Restrict all user logins

gerardjohnson
Kilo Contributor

Hello, I want to block all logins to our dev and uat instances except admins and select users.

I am a new SN admin with limited knowledge.

ACL appears to be object based only, and SNC Access Control is too complex requiring a plugin, HI accounts, tokens etc.

Using Access Control Rules - ServiceNow Wiki

ServiceNow Access Control - ServiceNow Wiki

At a guess I would make a group adding all roles except admins and selected users, but don't know the best way to rule this to restrict logins, override roles, find conflicts and so on.

Is there an easy way to just turn login off?

1 ACCEPTED SOLUTION

Mark Stanger
Giga Sage

There are a few different approaches to this, one being to run a script after a clone that goes in and de-activates all of the accounts. I think that this approach is way too burdensome and you can also have accounts get turned back on from a data load so it's not completely foolproof.



If you want to control login, you should use Installation Exits. This allows you to control login behavior for all users in the system from a single place. I've written an article at SNGuru that shows you how to do this for local and LDAP logins. If you're using some other flavor of SSO you would just need to make similar modifications to those installation exits.



Custom Login Validation with Installation Exits - ServiceNow Guru



11 REPLIES

Hi there,

 

I know this was 3 years ago, but I am trying to implement a similar thing but instead of admin rights in order to access lower environments, I need to limit access to the mobile application by group membership. Are you aware of any solutions to this or script I can implement to have this type of behavior?

Thanks!

Community Alums
Not applicable

Hello Marcos.

How could I make these configurations but for users that are not created through LDAP?

Pradeep Sharma
ServiceNow Employee

Hi Gerard,



There is a field called "Locked out" on sys_user table which you can use to block the logins.


You can filter the required records by going to the sys_user filter, then copy the query, go to the background script, and set the field "Locked out" to checked on those records.


P.S.: Try it on dev and be extra careful with the query. Make sure you don't make admin/other accounts locked out.



Please let me know if you have any questions.


Thank you Pradeep, this is what I thought of doing first, lock everybody but admins.



I'm going with Mark's answer as this also allows an admin to lock everybody out in emergencies without changing the users themselves.




Kalaiarasan Pus
Giga Sage

Just to add to what Pradeep Sharma is saying, you can add this to your post clone activity to have this taken care of automatically every time a clone is done.



System Clone - ServiceNow Wiki
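
The "Locked out" approach from Pradeep Sharma's reply, in the form it could take as a background script or post-clone script. This is an added example, not code from any poster in the thread; the names `KEEP_USERS`, `DRY_RUN`, `selectUsersToLock` and `lockOutNonAdmins` are introduced here, and the user names in `KEEP_USERS` are hypothetical. It guards against the failure the P.S. warns about by refusing to run when no admin accounts are found and by defaulting to a dry run.

```javascript
// Added example, written in ES5 so it runs in a background script and in Node.
// KEEP_USERS holds hypothetical user names (assumption): list the selected
// users and any integration accounts that must keep working.
var KEEP_USERS = ['dev.tester1', 'uat.lead'];
var DRY_RUN = true; // flip to false only after reviewing the dry-run log

// Pure decision step: which of the given users should be locked out.
function selectUsersToLock(users, adminIds, keepUserNames) {
  if (adminIds.length === 0) {
    // An empty admin list means the role lookup failed; locking now
    // would lock out every account, admins included.
    throw new Error('No admin accounts found, refusing to lock anyone');
  }
  return users.filter(function (u) {
    return !u.locked_out &&
      adminIds.indexOf(u.sys_id) === -1 &&
      keepUserNames.indexOf(u.user_name) === -1;
  });
}

// ServiceNow side: collect admins and unlocked users, then lock the rest.
function lockOutNonAdmins() {
  var adminIds = [];
  var hasRole = new GlideRecord('sys_user_has_role');
  hasRole.addQuery('role.name', 'admin');
  hasRole.query();
  while (hasRole.next()) { adminIds.push(hasRole.getValue('user')); }

  var users = [];
  var gr = new GlideRecord('sys_user');
  gr.addQuery('locked_out', false);
  gr.query();
  while (gr.next()) {
    users.push({ sys_id: gr.getUniqueValue(),
                 user_name: gr.getValue('user_name'), locked_out: false });
  }

  var targets = selectUsersToLock(users, adminIds, KEEP_USERS);
  targets.forEach(function (u) {
    gs.info((DRY_RUN ? 'Would lock: ' : 'Locking: ') + u.user_name);
    if (!DRY_RUN) {
      var rec = new GlideRecord('sys_user');
      if (rec.get(u.sys_id)) { rec.setValue('locked_out', true); rec.update(); }
    }
  });
  return targets.length;
}

// Only touch records when running inside a ServiceNow instance.
if (typeof GlideRecord !== 'undefined') { lockOutNonAdmins(); }
```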