09-05-2023 04:24 AM - edited 09-05-2023 04:25 AM
Hi
I need help to understand exact steps I need to overcome a security constraint. The below outlines my position and I would be so grateful for your advice and guidance.
We currently have a (public) UI page that allows unauthenticated users to create an incident record based on the details the user enters on that UI Page. This UI Page is accessed by link on a company homepage. From looking at the UI Page processing script I can see it's a simple script to insert an incident. This page was set up and configured by my predecessors so I wasn't involved in the setup. It works ok and does the job.
I have now been asked to add to that by providing the capability to allow a user to raise a request (for a specific request item), using a UI Page that has a similar look and feel to the page mentioned above.
I have built a new UI page and it works perfectly if I am authenticated but obviously struggles when I try to use it when logged out. This page is in the sys_public list so, I am able to navigate to the page when not logged in, and fill in the information (mainly just text fields, nothing special). However, when I submit there are (suspected) security constraints preventing correct operation.
Clearly I am missing something fundamental - possibly ACL related - I've tried playing around with the catalog item 'Available For' public users but still facing issues. I could really do with someone helping me with exact steps to follow to resolve this.
Thanks in advance.
Andy

11-01-2023 03:31 PM
Found this awhile back. It helped me and I will try and outline what I did outside of these steps/instructions:
Description
When unauthenticated users try to submit a public catalog item in Service Portal, a 400 Bad Request error occurs and they are unable to submit. This issue is due to AngularProcessor authentication restrictions.
Steps
Catalog Item Configuration
- The catalog item(s) intended for unauthenticated submission must have a 'User Criteria' that allows access to the public role
- The variables must allow 'Create' permissions to the public role
Limitation
Adding attachments is not supported as a public user so as a best practice, use Portal settings to hide the attachment section for public catalog items
- Create your record producer or catalog item and make it public
- Portal Settings (tab) – Hide Attachment, and Hide ‘Add to Wish List’ (checked)
- Script – (Record Producer) `producer.portal_redirect = 'any_redirect_page'`
- Available for (tab) – Create or add ‘User Criteria’ record
Note: Role should be ‘public, snc_external’
- Variables – make sure the write, read, and create roles are ‘public’
Note: Reference and List Collector variables must allow ‘Read’ access to that table content
- Create a Portal (fill in as needed)
- url suffix
- homepage
- theme
Note: you can make the (sc_cat_item) page public and not create a custom portal or pages (I create a custom page so I could leave ‘sc_cat_item’ page as is)
2. Make any widgets associated with your page or the sc_cat_item page public as well
3. Open the item in an incognito window [/sp?id=sc_cat_item&sys_id= 0c35909cb14156bc4bcbe33938409]
Note: add your custom page name in the url if you created a custom page. Although the catalog item is public, it will not allow you to submit the item
Workaround
To allow unauthenticated users access to catalog items, the following needs to be done (on instances running New York Patch 9, Orlando Patch 4 or higher):
Widget/Page Configuration
The following Service Portal Page(s) and Widget(s) must be configured to allow access to the public role:
- Catalog Item Service Portal Page (sc_cat_item)
- SC Catalog Item Widget
- SC Order Guide Widget
- Catalog Checkout Widget (if two step checkout has been enabled)
- SC Order Status page and the Order Status widget
API Configuration
All the REST APIs used on the above mentioned widgets/pages must be configured to allow unauthenticated access by unchecking the `Requires Authentication` field in the REST API configuration. This includes the following API(s):
- Buy Item
- Submit a Record Producer
- Validate Variable Regex (In case the item consists of a variable which requires Regex Validation)
- Checkout Order Guide
- Variable display value
- Check requested for delegation on item. (Paris onwards)
If these REST APIs are configured to require authentication, they throw a `403 Unauthorized error` when accessed by a public user
Customers may need to reach out to the ServiceNow Support for making these API and Widget configurations
Catalog Item Configuration
- The catalog item(s) intended for unauthenticated submission must have a User Criteria that allows access to the public role
- The variables must allow Create permissions to the public role
Limitation
- Adding attachments is not supported as a public user so as a best practice, use Portal Settings to hide the attachment section for public catalog items.
- At present we do not support public Multirow Variable Set.
Related Problem: PRB854474
If you see the article, it mentions updating the API method field "Requires Authentication".
Go to the Scripted REST API >> search for "Service Catalog API" >> you will see a list of methods (Resources tab), so make the changes to the "Requires Authentication" field on those methods.
Screenshot for an example for buy Item method.
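To check the result of the API Configuration step above, this added example (not part of the original post and not ServiceNow's own code) audits an exported list of Service Catalog API resources and flags any resource left unauthenticated that the post does not list, plus listed ones still protected. It assumes the rows come from the `sys_ws_operation` table with `name` and `requires_authentication` fields; the sample rows and their resource names are constructed.

```javascript
// Resources the post lists as needing "Requires Authentication" unchecked.
const EXPECTED_PUBLIC = [
  'Buy Item',
  'Submit a Record Producer',
  'Validate Variable Regex',
  'Checkout Order Guide',
  'Variable display value',
  'Check requested for delegation on item',
];

// Constructed sample export (assumed fields: name, requires_authentication).
const SAMPLE_ROWS = [
  { name: 'Buy Item', requires_authentication: false },
  { name: 'Submit a Record Producer', requires_authentication: 'false' },
  { name: 'Checkout Order Guide', requires_authentication: 'true' },
  { name: 'Add Item to Cart', requires_authentication: 'false' },
  { name: 'Get Cart', requires_authentication: true },
];

// Compare names case-insensitively and ignore a trailing period.
const norm = (s) => String(s).trim().replace(/\.$/, '').toLowerCase();

function auditResources(rows, expected = EXPECTED_PUBLIC) {
  const allowed = new Set(expected.map(norm));
  const seen = new Set();
  const report = { unexpectedPublic: [], stillProtected: [], ok: [], missing: [] };
  for (const row of rows) {
    const key = norm(row.name);
    seen.add(key);
    // Exports may carry the flag as a boolean or as the string "true"/"false".
    const requiresAuth = String(row.requires_authentication) === 'true';
    if (!requiresAuth && !allowed.has(key)) {
      report.unexpectedPublic.push(row.name); // open, but not on the post's list
    } else if (requiresAuth && allowed.has(key)) {
      report.stillProtected.push(row.name); // public submit will be rejected here
    } else if (!requiresAuth) {
      report.ok.push(row.name);
    }
  }
  // Listed resources absent from the export (e.g. not present on this release).
  report.missing = expected.filter((n) => !seen.has(norm(n)));
  return report;
}

console.log(JSON.stringify(auditResources(SAMPLE_ROWS), null, 2));
```

Anything reported under `unexpectedPublic` is reachable without a session and was not required by the steps above, so it is the first thing to re-check after the change.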
10-03-2023 08:31 PM
Hey Andy,
Did you find a solution for this? I'm running into a similar issue.
10-04-2023 05:11 AM
Hi,
I'm glad it's not just me - but unfortunately not. I've moved on to another project while we work out what to do with this one.
08-13-2024 07:30 AM
Were you able to fix? I am asking our devs to create a public form that allows non-employees to submit a specific ticket, but they have said it's not possible and proposed a workaround where a regular webform emails the information to SNOW, and that information is then parsed into fields to create a request.
If you were able to get yours to work, would you consider PMing me (or reaching out via email) with the example? Feel free to just share a redacted screenshot; you don't need to share the link.
