External roles in self-registration
To prevent inadvertently providing access to external users, you can assign the snc_external role to all external users.
External users that self-register must be assigned the snc_external role, which has the least privileges. The snc_external role indicates that the user is external to your organization and should not have any access to resources unless explicitly allowed through ACLs for the snc_external role or additional roles that inherit the snc_external role.
By default, users with the snc_external role cannot access:
- Scripted REST API resources that are not marked external.
- Tables without the role that inherits the snc_external role or the public role.
- Non-record type resources, such as processors and UI pages without the snc_external role or a role that inherits the snc_external role.
- Platform Analytics dashboards.
Beginning with the Paris release, you must enable an exclude-list property to enforce the explicit assignment of snc_external roles. For information about enabling the property, see Prevent future internal role assignments for external users.