Why did Xanadu add the snc_internal role to the incident table’s write ACL?

Lisa71
Tera Contributor

After upgrading to Xanadu, we see the snc_internal role has been added to many ACLs, like the incident table’s write ACL.

Why did Xanadu add the snc_internal role to the incident table’s write ACL? This is so insecure.

Robbie
Kilo Patron

Hi @Lisa71,

Please find the ServiceNow Support article below, which covers the role and advises that any existing ACLs without a role are patched with the 'snc_internal' role. For new ACLs, the Now Platform automatically adds this role if the ACL is saved without any role.

Hopefully this provides some context for you.

I believe the role association is related to the Explicit Role plugin and dates from around the 'Quebec' release (however, I'd have to confirm that). The plugin is based around securing data and ACLs.

To help others (or for me to help you more directly), please mark this response correct by clicking on Accept as Solution and/or Kudos.

Thanks, Robbie

https://noderegister.service-now.com/kb?id=kb_article_view&sysparm_article=KB0965712

Lisa71
Tera Contributor

Thanks. However, we didn't install the explicit role plugin in this instance (or we installed the plugin before, but have since cloned down from an instance where it was not installed). Why does it still update our ACLs? Also, even before installing the plugin, we didn't have any ACL not assigned to a role, per my verification.

The snc_internal role opens our security broadly. How do we resolve the issue?

If it truly was the upgrade that did this and the role is added on ACLs that already had other roles, create a NowSupport ticket, because (as far as I understood), this was just supposed to be done on ACLs without any role, to limit access and make it more secure, instead of less secure.

Checking on an instance I just upgraded to Xanadu, I have one write ACL on incident with the snc_internal role and that also includes conditions (like caller is dynamic me). So that means that it became more secure instead of less, because I now also need that role to update any incident.


Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark

simonpullen
ServiceNow Employee

Can you confirm you had this plugin installed before the upgrade: Service Management Core (com.snc.service_management.core)?

If so, this would enable the explicit roles plugin, as it's a dependent plugin as of Xanadu. This would then insert the snc_internal role into your instance and roles.
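
An added example, not part of the thread and not ServiceNow code: a Python check that compares ACL-to-role assignments exported before and after an upgrade and separates the two cases discussed above, role-less ACLs patched with snc_internal versus snc_internal added next to roles an ACL already had. The row layout, ACL identifiers and sample data are constructed assumptions; the second case is the one worth escalating because an ACL's role requirement is met by any one of its listed roles.

```python
from collections import defaultdict

ROLE = "snc_internal"

def roles_by_acl(rows):
    """Group (acl_id, role) rows into {acl_id: set_of_roles}.
    A row with role None records an ACL that has no role at all."""
    acls = defaultdict(set)
    for acl_id, role in rows:
        acls[acl_id]  # register the ACL even when it has no role rows
        if role:
            acls[acl_id].add(role)
    return acls

def classify(before_rows, after_rows):
    """Label each post-upgrade ACL by how snc_internal arrived on it."""
    before, after = roles_by_acl(before_rows), roles_by_acl(after_rows)
    report = {}
    for acl_id, now in after.items():
        if acl_id not in before:
            report[acl_id] = "new-acl"                # no baseline to compare
        elif ROLE not in now or ROLE in before[acl_id]:
            report[acl_id] = "not-affected"
        elif not before[acl_id]:
            report[acl_id] = "patched-roleless"       # was open to any role
        else:
            report[acl_id] = "added-alongside-roles"  # any listed role passes
    return report

# Constructed sample exports (assumed layout: one row per ACL/role pair).
SAMPLE_BEFORE = [
    ("incident.write/acl-1", None),
    ("incident.write/acl-2", "itil"),
    ("incident.read/acl-3", "itil"),
]
SAMPLE_AFTER = [
    ("incident.write/acl-1", ROLE),
    ("incident.write/acl-2", "itil"),
    ("incident.write/acl-2", ROLE),
    ("incident.read/acl-3", "itil"),
]

if __name__ == "__main__":
    for acl_id, verdict in sorted(classify(SAMPLE_BEFORE, SAMPLE_AFTER).items()):
        print(f"{verdict:22} {acl_id}")
```

ACLs reported as added-alongside-roles also need their condition and script reviewed, since those still apply on top of the role check.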