Restrict all user logins

gerardjohnson
Kilo Contributor

Hello, I want to block all logins to our dev and uat instances except admins and select users.

I am a new SN admin with limited knowledge.

ACL appears to be object based only, and SNC Access Control is too complex requiring a plugin, HI accounts, tokens etc.

Using Access Control Rules - ServiceNow Wiki

ServiceNow Access Control - ServiceNow Wiki

At a guess I would make a group adding all roles except admins and selected users, but don't know the best way to rule this to restrict logins, override roles, find conflicts and so on.

Is there an easy way to just turn login off?

1 ACCEPTED SOLUTION

Mark Stanger
Giga Sage

There are a few different approaches to this, one being to run a script after a clone that goes in and de-activates all of the accounts. I think that this approach is way too burdensome and you can also have accounts get turned back on from a data load so it's not completely foolproof.

If you want to control login, you should use Installation Exits. This allows you to control login behavior for all users in the system from a single place. I've written an article at SNGuru that shows you how to do this for local and LDAP logins. If you're using some other flavor of SSO you would just need to make similar modifications to those installation exits.



Custom Login Validation with Installation Exits - ServiceNow Guru



Thank you Mark that sounds great I will try this now.



How would you change the code to allow you to enter particular groups not just admin, say a Visitor role or group that has itil for test users?


Just change this line to check for a new, custom role if you like. Just make sure the role is granted to all groups (including admins) that need access.



if(rec1.role.getDisplayValue() == 'admin'){


Hello, I created a visitor role with itil role added and a Visitor group with visitor role added.



Instead of changing all mentions of admin in your script to visitor, I added extra conditions like:


    if(rec1.role.getDisplayValue() == 'admin'){
        isAdmin = true;
        break;
    }
    if(rec1.role.getDisplayValue() == 'visitor'){
        isVisitor = true;

and


    //Allow access if the user is an admin or visitor
    if((authed && isAdmin) || (authed && isVisitor) || (authed && userName.indexOf('@snc') > -1)){
        return user.getUser(userName);

and


    //Alert if the user is neither an admin nor a visitor
    if(!isAdmin && !isVisitor){
        gs.addErrorMessage('You must be a ServiceNow admin or have visitor rights to access this system.');


Tried and tested with user, itil and admin accounts - all good. Thanks very much!
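
The role check discussed in this thread, as an added example that is not part of the original posts or of the SNGuru script: a stand-alone JavaScript model of the allow decision using a set of permitted roles, plus the two ways of negating a two-role check. The sample users and the names `ALLOWED_ROLES`, `USER_ROLES`, `rolesFor` and `decideLogin` are assumptions, and nothing here calls a ServiceNow API.

```javascript
// Added example: plain JavaScript model of the login gate, not ServiceNow code.
// ALLOWED_ROLES, USER_ROLES, rolesFor and decideLogin are hypothetical names.
const ALLOWED_ROLES = new Set(['admin', 'visitor']);

// Constructed sample rows standing in for user-to-role records.
const USER_ROLES = [
  { user: 'alice.admin', role: 'admin' },
  { user: 'tina.tester', role: 'visitor' },
  { user: 'tina.tester', role: 'itil' },
  { user: 'ed.enduser', role: 'itil' },
];

function rolesFor(userName) {
  return USER_ROLES.filter((r) => r.user === userName).map((r) => r.role);
}

// `authed` is the outcome of the password or LDAP check, done elsewhere.
function decideLogin(userName, authed) {
  const hasAllowedRole = rolesFor(userName).some((r) => ALLOWED_ROLES.has(r));
  const isSncAccount = userName.indexOf('@snc') > -1; // exception from the thread
  if (authed && (hasAllowedRole || isSncAccount)) {
    return { allow: true, message: null };
  }
  // Fail closed. Show the role message only when the role check is what failed,
  // so an allowed user who mistypes a password is not told they lack rights.
  const roleProblem = !hasAllowedRole && !isSncAccount;
  return {
    allow: false,
    message: roleProblem
      ? 'You must be a ServiceNow admin or have visitor rights to access this system.'
      : null,
  };
}

// "Lacks at least one of the two roles": true for an admin without visitor.
function lacksEitherRole(isAdmin, isVisitor) {
  return !isAdmin || !isVisitor;
}

// "Has neither role": the condition a denial message should test.
function lacksBothRoles(isAdmin, isVisitor) {
  return !(isAdmin || isVisitor);
}
```

Adding another permitted role means adding one entry to the set, with no extra flag or branch in the decision.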