Set up third-party contacts

  • Release version: Australia
  • Updated March 12, 2026
  • Set up your third-party contacts so that you can send assessments, address issues, and communicate any additional required information with these contacts using Third-party Risk Management.

    Before you begin

    Role required: sn_vdr_risk_asmt.vendor_risk_manager and admin for steps 4 and 5

    About this task

    Third-party contacts are external users at the third-party organization. They use the Third-party portal to securely organize, prioritize, and perform work such as responding to assessment questionnaires, completing tasks, and communicating with your risk-assessment staff about issues. You grant access to the Third-party portal and specify the permissions for third-party contacts. The third-party risk (TPR) manager must contact a team member with the admin role to complete steps 4 and 5.
    Important:
    The third-party contact role should be used only for external contacts. The role prohibits access to your ServiceNow AI Platform instance and grants access only to the Third-party portal.

    Procedure

    1. Navigate to All > Third-party Risk Management > Third Parties > Third-party Contacts to determine whether a third-party contact has already been assigned.

      The number of contacts is listed for each third party on the third-party contacts page.

    2. On the third-party contacts page, select a third party to view the list of associated contacts.
      • To manage existing contacts:
        • Select each contact to verify that the contact is associated with the appropriate third party, is active, and, if applicable, is specified as the primary contact.
          Note:
          The questionnaires, document requests, and issues that are currently assigned to the contact are listed in the associated tab.
        • If you don't have the admin role, ask a user who does to verify that the vendor_contact role appears for the user on the Roles related list. If the user with the admin role can't see the Roles related list, they must go to step 4. If the user with the admin role can't see the vendor_contact role listed for the user, they must go to step 5.
        Note:
        For more information on managing third-party contacts, see Manage the access for your third-party contacts.
      • To add a contact, select New and continue with the following steps.
      Note:
      It’s normal for a contact to have the snc_external role because the vendor_contact role includes it.
    3. On the form, fill in the fields.
      Table 1. Third-party contact form

      | Field | Description |
      |---|---|
      | First name, Last name, Email, Title, Department | Standard contact information for the user at the third-party organization. |
      | User ID | ID used to log in to the Third-party portal instance. |
      | Third-party | Third-party organization of the contact. |
      | Language, Time Zone | Preferred language and time zone for the user at the third-party organization. |
      | Active | Option to activate the contact to be eligible to work in the Third-party portal. |
      | Primary contact | Third-party contact who can directly answer assessment questions or assign another contact at the third party to answer the questions. They can also manage other contacts for the third party. |

      Note:
      An email notification is sent out to the new third-party contact after the form is submitted. The email contains a link to the third-party portal and login credentials.
    4. Optional: Validate that each contact has the vendor_contact role by adding the Roles value to the Vendor Contact page.
      1. Add the Roles related list by selecting the actions icon and selecting Configure > Related Lists.
        Figure: Adding a related list to the form.
      2. Move the Roles related list to the Selected list and then select Save.

        Figure: Adding the Roles heading to the related list.

    5. Optional: Grant third-party contacts access to the third-party portal by selecting Edit and adding vendor_contact to the Roles list.

      Figure: Assigning the vendor_contact role to a third-party contact.

      Warning:
      If the user has other roles, such as snc_internal, then the user might also be able to log in to your platform and have visibility into critical records.
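
The role checks in steps 4 and 5 and the warning above can be run as a periodic audit over exported contact and role data. The script below is an added example, not ServiceNow code: the record shapes (`userId`, `active`, `user`, `role`), the finding labels, and the sample users are constructed assumptions.

```javascript
// Added example (not ServiceNow code). All records below are constructed.
// Roles the page says a third-party contact is expected to hold:
// vendor_contact, plus snc_external, which vendor_contact includes.
const EXPECTED_ROLES = new Set(["vendor_contact", "snc_external"]);

// contacts: [{ userId, active }]   roleRows: [{ user, role }]   (assumed shapes)
function auditContactRoles(contacts, roleRows) {
  // Group role names by user ID.
  const rolesByUser = new Map();
  for (const { user, role } of roleRows) {
    if (!rolesByUser.has(user)) rolesByUser.set(user, new Set());
    rolesByUser.get(user).add(role);
  }
  const findings = [];
  for (const { userId, active } of contacts) {
    const roles = rolesByUser.get(userId) || new Set();
    // Any other role (for example snc_internal) may allow platform login.
    const extra = [...roles].filter((r) => !EXPECTED_ROLES.has(r)).sort();
    if (extra.length > 0) {
      findings.push({ userId, issue: "extra_roles", roles: extra });
    }
    // An active contact without vendor_contact still needs step 5.
    if (active && !roles.has("vendor_contact")) {
      findings.push({ userId, issue: "missing_vendor_contact", roles: [...roles].sort() });
    }
  }
  return findings;
}

// Constructed sample data.
const sampleContacts = [
  { userId: "a.lee", active: true },
  { userId: "b.kim", active: true },
  { userId: "c.roy", active: true },
  { userId: "d.fox", active: false },
];
const sampleRoleRows = [
  { user: "a.lee", role: "vendor_contact" },
  { user: "a.lee", role: "snc_external" },
  { user: "b.kim", role: "vendor_contact" },
  { user: "b.kim", role: "snc_external" },
  { user: "b.kim", role: "snc_internal" },
];
console.log(JSON.stringify(auditContactRoles(sampleContacts, sampleRoleRows), null, 2));
```

An `extra_roles` finding is the condition the warning describes; a `missing_vendor_contact` finding means the contact still needs the role assignment from step 5.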