User table access to External users
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
4 hours ago
Hello community,
We have a use case and need to follow best practice and thought of checking with experts here about building something if it would be a reasonable approach considering the platform architecture.
In our User table 'sys_user', we have Internal users and Externals too. we do not have CSM license. Currently looking at the user table access through ACLs, here is the finding - viewing other user records is restricted for non itil users. Members with 'snc_internal' role can view user records of others if they have more elevated access.
Now we have to build a catalog item where end users (external users) are expected to raise the item for them or on behalf of others (both internal and external).
Is it suggested to provide access for external users to view other user records (internal and external)?? Please recommend the best practices and standard approach
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
4 hours ago
Hi @LalithkumaS
External users (those assigned the snc_external role) should not typically have access to full user records in the sys_user table due to privacy, security, and licensing concerns.
- Granting such access goes against established security best practices and platform hardening guidelines.
- It can also expose sensitive Personally Identifiable Information (PII), including email addresses, phone numbers, department details, and user IDs, which should not be shared across external audiences.
- Additionally, building functionality that enables external users to bypass platform controls or replicate capabilities of licensed products (such as CSM) may create contractual and compliance risks with ServiceNow.
- Providing access to core or foundational data like user records can also blur the distinction between internal and external users, potentially leading to licensing complications.
It would be advisable to review this approach with your ServiceNow Account Executive before proceeding.
