How to restrict external users so that tables on the instance are not visible to them
‎03-09-2022 05:19 AM
Hello,
We have a requirement wherein external users/customers shouldn't be able to see internal tables.
Currently, an external user is able to see all the internal tables when they type sys_user.list, cmdb_ci.list, etc. Though the tables are read-only for this user, we want them restricted completely, so that even the list view is not shown to these external users.
(The roles we have given to external users are:)
Could anyone help me on this please?
‎03-09-2022 05:30 AM
Hi JP,
The simplest way to restrict that access is to go to the read ACLs for those tables and add a condition something like this:
answer = !gs.getUser().hasRole('snc_external');
There is a caveat to that. Invoking absolute denial of access to a table could bring in the side effect of preventing the display of data values that are referenced in other tables (e.g. restricting sys_user could prevent displaying the caller). You can experiment in a sub prod instance to confirm.
Beyond that, it can get very intricate to limit that access. Any table that includes columns that are references to the restricted tables would then need all those references set to read only so that users are not able to go to the individual records.
Unfortunately, that's the only way I can think of.
Hope that helps.
:{)
Helpful and Correct tags are appreciated and help others to find information faster
‎03-09-2022 06:06 AM
Hi John,
Thanks for the reply.
I think this could help, but the problem is that all the internal tables are being shown to the external user, so it would not be easy to add the condition to that many read ACLs. Would it be possible for you to let me know in case there is any other implementation I could do?
Thanks,
JP.
‎03-09-2022 08:00 AM
Hi JP,
I think that you have the answer from the replies below. If you are going to allow external users to have additional roles that grant access to the internal tables, you will have to secure them individually.
Sorry that there's no easier way.
Hope that helps.
:{)
Helpful and Correct tags are appreciated and help others to find information faster
‎03-09-2022 07:11 AM
Hi,
As far as I know there is no easy way to achieve this apart from going through the ACLs in place for each table you want to restrict.
So, in short, you need to go through the table-level ACLs that are present and make sure none of them allows access to the tables for the users you do not want.
The reason is that even if one ACL allows access, the user will get through it, so along with the new read table-level ACL you need to check the existing ACLs as well:
You can use a script to allow or deny access in the ACL, as per below:
// ACL script: "answer" decides whether this ACL passes for the current user
if (gs.hasRole('snc_external')) {
    answer = false;
} else {
    answer = true;
}
Note: be mindful that blocking access at the table level will also restrict them from viewing the field data if you refer to any of those tables in a form exposed to external users.
Please validate it thoroughly in your lower (sub-prod) instance and then proceed.
Please refer to the thread below, which discusses the same requirement:
https://community.servicenow.com/community?id=community_question&sys_id=ee5803eddb1cdbc01dcaf3231f9619fc
Hope this helps. Please mark the answer as correct/helpful based on impact.
Regards,
Shloke
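As an added illustration of the two points made in the replies above (John's: a single read ACL condition plus the side effect on reference display values; Shloke's: one permissive ACL is enough to let the user through, so every existing read ACL has to be checked), here is a small offline JavaScript model. It is not ServiceNow platform code and not from the original thread: the `gs` stub, the ACL records, the users and the `canRead`/`displayValue`/`auditUnguardedAcls` helpers are all constructed assumptions that imitate only the table-level read behaviour the replies describe (field-level and inherited ACLs are left out).

```javascript
// Added example, not from the thread: an offline model of how several
// table-level read ACLs combine, and why one permissive ACL defeats a
// deny condition added to another. Nothing here calls the real platform.

// Constructed stand-in for the `gs` object an ACL script sees.
function makeGs(user) {
  const hasRole = (r) => user.roles.includes(r);
  return { hasRole, getUser: () => ({ hasRole }) };
}

// One ACL record passes only if the role requirement AND the script pass.
// An ACL with no roles and no script allows everyone.
function aclPasses(acl, user) {
  const roleOk = acl.roles.length === 0 || acl.roles.some((r) => user.roles.includes(r));
  if (!roleOk) return false;
  if (!acl.script) return true;
  // ACL scripts set `answer`; emulate that by wrapping the script text.
  const fn = new Function('gs', 'var answer = true;' + acl.script + '; return answer;');
  return Boolean(fn(makeGs(user)));
}

// Table-level read check as the thread describes it: the user gets through
// if ANY read ACL on that table passes.
function canRead(acls, table, user) {
  return acls
    .filter((a) => a.table === table && a.operation === 'read')
    .some((a) => aclPasses(a, user));
}

// The side effect John mentions: a reference field shows the referenced
// record's display value only if the user can read the referenced table.
function displayValue(acls, user, refTable, record) {
  return canRead(acls, refTable, user) ? record.name : '';
}

// The check Shloke recommends: list the read ACLs on a table that a user
// holding only `roleName` would still pass, i.e. the ones that need fixing.
function auditUnguardedAcls(acls, table, roleName) {
  const probe = { roles: [roleName] };
  return acls.filter((a) => a.table === table && a.operation === 'read' && aclPasses(a, probe));
}

// The condition from John's reply, used as the ACL script text.
const DENY_EXTERNAL = "answer = !gs.getUser().hasRole('snc_external');";

// Constructed ACLs: two read ACLs on sys_user, only one carries the deny script.
const partiallyGuarded = [
  { table: 'sys_user', operation: 'read', roles: [], script: DENY_EXTERNAL },
  { table: 'sys_user', operation: 'read', roles: ['snc_internal', 'snc_external'], script: '' },
];
// Same ACLs with the deny script applied to every one of them.
const fullyGuarded = partiallyGuarded.map((a) => ({ ...a, script: DENY_EXTERNAL }));

// Constructed users (hypothetical names and role sets).
const externalUser = { name: 'ext.user', roles: ['snc_external'] };
const internalUser = { name: 'itil.user', roles: ['snc_internal', 'itil'] };

function demo() {
  return {
    // true: the unguarded second ACL lets the external user through
    partial: canRead(partiallyGuarded, 'sys_user', externalUser),
    // false: every read ACL now denies snc_external
    full: canRead(fullyGuarded, 'sys_user', externalUser),
    // true: internal users are unaffected by the condition
    internalStillOk: canRead(fullyGuarded, 'sys_user', internalUser),
    // '': the caller's display value disappears for the external user
    callerShownToExternal: displayValue(fullyGuarded, externalUser, 'sys_user', { name: 'Jane Doe' }),
    // 1: the audit flags the one ACL that still needs the condition
    unguardedCount: auditUnguardedAcls(partiallyGuarded, 'sys_user', 'snc_external').length,
  };
}

console.log(demo());
```

Running `demo()` shows the two failure modes side by side: with only one of the two ACLs guarded the external user still reads sys_user, and once both are guarded the caller reference on a form referencing sys_user renders empty for that user, which is the trade-off the replies warn about.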