Limit Service Portal access only to external users
15 hours ago
Hi, I want to build a new use case for an organization where external users (users outside the organization) will have access only to the newly created Portal, but at the moment those external users have access to the ServiceNow Homepage and can see some applications and modules. What I have done so far:
- I've created a new role: external_users
- I've created a new group: External Users and assigned the role from step 1
- I've added a new user to the group, and assigned to the group from step 2
When the user logs in to ServiceNow (my.instance-now.com/now/nav/ui/home), the user can see and enter some modules and do some actions.
But I want to avoid this because I don't want to allow users to do any action except on the external Portal instead (my.instance-now.com/external). Something like this (this is just an empty Portal, nothing added to it at the moment).
If I give direct link to the external Portal, users can still modify URL and access homepage.
I've tried working with ACLs, but I'm not sure if I'm doing it right. I've set some rules on sys_ui_page, sys_app, sys_module to forbid read access to UI pages, but it doesn't work as expected.
Any help is appreciated! Thanks
8 hours ago - last edited 8 hours ago
Hi @dcikovic
Ensure you give the user the snc_external role. As stated in the documentation:
- Tables without the role that inherits the snc_external role or the public role.
- Non-record type resources, such as processors and UI pages without granting access to the snc_external role or a role that inherits the snc_external role.
- Platform Analytics dashboards."
Also ensure that the portal is set to public in the page configuration (as seen here)
Let me know if this helps 🙂
8 hours ago
Hi @dcikovic ,
Here's a robust, multi-layered strategy to enforce strict access to only the external portal (/external) for users with the external_users role:
Strategy: Lock External Users to /external Portal Only
1. Create a Login Interceptor Script
Use a Global UI Script or Login Interceptor to redirect users with the external_users role to /external and block access to /nav/ui/home.

    (function executeRule(current, gUser, gSession, gRequest, gResponse, gProcessor, gLog, gSNC) {
        var user = gs.getUser();
        if (user.hasRole('external_users')) {
            var requestedURL = gRequest.getRequestURI();
            if (!requestedURL.startsWith('/external')) {
                gResponse.sendRedirect('/external');
            }
        }
    })(current, gUser, gSession, gRequest, gResponse, gProcessor, gLog, gSNC);

This ensures that even if they try to access /nav/ui/home, they’ll be forcibly redirected to /external.
2. Block UI Pages via ACLs
You were on the right track with ACLs. Here’s how to secure them more effectively:
For sys_ui_page ACL:
- Type: Read
- Condition: gs.hasRole('external_users') == false
- Script (optional):
- !gs.hasRole('external_users')
Repeat similar ACLs for:
- sys_app
- sys_app_module
- sys_ui_section
Make sure these ACLs are active, and that no other ACLs are granting access implicitly (e.g., public roles or inherited roles).
3. Restrict Navigation Modules
In Application Navigator:
- Open each module (e.g., Incident, Knowledge, etc.)
- Set roles to exclude external_users
- Or use Visibility Condition:
- gs.hasRole('external_users') == false
4. Use Page Access Control Rules in Service Portal
For your /external portal:
- Go to Service Portal > Page Access Control Rules
- Create rules that:
- Allow access to /external pages for external_users
- Deny access to other portal pages unless internal roles are present
5. Test with External User Accounts
Use impersonation or test logins to verify:
- Homepage access is blocked
- Navigation modules are hidden
- Portal loads correctly
- No ACL exceptions or data leaks
Optional Enhancements
- Create a scoped application for external users to isolate their experience
- Use UI Policies or Client Scripts to hide UI elements dynamically
- Add a custom landing page with tailored content and branding
If my response helped please mark it correct and close the thread so that it benefits future readers.
Best,
Anupam.
4 hours ago
To restrict access to UI pages and Next Experience routes you need to use the ACL with type ui_page or ux_route.
The Explicit Roles plugin mentioned by @Kieran3 is the way to go. I don't see why you couldn't replicate the ACLs and hide the header menus, apps/modules etc., but it does not seem worth it when you can install a plugin that does what you are looking for but also introduces data ACLs. Tech-savvy users can always potentially interact with OOB APIs or do something unexpected like interact with tables via e.g. /$sp.do?id=lf
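
The interceptor script earlier in the thread decides with a plain prefix match on the request URI, and the last reply points out that routes such as /$sp.do?id=lf sit outside the portal path. As an added example (plain JavaScript, not ServiceNow code and not written by any poster in this thread), the check below normalizes the path and matches on a segment boundary, then compares it with the prefix-only test; `isExternalPortalPath`, `prefixOnly` and the sample URIs are constructed for illustration.

```javascript
// Added example: generic JavaScript, no ServiceNow APIs are used or assumed.
const PORTAL_PREFIX = '/external'; // portal path taken from the thread

// Reduce a request URI to its effective path, or null if it cannot be trusted.
function normalizePath(rawUri) {
  let path = rawUri.split(/[?#]/, 1)[0];      // drop query string and fragment
  try {
    path = decodeURIComponent(path);          // decode once, e.g. %2e%2e -> ..
  } catch (e) {
    return null;                              // malformed percent-encoding
  }
  if (path.includes('\\') || path.includes('\0')) return null;
  const out = [];
  for (const seg of path.split('/')) {        // resolve "." and ".." segments
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (out.length === 0) return null;      // climbs above the root
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Strict check: exact portal path, or a path below it on a "/" boundary.
function isExternalPortalPath(rawUri) {
  const path = normalizePath(rawUri);
  if (path === null) return false;
  return path === PORTAL_PREFIX || path.startsWith(PORTAL_PREFIX + '/');
}

// The prefix-only comparison, kept for side-by-side results.
function prefixOnly(rawUri) {
  return rawUri.startsWith(PORTAL_PREFIX);
}

// Constructed sample URIs (not captured traffic).
const SAMPLES = [
  '/external', '/external?id=index', '/externals',
  '/external/../now/nav/ui/home', '/external/%2e%2e/now/nav/ui/home',
  '/now/nav/ui/home', '/$sp.do?id=lf',
];

function compare() {
  return SAMPLES.map((uri) => ({
    uri, prefixOnly: prefixOnly(uri), strict: isExternalPortalPath(uri),
  }));
}
```

Rows where `prefixOnly` is true and `strict` is false are the URIs a redirect rule based on a prefix match would let through; a path check of this kind only steers navigation, so the ACLs discussed in the replies remain what actually restricts data access.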
