Fix external user role assignments

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Fix external user role assignments

    This guidance helps ServiceNow customers manage and correct role assignments for external users—such as contacts or consumers—who may have been mistakenly assigned internal roles. Assigning internal roles to external users can cause access issues, so it is advised that external users only have external roles. The Customer Service Management guided setup provides tasks to identify and fix these role assignment discrepancies efficiently.

    Show full answer Show less

    Key Features

    • Guided Setup Navigation: Access guided setup via Customer Service > Administration > Guided Setup to begin fixing external user role assignments.
    • Evaluation Tasks: Four task categories help identify groups of external users with problematic role assignments:
      • Users with the sncinternal role only or with external roles (possible non-intentional internal role assignment).
      • Users with sncinternal plus other internal roles, with or without external roles (possible intentional internal role assignment).
      • Users with sncinternal role contained in another role (intentional internal role assignments).
      • Review lists allow tagging of users with incorrect roles before running a scheduled job to fix assignments.
    • Role Fix Process: After reviewing users in each category, use the scheduled job to correct role assignments accordingly.
    • Alternative Method: Role assignments can also be reviewed and updated using a query-based list for more direct management.
    • Prevention: To avoid future incorrect assignments, enable the system property glide.security.explicitroles.enableinternaluserblacklist by setting it to true via the Configure option in guided setup.

    What to Expect

    By following these steps, ServiceNow customers can:

    • Identify external users improperly assigned internal roles that could cause access problems.
    • Correct role assignments systematically using guided setup tasks and scheduled jobs.
    • Prevent recurrence of improper internal role assignments to external users by enabling the recommended system property.
    • Maintain secure and appropriate access controls for external users, ensuring compliance with best practices and minimizing access-related issues.

    You may have external users (contacts or consumers) on your instance that have been assigned internal roles. If so, you can use the Customer Service Management guided setup to evaluate and correct these role assignments as needed.

    Because external users with internal roles can result in access issues, it is recommended that external users only be assigned external roles.

    Use the tasks in the Fix External User Role Assignment category guided setup category to evaluate the contacts and consumers with the following role assignments:
    • The snc_internal role only.
    • The snc_internal role and one or more external roles.
    • The snc_internal role and one or more additional internal roles.
    • The snc_internal role and one or more additional internal and external roles.
    Review the list of users in each group and tag those users with incorrect role assignments. Then run the scheduled job to fix the role assignments.
    Note:
    You can also review and update external user roles using a query-based list. For more information, see KB0829930.

    Using guided setup to fix external user role assignments

    With the system administrator role, you can use guided setup to fix external user role assignments.
    1. Navigate to Customer Service > Administration > Guided Setup.
    2. On the Getting Started page of the guided setup, click Get Started.
    3. In the Fix External User Role Assignment category, click Get Started.

      The Fix External User Role Assignment page opens with a list of tasks to evaluate groups of external users.

    4. To perform a task, click Configure.

      This button opens the page in your instance where the configuration is completed.

    Fix External User Role Assignment tasks

    The following table describes the different configuration tasks in the Fix External User Role Assignment category.
    Table 1. Fix External User Role Assignment tasks
    Task Description
    External users with possible non-intentional internal role assignment This is a set of contacts and consumers with the following role assignments:
    • The snc_internal role only.
    • The snc_internal role and one or more external roles.
    It is recommended that you do not assign internal roles to external users. Review the contacts in this list and fix the role assignment as needed.
    External users with possible intentional internal role assignments This is a set of contacts and consumers that have the following role assignments:
    • The snc_internal role and one or more additional internal roles.
    • The snc_internal role and one or more additional internal and external roles.
    It is recommended that you do not assign both internal and external roles to the same user. Review the users in this list and fix the role assignment as needed.
    External users with intentional internal role assignments This is a set of contacts and consumers that have the snc_internal role that is contained by another role.

    It is recommended that you do not assign internal roles to external users. Review the users in this list and fix the role assignments as needed.
    Avoid such role assignments in future To prevent external users from being assigned the snc_internal role in the future, enable the following property:

    glide.security.explicit_roles.enable_internal_user_blacklist

    Click Configure to navigate to the property and verify that the value is true. If false, set the value to true.