05 AM
I take it your issue is with removing the role from the user rather than removing the Explicit Roles plugin.
If you have not already read it, the following link is to KB0965712 - Role Management FAQ which includes some really interesting information on role management, including "Why I cannot delete roles for a user"
I hope this is of some assistance.
Michael
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-19-2024 01:20 AM
Hello @Mat Gdowski1
Have a look -https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0748329
The Explicit Roles plugin includes a glide.security.explicit_roles.internal_user_blacklist property to exclude user types from ever becoming snc_internal. If there are no users types in the glide.security.explicit_roles.internal_user_blacklist table, the Contextual Security Manager assigns all users the snc_internal role by default.
If there are classnames in the blacklist table, and if the sys_user class type is in the blacklist table, CSM assigns the snc_external role.
if my answer has helped with your question, please mark my answer as accepted solution and give a thumb up.
Regards,
CB
