Public UI Page - to allow unauthenticated user to raise a request

Andy Newman · ‎09-05-2023

Hi

I need help to understand exact steps I need to overcome a security constraint. The below outlines my position and I would be so grateful for your advice and guidance.

We currently have a (public) UI page that allows unauthenticated users to create an incident record based on the details the user enters on that UI Page. This UI Page is accessed by link on a company homepage. From looking at the UI Page processing script I can see it's a simple script to insert an incident. This page was setup and configured by my predecessors so I wasn't involved in the setup. It works ok and does the job.

I have now been asked to add to that by providing the capability to allow a user to raise a request (for a specific request item), using a UI Page that has a similar look and feel to the page mentioned above.

I have built a new UI page and it works perfectly if I am authenticated but obviously struggles when I try to use it when logged out. This page is in the sys_public list so, I am able to navigate to the page when not logged in, and fill in the information (mainly just text fields, nothing special). However, when I submit there are (suspected) security constraints preventing correct operation.

Clearly I am missing something fundamental - possibly ACL related - I've tried playing around with the catalog item 'Available For' public users but still facing issues. I could really do with someone helping me with exact steps to follow to resolve this.

Thanks in advance.

Andy

Magnum1 · ‎11-01-2023

Found this awhile back. It helped me and I will try and outline what I did outside of these steps/instructions:

Description

When unauthenticated users try to submit a public catalog item in Service Portal, a 400 Bad Request error occurs and they are unable to submit. This issue is due to AngularProcessor authentication restrictions.

Steps

Catalog Item Configuration

The catalog item(s) intended for unauthenticated submission must have a 'User Criteria' that allows access to the public role
The variables must allow 'Create' permissions to the public role

Limitation

Adding attachments is not supported as a public user so as a best practice, use Portal settings to hide the attachment section fro public catalog items

Create your record producer or catalog item and make it public

Portal Settings (tab) – Hide Attachment, and Hide ‘Add to Wish List’ (checked)
Script – (Record Producer) ‘producer.portal_redirect = ‘any_redirect_page’
Available for (tab) – Create or add ‘User Criteria’ record

Note: Role should be ‘public, snc_external’

Variables – make sure the write, read, and create roles are ‘publi’

Note: Reference and List Collector variables must allow ‘Read’ access to that table content

Create a Portal (fill in as needed)
- url suffix
- homepage
- theme
  Note: you can make the (sc_cat_item) page public and not create a custom portal or pages (I create a custom page so I could leave ‘sc_cat_item’ page as is)

2. Make any widgets associated with your page or the sc_cat_item page public as well

3. Open the item in a incognito window [/sp?id=sc_cat_item&sys_id= 0c35909cb14156bc4bcbe33938409]

Note: add your custom page name in the url if you created a custom page. Although the catalog item is public, it will not allow you to submit the item

Workaround

To allow unauthenticated users access to catalog items, the following needs to be done (on instances running New York Patch 9, Orlando Patch 4 or higher):

Widget/Page Configuration

The following Service Portal Page(s) and Widget(s) must be configured to allow access to the public role:

Catalog Item Service Portal Page (sc_cat_item)
SC Catalog Item Widget
SC Order Guide Widget
Catalog Checkout Widget (if two step checkout has been enabled)
SC Order Status page and the Order Status widget

API Configuration

All the REST APIs used on the above mentioned widgets/pages must be configured to allow unauthenticated access by unchecking the `Requires Authentication` field in the REST API configuration. This includes the following API(s):

Buy Item
Submit a Record Producer
Validate Variable Regex (In case the item consists of a variable which requires Regex Validation)
Checkout Order Guide
Variable display value
Check requested for delegation on item. (Paris onwards)

If these REST APIs are configured to require authentication, they throw a `403 Unauthorized error` when accessed by a public user

Customers may need to reach out to the ServiceNow Support for making these API and Widget configurations

Catalog Item Configuration

The catalog item(s) intended for unauthenticated submission must have a User Criteria that allows access to the public role
The variables must allow Create permissions to the public role

Limitation

Adding attachments is not supported as a public user so as a best practice, use Portal Settings to hide the attachment section for public catalog items.
At present we do not support public Multirow Variable Set.

