User Self-Registration Security Concerns

Eduardo Paredes
Giga Guru

Hello community,

We have a requirement to allow users to self-register to have access to a custom service portal but noticed that we need to make the scripted REST resource (/api/sn_sc/v1/servicecatalog/items/{sys_id}/submit_producer) public to allow unauthenticated users to submit their account registration request. 

We are concerned about the cyber security implications of doing this as there is an exploitation risk of sending malicious payloads to this endpoint.

What are your thoughts around this security concern?


Thank you,

Eduardo Paredes.

1 ACCEPTED SOLUTION

Allen Andreas
Administrator

Hi,

I'm unsure if that is actually necessary. If you look at the Customer Service Management model for self-registration that would help you along with this. You mentioned a custom service portal, but you don't have the CSM application? Is that correct?

You'd have to create a self-registration process, most likely, and you'd want to allow "create" permissions for no-role users. Whatever happens after that is up to you... do they need to go to approval? Should they be given a registration code beforehand to help try and limit SPAM?

Please mark reply as Helpful/Correct, if applicable. Thanks!


Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!


Hi Allen,

That is correct, we don't have the CSM application. We only have the ITSM application, but we installed the com.snc.user_registration plugin which takes care of the approval process for the account requests.

We noticed that the registration form cannot be submitted unless "Requires authentication" on the scripted REST resource is unchecked.