Why Xanadu added snc_internal role to incident table’s write ACL?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-19-2024 08:32 AM
After upgrading to Xanadu, we see the snc_internal role is added to many ACLs like incident table’s write ACL.
Why Xanadu added snc_internal role to incident table’s write ACL? This is so insecure.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-19-2024 08:41 AM - edited 09-19-2024 08:47 AM
Hi @Lisa71,
Please find the attached ServiceNow Support article below which covers the role and any guides that any existing ACL's without a role are patched with the 'snc_internal' role. For new ACLs, the Now Platform automatically adds this role if the ACL is saved without any role.
Hopefully this provides some context for you.
I believe the role association is related to Explicit Role Plugin and around the 'Quebe'c release (however I'd have to confirm that). The plugin is based around securing data and ACLs
To help others (or for me to help you more directly), please mark this response correct by clicking on Accept as Solution and/or Kudos.
Thanks, Robbie
https://noderegister.service-now.com/kb?id=kb_article_view&sysparm_article=KB0965712
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-20-2024 12:10 AM
Thanks. However we didn't install explicit role in this instance (or we installed the plugin before, however already clone down from a not installed instance). Why it still update our acl? Also, even before installing the plugin, we don't have ACL not assigned to any role per my verify.
The snc_internal role opens our security broadly, how to resolve the issue?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-30-2024 02:29 AM
If it truly was the upgrade that did this and the role is added on ACL's that already had other roles, create a NowSupport ticket, because (as far as I understood), this was just supposed to be done on ACL's without any role, to limit access and make it more secure, instead of less secure.
Checking on an instance I just upgraded to Xanadu, I have one write ACL on incident with the snc_internal role and that also includes conditions (like caller is dynamic me). So that means that it became more secure instead of less, because I now also need that role to update any incident.
Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-29-2025 06:09 PM
Can you confirm you have the plugin installed before the upgrade: Service Management Core com.snc.service_management.core
If so this would enable the explicit roles plugin as it's a dependent plugin as of Xanadu. This would then insert snc_internal role into your instance and roles.