To prevent inadvertently providing access to external users, you can assign the snc_external role to all external users.

External users that self-register must be assigned the snc_external role, which has the least privileges. The snc_external role indicates that the user is external to your organization and should not have any access to resources unless explicitly allowed through ACLs for the snc_external role or additional roles that inherit the snc_external role.

Beginning with the Paris release, you must enable an exclude-list property to enforce the explicit assignment of snc_external roles. For information about enabling the property, see Prevent future internal role assignments for external users.