Restrict all user logins

gerardjohnson · ‎08-30-2015

Hello, I want to block all logins to our dev and uat instances except admins and select users.

I am a new SN admin with limited knowledge.

ACL appears to be object based only, and SNC Access Control is too complex requiring a plugin, HI accounts, tokens etc.

Using Access Control Rules - ServiceNow Wiki

ServiceNow Access Control - ServiceNow Wiki

At a guess I would make a group adding all roles except admins and selected users, but don't know the best way to rule this to restrict logins, override roles, find conflicts and so on.

Is there a easy way to just turn login off?

Mark Stanger · ‎08-30-2015

There are a few different approaches to this, one being to run a script after a clone that goes in and de-activates all of the accounts. I think that this approach is way too burdensome and you can also have accounts get turned back on from a data load so it's not completely foolproof.

If you want to control login, you should use Installation Exits. This allows you to control login behavior for all users in the system from a single place. I've written an article at SNGuru that shows you how to do this for local and LDAP logins. If you're using some other flavor of SSO you would just need to make similar modifications to those installation exits.

Custom Login Validation with Installation Exits - ServiceNow Guru

View solution in original post

gerardjohnson · ‎08-31-2015

Thank you yes good idea, I will be adding Marks script to prod but not active, just in case.

Mark Stanger · ‎09-01-2015

Great! You should probably change this line to an 'and' rather than an 'or', but the rest looks good.

if(!isAdmin || !isVisitor)