Related Problem: PRB854474

if you see the article it has mentioned to update the api method field "Requires Authentication" .

go to the scripted Rest API >> search for "Service Catalog API" >> you will see list of method (Resources tab), so make the changes to those method field "Requires Authentication"

Screenshot for an example for buy Item method.

View solution in original post

testewa · ‎10-03-2023

Hey Andy,
Did you find a solution for this? I'm running into a similar issue.

Andy Newman · ‎10-04-2023

Hi,

I'm glad it's not just me - but unfortunately not. I've moved on to another project while we work out what to do with this one.

kbukg · ‎08-13-2024

Were you able to fix? I am asking our devs to create a public form that allows non-employees to submit a specific ticket, but they have said it's not possible and proposed a workaround where a regular webform emails the information to SNOW, and then that information is then parsed into fields to create a request.

If you were able to get yours to work, would you consider PMing me (or reaching out via email) with the example? Feel free to just share a redacted screenshot; you don't need to share the link.

Magnum1 · ‎11-01-2023

Found this awhile back. It helped me and I will try and outline what I did outside of these steps/instructions:

Description

When unauthenticated users try to submit a public catalog item in Service Portal, a 400 Bad Request error occurs and they are unable to submit. This issue is due to AngularProcessor authentication restrictions.

Steps

Catalog Item Configuration

The catalog item(s) intended for unauthenticated submission must have a 'User Criteria' that allows access to the public role
The variables must allow 'Create' permissions to the public role

Limitation

Adding attachments is not supported as a public user so as a best practice, use Portal settings to hide the attachment section fro public catalog items

Create your record producer or catalog item and make it public

Portal Settings (tab) – Hide Attachment, and Hide ‘Add to Wish List’ (checked)
Script – (Record Producer) ‘producer.portal_redirect = ‘any_redirect_page’
Available for (tab) – Create or add ‘User Criteria’ record

Note: Role should be ‘public, snc_external’

Variables – make sure the write, read, and create roles are ‘publi’

Note: Reference and List Collector variables must allow ‘Read’ access to that table content

Create a Portal (fill in as needed)
- url suffix
- homepage
- theme
  Note: you can make the (sc_cat_item) page public and not create a custom portal or pages (I create a custom page so I could leave ‘sc_cat_item’ page as is)

2. Make any widgets associated with your page or the sc_cat_item page public as well

3. Open the item in a incognito window [/sp?id=sc_cat_item&sys_id= 0c35909cb14156bc4bcbe33938409]

Note: add your custom page name in the url if you created a custom page. Although the catalog item is public, it will not allow you to submit the item

Workaround

To allow unauthenticated users access to catalog items, the following needs to be done (on instances running New York Patch 9, Orlando Patch 4 or higher):

Widget/Page Configuration

The following Service Portal Page(s) and Widget(s) must be configured to allow access to the public role:

Catalog Item Service Portal Page (sc_cat_item)
SC Catalog Item Widget
SC Order Guide Widget
Catalog Checkout Widget (if two step checkout has been enabled)
SC Order Status page and the Order Status widget

API Configuration

All the REST APIs used on the above mentioned widgets/pages must be configured to allow unauthenticated access by unchecking the `Requires Authentication` field in the REST API configuration. This includes the following API(s):

Buy Item
Submit a Record Producer
Validate Variable Regex (In case the item consists of a variable which requires Regex Validation)
Checkout Order Guide
Variable display value
Check requested for delegation on item. (Paris onwards)

If these REST APIs are configured to require authentication, they throw a `403 Unauthorized error` when accessed by a public user

Customers may need to reach out to the ServiceNow Support for making these API and Widget configurations

Catalog Item Configuration

The catalog item(s) intended for unauthenticated submission must have a User Criteria that allows access to the public role
The variables must allow Create permissions to the public role

Limitation

Adding attachments is not supported as a public user so as a best practice, use Portal Settings to hide the attachment section for public catalog items.
At present we do not support public Multirow Variable Set.

Related Problem: PRB854474

if you see the article it has mentioned to update the api method field "Requires Authentication" .

go to the scripted Rest API >> search for "Service Catalog API" >> you will see list of method (Resources tab), so make the changes to those method field "Requires Authentication"

Screenshot for an example for buy Item method.