07-12-2017 07:49 AM
Our instance is using SSO LDAP. There are imports that pull the entire company's directory into sys_user. If the user does not have a specific role assigned to them, PA_user, they cannot log in to ServiceNow.
Will someone help me find where that configuration is set?
I assumed it would be in the login script, but no luck there.
Labels: Instance Configuration
07-17-2017 05:44 AM
I ended up creating a HI ticket for support. Prasanna, from SN, found the custom script GroupBasedUserAuthenticationGate that checks on a custom property instance.access.group which contained the group name being authenticated.
I have the customization documented now.
Thanks for your helpful suggestions.
07-12-2017 07:56 AM
Hi Kimberly,
If you want to control login, you should use Installation Exits. This allows you to control login behavior for all users in the system from a single place. I've written an article at SNGuru that shows you how to do this for local and LDAP logins. If you're using some other flavor of SSO you would just need to make similar modifications to those installation exits.
Custom Login Validation with Installation Exits - ServiceNow Guru
Thanks,
Rohith.
07-12-2017 09:57 AM
Hi Rohith,
I checked all the scripts in Installation Exits and the PA_user group is not listed in any of them. It appears that all these scripts have not been customized and are out of the box.
Is there any other place that could control the login?
07-12-2017 09:11 AM
If you want a simple, yet primitive solution...
How about a job (or business rule) that deactivates users who do not have the role?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-12-2017 09:41 AM
Thank you for your response.
I'm not trying to change or control the user. I've inherited this instance and this control is already in place. If the user is in the PA_user group they are able to log in. If they are not in that group, they get the invalid username/password message.
We have about 3 or 4 thousand employees in AD, but only 4 or 5 hundred of them are in the PA_user group. We import all users in AD.
I'm trying to find where that configuration is set that allows that group/role in and denies all others.