08-30-2015 06:58 PM
Hello, I want to block all logins to our dev and uat instances except admins and select users.
I am a new SN admin with limited knowledge.
ACL appears to be object based only, and SNC Access Control is too complex requiring a plugin, HI accounts, tokens etc.
Using Access Control Rules - ServiceNow Wiki
ServiceNow Access Control - ServiceNow Wiki
At a guess I would make a group adding all roles except admins and selected users, but don't know the best way to rule this to restrict logins, override roles, find conflicts and so on.
Is there an easy way to just turn login off?

08-30-2015 07:38 PM
There are a few different approaches to this, one being to run a script after a clone that goes in and de-activates all of the accounts. I think that this approach is way too burdensome and you can also have accounts get turned back on from a data load so it's not completely foolproof.
If you want to control login, you should use Installation Exits. This allows you to control login behavior for all users in the system from a single place. I've written an article at SNGuru that shows you how to do this for local and LDAP logins. If you're using some other flavor of SSO you would just need to make similar modifications to those installation exits.
Custom Login Validation with Installation Exits - ServiceNow Guru

08-31-2015 09:03 PM
Thank you Mark that sounds great I will try this now.
How would you change the code to allow you to enter particular groups not just admin, say a Visitor role or group that has itil for test users?

08-31-2015 09:28 PM
Just change this line to check for a new, custom role if you like. Just make sure the role is granted to all groups (including admins) that need access.
if(rec1.role.getDisplayValue() == 'admin'){
09-01-2015 12:13 AM
Hello, I created a visitor role with itil role added and a Visitor group with visitor role added.
Instead of changing all mentions of admin in your script to visitor I added extra conditions like:
if(rec1.role.getDisplayValue() == 'admin'){
   isAdmin = true;
   break;
}
if(rec1.role.getDisplayValue() == 'visitor'){
   isVisitor = true;
}
and
//Allow access if the user is an admin or visitor
if((authed && isAdmin) || (authed && isVisitor) || (authed && userName.indexOf('@snc') > -1)){
   return user.getUser(userName);
}
and
//Alert if the user is neither an admin nor a visitor (&& rather than ||, so holding either role suppresses the message)
if(!isAdmin && !isVisitor){
   gs.addErrorMessage('You must be a ServiceNow admin or have visitor rights to access this system.');
}
Tried and tested with user, itil and admin accounts - all good. Thanks very much!
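
The role check discussed in this thread, generalized from one boolean per role to an allow-list, as an added example that is not part of the original posts or the SNGuru script. It uses plain ES5 with no Glide APIs so the decision logic can be tested outside an instance; `ALLOWED_ROLES`, `hasAllowedRole`, `decideLogin`, `runSamples` and the sample logins are assumed names and constructed data.

```javascript
// Added example: decision logic only, no ServiceNow (Glide) calls.
// ALLOWED_ROLES and the function names are illustrative, not from the thread.
var ALLOWED_ROLES = { admin: true, visitor: true };

// roleNames: role display values for one user, as the thread's loop reads
// them from rec1.role.getDisplayValue().
function hasAllowedRole(roleNames) {
  for (var i = 0; i < roleNames.length; i++) {
    if (Object.prototype.hasOwnProperty.call(ALLOWED_ROLES, roleNames[i])) {
      return true; // one allowed role is enough, so stop early
    }
  }
  return false;
}

// Same rule as the thread: authenticated AND (allowed role OR '@snc' in name).
// The '@snc' test is a substring match, exactly as posted in the thread.
function decideLogin(userName, authed, roleNames) {
  var roleOk = hasAllowedRole(roleNames);
  var sncUser = String(userName).indexOf('@snc') > -1;
  if (authed && (roleOk || sncUser)) {
    return { allow: true, message: null };
  }
  // Role message only for users who would be refused even with a valid password.
  var message = (!roleOk && !sncUser)
    ? 'You must be a ServiceNow admin or have visitor rights to access this system.'
    : null;
  return { allow: false, message: message };
}

// Constructed sample logins: [userName, authed, roleNames]
var SAMPLES = [
  ['alice.admin', true, ['itil', 'admin']],
  ['tess.tester', true, ['visitor', 'itil']],
  ['ivan.itil', true, ['itil']],
  ['alice.admin', false, ['admin']],
  ['support@snc', true, []]
];

function runSamples() {
  return SAMPLES.map(function (s) {
    return decideLogin(s[0], s[1], s[2]);
  });
}
```

Adding another permitted role then means one new key in `ALLOWED_ROLES` rather than a new flag in both the login and the failure-message branches.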