Read-only role for customers

ccouzi
Giga Contributor

Hi fellow MSPs,

Has anyone come across a scenario where you want to provide a customer contact with read-only access to view all open incidents logged by all other contacts in their organization? I was wondering if there's a way to do this without using up a fulfiller license.

1 ACCEPTED SOLUTION

dmaze531
Kilo Expert

I have. It's a pretty common request. Here is my advice. Others can speak as well:



  1. First and foremost: Contact your account rep to make sure you are not violating any agreements. You do not want to put something into production and then find out you are in violation.
  2. See Number 1 above.
  3. Here is a link to a ServiceNow Wiki article on useful scripts:
    1. http://wiki.servicenow.com/index.php?title=Useful_Task_Scripts#gsc.tab=0



Walking a fine line here, so please check with the powers-that-be before you make any changes.



Helpful?



-Dan



8 REPLIES

Larry Vandiford
Tera Contributor

Hello,

Is your instance domain separated?  We have each customer set up with their own domain, and all users gain access to only the cases opened within the same domain that their company record is assigned to, not limited to the cases where they are the Contact Name or Requestor.  

We went with domain separation from day one, and have been very happy with the flexibility it offers.  

I'm not sure what the steps are for activating that plugin post implementation.  It seems like it would be a significant change though, likely requiring some collaboration with your account rep/sales engineer before attempting.  As an MSP, the functionality and flexibility of domain separation has been critical to our success.  

-Larry

 

 

BobbyNow
ServiceNow Employee

Try the Read Only Role. https://docs.servicenow.com/bundle/geneva-servicenow-platform/page/administer/user_administration/concept/c_ReadOnlyRole.html

Configure a group with all roles that will give your user(s) the read rights they require and then add the snc_read_only to the bunch. This role will nullify the modification rights, leaving the read ones in place.

Note: any user account given the snc_read_only role will become 100% read only, even admin users.

richelle_pivec
Mega Guru

So, I did this a little differently. After getting permission from our SN Representative that it was okay to have read-only users, I added ACLs to all of the fields on our Incident Form. For us, we didn't want all of our (non-licensed) team members to be able to see all of the fields, nor did we want all of our (non-licensed) team members to be able to see all of the incidents. Our SN rep assured us that the read_only role was allowed to give to team members, so this allowed us to add those team members we wanted to be able to see the incidents into a group called Read Only with the role of read_only.

I then proceeded to use that role for the ACLs on the Incident form. I added the Write ACL for the ITIL role for every field I wanted our fulfillers to be able to update, and I added the Read role for ITIL for all of the fields as well.

Because there were some fields I wanted our "read-only" users to see and some fields I wanted all users to be able to see, I also added the "read-only" role to a Read ACL for those I wanted them to be able to specifically see. (For those I wanted everyone to read, I did not add any Read ACLs.)

If you wanted all of your team members to be able to have Read Only access, you would just need to add the Write role for ITIL, as adding no Read ACL should give everyone access to read the field. If you have a front-end way for your team members to access the incidents (like a CMS portal or Service Portal), they should be able to read any incident they have access to. (I did that with a List embedded into a CMS page with a hyperlink to the list in a content block on the team members' home page. The link took them to just the Incidents they had submitted.)

This limits their access to other areas of your build without you having to lock down every item on the Navigational Menu. The same rules apply there. If you have no Read ACL, everyone can read it...so, you'd have to add a Read ACL for ITIL or Admin to keep the read_only team members from being able to see things they don't need to see.

I hope that helps,

Richelle
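
An added example, not part of any post in this thread and not ServiceNow code: a small JavaScript audit of field ACLs under the rule described in the post above (a field with no ACL for an operation is open to everyone). The ACL row shape, the field list and the function names are hypothetical, and the sample rows are constructed.

```javascript
// Constructed sample: field-level ACL rows for the Incident form
// (hypothetical export shape: field, operation, roles allowed).
const SAMPLE_ACLS = [
  { field: "short_description", operation: "write", roles: ["itil"] },
  { field: "state", operation: "read", roles: ["itil", "read_only"] },
  { field: "state", operation: "write", roles: ["itil"] },
  { field: "work_notes", operation: "read", roles: ["itil"] },
  { field: "work_notes", operation: "write", roles: ["itil"] },
  { field: "caller_id", operation: "read", roles: ["itil", "read_only"] },
  // caller_id has no write ACL: the gap this audit is meant to surface
];
const SAMPLE_FIELDS = ["short_description", "state", "work_notes", "caller_id"];

// Assumption taken from the thread: no ACL for (field, operation) means
// everyone passes; otherwise the user needs one of the listed roles.
function allowed(acls, field, operation, userRoles) {
  const matching = acls.filter(
    (a) => a.field === field && a.operation === operation
  );
  if (matching.length === 0) return true;
  return matching.some((a) => a.roles.some((r) => userRoles.includes(r)));
}

// Report what a user holding userRoles can see and change, plus the fields
// readable only because nobody wrote a read ACL for them.
function auditRole(acls, fields, userRoles) {
  const report = { readable: [], hidden: [], writable: [], openRead: [] };
  for (const f of fields) {
    const hasReadAcl = acls.some(
      (a) => a.field === f && a.operation === "read"
    );
    if (!hasReadAcl) report.openRead.push(f);
    if (allowed(acls, f, "read", userRoles)) report.readable.push(f);
    else report.hidden.push(f);
    if (allowed(acls, f, "write", userRoles)) report.writable.push(f);
  }
  return report;
}

// A non-empty "writable" list for the read-only group means a write ACL
// is missing somewhere on the form.
console.log(auditRole(SAMPLE_ACLS, SAMPLE_FIELDS, ["read_only"]));
```
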

KANDI1
Kilo Explorer

If you add the snc_read_only role to an admin user, he also has read-only access. Please take care when adding this to any admin user or group.