Restrict external / guest users to a single Record Producer in HRSD portal

IamHarsh
Hi Community,

We have an 8-year-old ServiceNow instance and are currently reviewing access controls around guest / external users, as we’ve identified a potential data breach and compliance risk.

Current setup

  • We have a support group (sys_user_group) used to manage Guest accounts

  • These users currently have:

    • snc_internal

    • mobile_user

  • We also have a custom HRSD portal

  • At the moment, the portal is accessible to any user, including users who are not part of our organization

  • Guest users are now able to see all widgets such as My Tickets, Popular Items, and effectively all catalog items, which should not be exposed to them

This creates a significant security and compliance issue, as external users can view internal content and functionality.

Requirement

We need to:

  • Restrict external / guest users

  • Allow them to access only ONE specific Record Producer (used to create a case)

  • Block access to:

    • Other record producers

    • Catalog items

    • Widgets (My Tickets, Popular Items, etc.)

    • Any other portal pages or data

Challenges

  • The instance is quite old and we’re not sure where or how that guest group is being used

  • As an experiment, I tried removing roles from those users, and it worked

  • However, management is hesitant to proceed with role removal due to potential unknown downstream impacts

What I’m looking for

I’d appreciate guidance on:

  1. Best practices to restrict portal access without removing core roles

  2. How to trace where a group is being used (ACLs, scripts, portal configs, widgets, etc.)

  3. Recommended approaches using:

    • Portal user criteria

    • ACLs

    • Record Producer–level restrictions

    • HRSD-specific patterns for guest or external access

If anyone has handled a similar HRSD guest/external user restriction scenario, I’d really value your input on what worked and what to avoid.


Thanks in advance for your help!
Harsh
