Restrict login by roles

kimberlylp
Giga Guru

Our instance is using SSO LDAP. There are imports that pull the entire company's directory into sys_user. If the user does not have a specific role assigned to them, PA_user, they cannot log in to ServiceNow.

Will someone help me find where that configuration is set?

I assumed it would be in the login script, but no luck there.

1 ACCEPTED SOLUTION

kimberlylp
Giga Guru

I ended up creating a HI ticket for support. Prasanna, from SN, found the custom script GroupBasedUserAuthenticationGate that checks a custom property, instance.access.group, which contained the group name being authenticated.



I have the customization documented now.



Thanks for your helpful suggestions.


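To make concrete what a gate like the one described in the accepted solution does, here is an added example in plain JavaScript; it is not the poster's script and not ServiceNow's own code. It models the instance.access.group property and the sys_user_group / sys_user_grmember tables as constructed in-memory data; in a real instance those lookups would use gs.getProperty() and GlideRecord. The comma-separated property format, the group and user names other than PA_user, and the fail-closed behaviour on an empty property are assumptions.

```javascript
// Added example (hypothetical, not ServiceNow code): a group-based login gate like
// GroupBasedUserAuthenticationGate; GlideRecord/gs.getProperty lookups replaced by arrays.

// Constructed stand-in for the instance.access.group system property.
// Assumed format: comma-separated group names (a common ServiceNow convention).
const INSTANCE_ACCESS_GROUP = 'PA_user, ServiceNow Admins';

// Constructed stand-ins for sys_user_group and sys_user_grmember rows.
const SYS_USER_GROUP = [
  { sys_id: 'g1', name: 'PA_user', active: true },
  { sys_id: 'g2', name: 'ServiceNow Admins', active: true },
  { sys_id: 'g3', name: 'Former Staff', active: false },
];
const SYS_USER_GRMEMBER = [
  { user: 'alice', group: 'g1' },
  { user: 'bob', group: 'g3' },
  { user: 'carol', group: 'g2' },
];

// Parse the property into a normalised set of lower-case group names.
function parseAllowedGroups(propertyValue) {
  return new Set(
    String(propertyValue || '')
      .split(',')
      .map((g) => g.trim().toLowerCase())
      .filter((g) => g.length > 0)
  );
}

// Active group names a user belongs to (sys_user_grmember joined to sys_user_group).
function activeGroupsOf(userName) {
  const byId = new Map(SYS_USER_GROUP.map((g) => [g.sys_id, g]));
  return SYS_USER_GRMEMBER
    .filter((m) => m.user === userName)
    .map((m) => byId.get(m.group))
    .filter((g) => g && g.active)
    .map((g) => g.name.toLowerCase());
}
// The gate itself: returns { allowed, reason } so every decision can be logged.
function gateLogin(userName, propertyValue) {
  const allowed = parseAllowedGroups(propertyValue);
  if (allowed.size === 0) {
    // Assumption: fail closed; a blank property must not admit every directory user.
    return { allowed: false, reason: 'instance.access.group is empty; denying by default' };
  }
  const match = activeGroupsOf(userName).find((g) => allowed.has(g));
  if (match) return { allowed: true, reason: 'member of ' + match };
  return { allowed: false, reason: 'not a member of any group in instance.access.group' };
}
```

Membership in an inactive group is treated as no membership, which is why a user whose only group has been deactivated is denied even though the sys_user_grmember row still exists.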


I take it there's no documentation detailing how it was configured in this way?


There is no documentation


Kimberly Phillips wrote:



There is no documentation


Pity, as this would have narrowed down your search and arrived at the answer much more quickly. No chance of finding out who applied the change?



Either way, is an account outside of PA_user marked "inactive" or "locked out" at all?



What happens if you manually create a new account in the platform (not a member of PA_user) and attempt to log in as them? Are you denied access?


All active AD users are marked as active and they are not locked out. The transform map locks out and deactivates users who are not active in AD.



Even SN only users have to be in the PA_user group to log in.


I'd look at your user transform maps and transform scripts to see if there is anything there that changes the users that don't have this role.



With LDAP authentication, ServiceNow passes the user ID and password to LDAP for authorization since the passwords aren't stored in ServiceNow, and LDAP will then respond whether the user is authorized to log in. Something could be set up within AD/LDAP too that prevents this.