Snc_Internal - Snc External

Yakup Can Karad
Tera Contributor

‎02-02-2023 05:48 AM

Hi,

 

I need to give both snc_internal and snc_external roles to the users. But the system does not allow me to do it, how can I solve this problem? 

 

Thanks, 

Yakup 

0 Helpfuls
  • 5,800 Views
8 REPLIES 8

SatyakiBose
Mega Sage

‎02-02-2023 06:36 AM

Hello @Yakup Can Karad 

Good day.

What you are asking for here is not a recommended practice by ServiceNow.

The 2 roles are created intentionally to differentiate between levels of access on the instance.

Please go through the documentation here - Explicit Roles 

The Now Platform prevents users from having both the snc_external role and the snc_internal role. The Now Platform applies this mutual exclusion everywhere in the system and writes error messages to the logs for each conflict.

Note: ACLs can have both roles if the ACL resources should be accessible to all users.
 
But but but.
There is a workaround, and its highly highly recommended NOT TO USE IT.
Disable the system property - glide.security.use_explicit_roles 
Disabling this would have impact on ACL and Business Rules evaluation, and would inadvertently impact on the access on the instance for the users. You can read more about this here:
  1. How to disable the snc_internal role to be assigned to users automatically 
  2. Removing the snc_external and snc_internal roles roles from system added by the CSM Plugin 

There are some community articles also which speak of the same thing:

 

Hope I was able to answer your question.

Community Alums
Not applicable

‎02-02-2023 07:26 AM

Hi @Yakup Can Karad ,

The Explicit Roles (com.glide.explicit_roles) plugin provides the snc_external and snc_internal roles.

When this plugin is activated:
  • All existing users are automatically assigned the snc_internal role. This role does not change existing access levels or system behavior. Rather, it provides a category to differentiate internal users from external users. All internal users maintain the same level of access as before the plugin was activated. 

  • Newly created users are automatically assigned the snc_internal role when they first attempt to log in to the instance, unless they have been explicitly assigned the snc_external role. You can add the snc_external role to a new user before they first log in to the instance to provide external user rights.

 

Yakup Can Karad
Tera Contributor

‎02-02-2023 11:43 PM

Thanks for your answers, but they don't work. Even if I change Glide.security.use_explicit_roles to false, the business rules give me an below error. I need to some internal users reach out to out of box portals that needs to snc_external roles. That is why I need to give a user both snc_external and snc_interrol roles. But I think there is business rule that restrict it. Do you know the name of it if it is business rule? If it smt else, could you help me find it? 

 

Thanks, 

Yakup 

.  

YakupCanKarad_0-1675409953460.png

 

0 Helpfuls

SatyakiBose
Mega Sage

‎02-03-2023 01:53 AM

Hi @Yakup Can Karad 

I remember that there is a BR which controls the provision of snc_internal & snc_external users.

However, on my PDI I did not find it anymore. Even if was visible, am sure it has a read-only protection policy for customer.

Also, when I disable to system property, I am able to add the snc_internal/external to the same user without any error.

Can you please check the plugins that are installed, which provisions the explicity roles plugin along with it.

Do you have the CSM plugin installed? If yes, please go through this documentation - Explicit Roles in CSM