Instance Scan Check: "Role definition for Service portal pages" useful?

Can Althaus · ‎11-02-2022

There is a security check in ServiceNow that suggests that there should be no Portal pages with no roles set.

When I look at the findings there are a lot of ServiceNow Baseline pages that do not uphold this supposed security best practice. So I wonder if this is really a useful check, or why it has been introduced into the instance scan.

The solution would be to set a default role in all findings, including baseline pages, which does not sound like a good idea. And I wonder if it really makes sense to do it for custom pages only. Is there really much of a risk?

In terms of good / best practices - how should an admin approach this scan result? Should it be ignored?

zynsn · ‎04-06-2024

Hi @Can Althaus ,

I have came across too. What did you decide to do? Do you apply like an internal role to these widgets that were flagged in the instance scan?

Can Althaus · ‎04-07-2024

Hello @zynsn

thank you for reaching out to me.

We decided to ignore this finding.

There are no further information on this anywhere.
It does not seem to be particularly risky. So we treat it now as a reminder to evaluate if you should add a role or not.
For the baseline pages that violate the rule we do not want to incur a potential tech dept for future upgrades, so we leave them as they are. If ServiceNow sees this as important, they have to add roles to the pages on their end and push it to the instance via update.