Vendor Contacts login with Account Recovery enabled

Lane3
Tera Contributor

Is it possible to allow vendor contacts (third-party contacts) to log in using local authentication in an instance with Account Recovery enabled?

 

When enabled, Account Recovery prevents local logins except for configured Account Recovery users. This is preventing newly created vendor contacts from successfully logging into the svdp portal. Disabling Account Recovery resolves the login issue, but this solution is not ideal because the Account Recovery tool is recommended by ServiceNow to provide enhanced security. 

 

Thanks for any insights you can provide!

1 ACCEPTED SOLUTION

Randheer Singh
ServiceNow Employee

Yes, it is absolutely possible. You can modify the policy associated with the account recovery context. You can add a new condition in the policy to allow vendor users.

You can create a role filter criteria with the vendor contact role and use it in the account recovery context allow policy.

 


 

 

Here is the documentation 
https://docs.servicenow.com/bundle/utah-platform-security/page/integrate/single-sign-on/concept/acco...

 

Thanks,

Randheer


3 REPLIES

Maik Skoddow
Tera Patron

Hi @Lane3 

as you can read on https://docs.servicenow.com/bundle/vancouver-platform-security/page/integrate/single-sign-on/concept... the account recovery feature is only intended for

  1. scenarios with enabled SSO
  2. users with admin roles & responsibilities

To my mind, it's highly critical and a security breach if you assign a vendor the acr_admin role! 

From a customer instance with enabled SSO, I can tell you that we don't have account recovery enabled.

Maik


Lane3
Tera Contributor

Thank you @Randheer Singh!