
Enable New Users to Set Their Password via Email Link

jayanthchen
Tera Expert

Overview:

When a new user account is created in ServiceNow, it is often necessary to allow the user to set their password securely for the first time.

Instead of manually assigning passwords or asking administrators to reset them, we can automatically send a secure password reset link via email when the user record is created.

This approach provides several benefits:

  • Improves security by avoiding manual password sharing
  • Enhances user experience by allowing users to set their own password
  • Reduces administrative overhead
  • Ensures the reset link is time-limited for security

In this solution, the reset link is valid for one hour, controlled through a system property.

Solution Architecture:

The implementation uses the following main components:

  1. Event Registration – A custom event is registered to trigger the password reset notification.
  2. Notification – A configured email notification listens to the registered event and sends the password reset link to the user with the required details.
  3. Script Include – Generates the password reset request and sends the email.
  4. Business Rule – Triggers the reset link when a user record is created.
  5. System Property – Controls how long the reset token remains valid.

Workflow:

  1. A new user record is created.
  2. A Business Rule triggers the password reset process.
  3. A Script Include creates a password reset request.
  4. A unique token is generated.
  5. A secure reset URL is created and shortened.
  6. An email notification containing the reset link is sent to the user.
  7. The user can set their new password within the configured validity period (1 hour).

Script Include: Generate and Send Password Reset Link

This Script Include handles the main logic for:

  • Creating the password reset request
  • Generating a secure token
  • Building the reset URL
  • Sending the email event

Script Include Code:

var SetPasswordViaEmail = Class.create();
SetPasswordViaEmail.prototype = {

    initialize: function() {},

    sendResetLinkEmail: function(user) {
        if (!user)
            return false;

        /* Get Password Reset Process */
        var process = this.getDefaultPwdResetProcess();
        if (!process)
            return false;

        /* Create pwd_reset_request */
        var reqGR = new GlideRecord('pwd_reset_request');
        reqGR.initialize();
        reqGR.user = user.sys_id;
        reqGR.process = process.sys_id;
        reqGR.status = 2; /* Setting VERIFIED as default */
        reqGR.action_type = 1; /* Reset Password */
        reqGR.sys_domain = user.sys_domain; /* Set request domain to User's domain */
        var requestId = reqGR.insert();
        if (!requestId)
            return false; /* Request record could not be created */

        /* Generate Reset URL Token */
        var token = SNC.PasswordResetUtil.generateUniqueUserToken(user.sys_id);
        if (!token)
            return false;

        /* Compose Reset URL (the redirect URL is percent-encoded so it stays a single parameter) */
        var redirectUrl = this._getInstanceURL() + '/esc?id=login';
        var resetURL = '/passwordreset.do?sysparm_id=' + user.sys_id +
            '&sysparm_request_id=' + reqGR.sys_id +
            '&sysparm_nostack=true' +
            '&sysparm_token=' + token +
            '&sysparm_redirect_url=' + encodeURIComponent(redirectUrl);

        /* Shorten URL */
        var shortenedURL = new GlideTinyURL().createTinyURLWithCustomLength(resetURL, 10);
        var fullURL = this._getInstanceURL() + shortenedURL;

        /* Send Email via Event: parm1 = validity in hours, parm2 = absolute shortened link */
        var tokenValidity = GlideProperties.get("glide.pwd_reset.onetime.token.validity", "1"); // hours
        gs.eventQueue('send.new_password.set.link', user, tokenValidity, fullURL);

        return true;
    },

    getDefaultPwdResetProcess: function() {
        var process = new GlideRecord('pwd_process');
        process.addActiveQuery();
        process.setLimit(1);
        process.query();
        if (process.next()) {
            return process;
        }
        return null;
    },

    _getInstanceURL: function() {
        var url = gs.getProperty("glide.servlet.uri");
        var override = gs.getProperty("glide.email.override.url");
        url = override ? override : url;
        if (GlideStringUtil.nil(url)) {
            gs.log("Instance URL is not configured properly.");
            return "";
        }
        url = url.trim();
        if (url.endsWith("/"))
            url = url.slice(0, -1);

        return url;
    },

    type: 'SetPasswordViaEmail'
};
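
The following is an added example, not part of the original article or of ServiceNow's code: a plain Node.js check for the long reset URL that the Script Include composes before it is shortened and emailed. It goes slightly beyond the article by also rejecting a redirect target outside the instance. The function names and the instance URL `https://example.service-now.com` are assumptions; only the parameter names come from the script above.

```javascript
// Added example (Node.js, not ServiceNow server-side code). All values are constructed.
const INSTANCE = 'https://example.service-now.com'; // hypothetical instance URL
const REQUIRED = ['sysparm_id', 'sysparm_request_id', 'sysparm_token', 'sysparm_redirect_url'];

// Compose the link. URLSearchParams percent-encodes every value, so a
// redirect URL that carries its own query string stays a single parameter.
function buildResetLink(instanceUrl, userId, requestId, token, redirectUrl) {
    const link = new URL('/passwordreset.do', instanceUrl);
    link.search = new URLSearchParams({
        sysparm_id: userId, sysparm_request_id: requestId, sysparm_nostack: 'true',
        sysparm_token: token, sysparm_redirect_url: redirectUrl
    }).toString();
    return link.toString();
}

// Return a list of problems; an empty list means the link passes every check.
function checkResetLink(link, instanceUrl) {
    const problems = [];
    let url, base;
    try {
        url = new URL(link);
        base = new URL(instanceUrl);
    } catch (e) {
        return ['link or instance URL is not an absolute URL'];
    }
    if (url.protocol !== 'https:') problems.push('link is not https');
    if (url.origin !== base.origin) problems.push('link is not on the instance origin');
    for (const name of REQUIRED) {
        if (!url.searchParams.get(name)) problems.push('missing ' + name);
    }
    const extras = [...url.searchParams.keys()]
        .filter(k => !REQUIRED.includes(k) && k !== 'sysparm_nostack');
    if (extras.length) problems.push('unexpected parameters: ' + extras.join(','));
    const redirect = url.searchParams.get('sysparm_redirect_url');
    if (redirect) {
        try {
            if (new URL(redirect).origin !== base.origin)
                problems.push('redirect leaves the instance');
        } catch (e) {
            problems.push('redirect is not an absolute URL');
        }
    }
    return problems;
}
```

A link built by string concatenation with an unencoded redirect such as `/esc?id=login&lang=en` is reported with `unexpected parameters: lang`, and a relative `/passwordreset.do?...` path is reported as not absolute.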

 

Business Rule: Trigger Password Setup Email

A Business Rule runs when a user record is created and triggers the password reset email.

Business Rule Script

Table: User

When To Run: After Insert/Update

Business Rule Code:

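if (current.operation() == 'insert') /* Send the link only when the user is created, not on later updates */
    new SetPasswordViaEmail().sendResetLinkEmail(current);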

 

System Property for Token Expiry:

The validity of the reset link is controlled by the following system property:

'glide.pwd_reset.onetime.token.validity'

Default Value: 1

Meaning:

| Value | Description |
|-------|-------------|
| 1 | Token valid for 1 hour |
| 2 | Token valid for 2 hours |
| n | Token valid for n hours |


This allows administrators to easily adjust token expiration without modifying code.

 

Email Notification:

An event is triggered in the Script Include:

'send.new_password.set.link'

A corresponding email notification should be configured to:

  • Listen for this event
  • Send the password reset link to the user
  • Inform them that the link is valid for a limited time

 

Security Benefits:

This approach improves platform security by:

  • Using token-based password reset links
  • Ensuring time-limited access
  • Avoiding manual password sharing
  • Supporting domain-aware requests
  • Using secure password reset processes

 

Final Result:

Once implemented:

  1. A new user record is created.
  2. The user automatically receives an email.
  3. The email contains a secure password setup link.
  4. The user can set their password within the configured validity period.
  5. After expiration, the link becomes invalid.

     


Thank you for your time. Please feel free to reach out if you have any questions.

— Jayanth Chennamsetti
ServiceNow Developer
