Public UI Page - to allow unauthenticated user to raise a request

Andy Newman
Tera Contributor

Hi


I need help to understand exact steps I need to overcome a security constraint. The below outlines my position and I would be so grateful for your advice and guidance.


We currently have a (public) UI page that allows unauthenticated users to create an incident record based on the details the user enters on that UI Page. This UI Page is accessed by link on a company homepage. From looking at the UI Page processing script I can see it's a simple script to insert an incident. This page was setup and configured by my predecessors so I wasn't involved in the setup. It works ok and does the job.


I have now been asked to add to that by providing the capability to allow a user to raise a request (for a specific request item), using a UI Page that has a similar look and feel to the page mentioned above.


I have built a new UI page and it works perfectly if I am authenticated but obviously struggles when I try to use it when logged out. This page is in the sys_public list, so I am able to navigate to the page when not logged in and fill in the information (mainly just text fields, nothing special). However, when I submit there are (suspected) security constraints preventing correct operation.


Clearly I am missing something fundamental - possibly ACL related - I've tried playing around with the catalog item 'Available For' public users but still facing issues. I could really do with someone helping me with exact steps to follow to resolve this.


Thanks in advance.

Andy

1 ACCEPTED SOLUTION

Magnum1
Tera Expert

Found this awhile back. It helped me and I will try and outline what I did outside of these steps/instructions:

Description

When unauthenticated users try to submit a public catalog item in Service Portal, a 400 Bad Request error occurs and they are unable to submit. This issue is due to AngularProcessor authentication restrictions.


Steps

Catalog Item Configuration

  • The catalog item(s) intended for unauthenticated submission must have a 'User Criteria' that allows access to the public role
  • The variables must allow 'Create' permissions to the public role

Limitation

Adding attachments is not supported as a public user, so as a best practice, use Portal settings to hide the attachment section for public catalog items.

  1. Create your record producer or catalog item and make it public
    • Portal Settings (tab) – Hide Attachment, and Hide ‘Add to Wish List’ (checked)
    • Script – (Record Producer) `producer.portal_redirect = 'any_redirect_page'`
    • Available for (tab) – Create or add ‘User Criteria’ record

Note: Role should be ‘public, snc_external’

    • Variables – make sure the write, read, and create roles are ‘public’


Note: Reference and List Collector variables must allow ‘Read’ access to that table content

  2. Create a Portal (fill in as needed)
    • url suffix
    • homepage
    • theme

      Note: you can make the (sc_cat_item) page public and not create a custom portal or pages (I create a custom page so I could leave ‘sc_cat_item’ page as is)

  3. Make any widgets associated with your page or the sc_cat_item page public as well

  4. Open the item in an incognito window [/sp?id=sc_cat_item&sys_id= 0c35909cb14156bc4bcbe33938409]

      Note: add your custom page name in the url if you created a custom page. Although the catalog item is public, it will not allow you to submit the item

Workaround

To allow unauthenticated users access to catalog items, the following needs to be done (on instances running New York Patch 9, Orlando Patch 4 or higher):


Widget/Page Configuration


The following Service Portal Page(s) and Widget(s) must be configured to allow access to the public role:


  • Catalog Item Service Portal Page (sc_cat_item)
  • SC Catalog Item Widget
  • SC Order Guide Widget 
  • Catalog Checkout Widget (if two step checkout has been enabled)
  • SC Order Status page and the Order Status widget

API Configuration


All the REST APIs used on the above mentioned widgets/pages must be configured to allow unauthenticated access by unchecking the `Requires Authentication` field in the REST API configuration. This includes the following API(s):


  • Buy Item
  • Submit a Record Producer
  • Validate Variable Regex (In case the item consists of a variable which requires Regex Validation) 
  • Checkout Order Guide
  • Variable display value
  • Check requested for delegation on item. (Paris onwards)

If these REST APIs are configured to require authentication, they throw a `403 Unauthorized error` when accessed by a public user.

Customers may need to reach out to ServiceNow Support for making these API and Widget configurations.

Catalog Item Configuration


  • The catalog item(s) intended for unauthenticated submission must have a User Criteria that allows access to the public role
  • The variables must allow Create permissions to the public role

Limitation


  • Adding attachments is not supported as a public user so as a best practice, use Portal Settings to hide the attachment section for public catalog items.
  • At present we do not support public Multirow Variable Set.


Related Problem: PRB854474


If you look at the article, it mentions updating the API method field "Requires Authentication".


Go to Scripted REST APIs >> search for "Service Catalog API" >> you will see the list of methods (Resources tab), so make the changes to the "Requires Authentication" field of those methods.

Screenshot of an example for the Buy Item method.

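A defender's check to go with the API step above, written as an added example (not code from the KB article, ServiceNow, or Magnum1): it lists the resources of the Service Catalog scripted REST API that have "Requires Authentication" unchecked and flags any beyond the ones the article names, plus any named one still requiring authentication (the 403 case). The table name `sys_ws_operation` and the fields `web_service_definition` / `requires_authentication` are assumptions from memory; confirm them on your instance.

```javascript
// Added example (not from the KB or ServiceNow): flags resources of the
// same scripted REST API that have "Requires Authentication" unchecked
// beyond the ones the KB lists. Table/field names are assumptions.
var EXPECTED_PUBLIC = [
  'Buy Item', 'Submit a Record Producer', 'Validate Variable Regex',
  'Checkout Order Guide', 'Variable display value',
  'Check requested for delegation on item'
];

// Pure audit over plain records {name, api, requires_authentication}.
// Returns {missing, unexpected}: expected resources still requiring auth
// (the 403 case) and public resources the KB did not ask for.
function auditPublicResources(records, apiName) {
  var isPublic = {}, unexpected = [], missing = [];
  for (var i = 0; i < records.length; i++) {
    var r = records[i];
    if (r.api !== apiName || r.requires_authentication === true) continue;
    isPublic[r.name] = true;
    if (EXPECTED_PUBLIC.indexOf(r.name) === -1) unexpected.push(r.name);
  }
  for (var j = 0; j < EXPECTED_PUBLIC.length; j++) {
    if (!isPublic[EXPECTED_PUBLIC[j]]) missing.push(EXPECTED_PUBLIC[j]);
  }
  return { missing: missing, unexpected: unexpected };
}

// Loader for a background script: reads Scripted REST Resources
// (assumed table sys_ws_operation) into the shape the audit expects.
function loadResourcesFromInstance() {
  var out = [];
  var gr = new GlideRecord('sys_ws_operation');   // server-side only
  gr.query();
  while (gr.next()) {
    out.push({
      name: String(gr.getValue('name')),
      api: String(gr.web_service_definition.getDisplayValue()),
      requires_authentication: gr.getValue('requires_authentication') == '1'
    });
  }
  return out;
}

// Constructed sample, not real instance data; 'Get Item' is a made-up name.
var SAMPLE_RESOURCES = [
  { name: 'Buy Item', api: 'Service Catalog API', requires_authentication: false },
  { name: 'Submit a Record Producer', api: 'Service Catalog API', requires_authentication: false },
  { name: 'Get Item', api: 'Service Catalog API', requires_authentication: false },
  { name: 'Validate Variable Regex', api: 'Service Catalog API', requires_authentication: true },
  { name: 'Other', api: 'Some Other API', requires_authentication: false }
];
```

In a background script, `auditPublicResources(loadResourcesFromInstance(), 'Service Catalog API')` does the real check; a non-empty `unexpected` list means more of the API is reachable anonymously than the fix requires.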


Thank you, Magnum1 for identifying the related PRB record and for providing the solution to that along with helpful screenshots and additional info.


To be clear, I made sure the catalog item had public allowed user criteria and I added 'public' roles to the create/read/write on the catalog item variables - as per your screenshot.


You have helped me to solve this problem - thank you.


Hi @Magnum1,


I have added the public role access to table and table.*, but the reference field still doesn't have records. Do you have any idea? Thanks.



RobertHayton
Tera Expert

In your explanation you said you have a UI page that is public that already creates Incidents. I am working on this now and I have hit a wall. Can you please share your code so I can see what I am doing wrong?

Hi Robert


My UI page simply uses html for the 'variables' and the user populates those.

e.g.

1. Name of affected user
2. Email address of user
3. Contact phone number
4. Application they are reporting an issue for
5. What type of issue (reset password/request access/technical issue)
6. Full description


When they click on submit (html button) the UI page processing script glides the incident table and inserts a record (in a similar way you would on a record producer script), using the values from the html fields, and assigns it to our customer care team for triage.


Does this help point you in the right direction?
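An added illustration of the kind of processing script Andy describes above (he did not post his code; this is not it). It assumes the HTML field names `u_name`, `u_email`, `u_phone`, `u_application`, `u_issue_type` and `u_description`, and a placeholder sys_id for the customer care assignment group. The point it adds: because the caller is anonymous, the script allow-lists the issue type, caps field lengths, and fixes the assignment group server-side rather than trusting anything in the form for routing.

```javascript
// Added example, not Andy's actual script (he did not post it). UI page
// processing scripts run server-side in Rhino (ES5), hence var/function.
// The HTML field names (u_name, ...) and the assignment-group sys_id are
// assumptions for illustration.

// Allow-listed issue types the HTML <select> offers; anything else is rejected.
var ISSUE_TYPES = {
  'reset_password': 'Reset password',
  'request_access': 'Request access',
  'technical_issue': 'Technical issue'
};
var ASSIGNMENT_GROUP = 'REPLACE_WITH_CUSTOMER_CARE_GROUP_SYS_ID'; // placeholder

// Trim and cap one form value so an anonymous caller cannot stuff huge payloads.
function clean(value, max) {
  return String(value == null ? '' : value).replace(/^\s+|\s+$/g, '').substring(0, max);
}

// Build the incident field map from raw request parameters. Pure function:
// only chosen fields are copied, assignment is fixed server-side, and a
// validation failure is returned as {error} instead of inserting anything.
function buildIncidentFields(params) {
  var name = clean(params.u_name, 100), email = clean(params.u_email, 100),
      phone = clean(params.u_phone, 40), app = clean(params.u_application, 100),
      type = clean(params.u_issue_type, 40), desc = clean(params.u_description, 4000);
  if (!name || !email || !desc) return { error: 'name, email and description are required' };
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) return { error: 'invalid email address' };
  if (!ISSUE_TYPES.hasOwnProperty(type)) return { error: 'unknown issue type' };
  return {
    fields: {
      short_description: ISSUE_TYPES[type] + ' - ' + app,
      description: 'Reported by: ' + name + ' <' + email + '> ' + phone + '\n\n' + desc,
      contact_type: 'self-service',
      assignment_group: ASSIGNMENT_GROUP   // never taken from the form
    }
  };
}

// Entry point: in the processing script call this with an object built from
// request.getParameter('u_name') etc.; inserts only after validation passed.
function processSubmission(params) {
  var result = buildIncidentFields(params);
  if (result.error) return result;
  var gr = new GlideRecord('incident');   // ServiceNow server-side API
  gr.initialize();
  for (var f in result.fields) gr.setValue(f, result.fields[f]);
  return { sys_id: gr.insert() };
}
```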