Explicit Role plugin (instance security hardening)

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Explicit Role plugin (instance security hardening)

    The Explicit Role plugin (com.glide.explicitroles) enhances instance security by introducing the sncinternal and sncexternal roles, designed to restrict external users from accessing sensitive internal data. Enterprise users must possess the internal role, while non-enterprise users should have the external role. This functionality is crucial for maintaining data integrity and security within B2B and B2C applications.

    Show full answer Show less

    Key Features

    • Automatic assignment of the sncinternal role to all existing users and tables without a specified role upon plugin activation.
    • New users and tables created after activation will automatically receive the sncinternal role.
    • External users with the sncexternal role are barred from accessing tables not explicitly assigned to them.
    • Public role tables are accessible to both internal and external users, but sensitive data must be managed carefully.
    • Widgets requiring login must be configured to allow access for external users if needed.

    Key Outcomes

    By activating the Explicit Role plugin, organizations can significantly enhance their security posture. External users will have restricted access to sensitive data, preventing unauthorized exposure. It is essential to validate that no sensitive information is available in public role tables and ensure that all API endpoints are secured using appropriate role checks. Following the outlined steps for creating features and managing user roles will further bolster instance security.

    Activate the Explicit Role (com.glide.explicit_roles) plugin to provide the instance with the new snc_internal and snc_external roles for B2B and B2C applications, preventing external users from accessing internal data. Enterprise users (employees) must have the internal role while non-enterprise users (non-employees) must have the external role.

    When you install the explicit role plugin:

    • It assigns all existing users with the new snc_internal role. It also assigns all tables without any role with the snc_internal role.
    • When you create a user or table after activating the Explicit Role plugin, the ServiceNow AI Platform assigns the user or table with the snc_internal role.
    • The ServiceNow AI Platform prevents the users with the snc_external role from accessing any table that is not explicitly assigned with the snc_external role.
    • Any table with the public role are accessible by both internal or external users.
    • Some service portal widgets require a login, but do not require any specific user roles. After installing the explicit roles plugin, these portals will become inaccessible to external users.
      • To allow access for external users, edit your widget to change the required roles from blank to snc_internal, snc_external.
      • An example of this issue is customers using the case management application who need external users to be able to attach files to their case records. Changing the configuration for the encryption-context-picker widget as described allows external users to attach as expected.
      • For more information on configuring widgets, see Configure widget instance options
    Note:
    Do not move system update sets among instances with and without the Explicit Roles plugin enabled. For more information, see System update sets.

    Role summary

    snc_internal
    This role is assigned to all internal users (employee or internal to an organization). Any new user that gets added also get this role during their first login/impersonation, provided the user doesn't have the snc_external role already assigned. All the existing Access Control Rules (ACLs) without a role are patched with the 'snc_internal' role. For new ACLs, the ServiceNow AI Platform automatically adds this role if the ACL is saved without any role.
    snc_external
    This role indicates that the user is external to your organization and should not have any access to resources unless:
    • You explicitly allow access through ACLs for the snc_external role, or
    • You explicitly grant them additional roles.
    By default, users with the snc_external role are unable to access non-record type resources as well, such as processors and UI pages.
    public
    Any entities with public role assigned to it are accessible by both snc_internal and snc_external users.
    When using Explicit Role plugin:
    1. Review and validate that any table with the public role doesn't contain any sensitive record to the external users, including unauthenticated public users.
    2. If the table with the public role contains sensitive data, and you want to restrict the sensitive records from external users, either:
      • Remove the public role from the table or
      • Add additional scripted ACL to the table.
    3. Review and validate that all endpoints, such as the Scripted REST APIs, use the GlideRecordSecure or explicitly check roles using canRead(), canWrite(), canUpdate(), and canDelete().

    More information

    Attribute Description
    Plugin Name com.glide.explicit_roles
    Configuration type System Definition > Plugin
    Configure in Instance Security Center No
    Purpose To prevent external users from accessing internal data.
    Recommended value Active
    Functional ImpactNo significant impact as the plugin automatically assigns the snc_internal role to the table so the existing internal users still have the necessary access.
    Security risk (High) External Users (Non-employees) can access to many sensitive tables in the ServiceNow AI Platform that do not have any roles assigned to it. They are meant to be accessible by internal users (Employees) only.
    References Explicit Roles

    Steps to configure

    When creating feature or application with the explicit roles:
    1. Create a role that inherits the snc_external role for your new feature or application.
    2. When creating an external user, remove the snc_internal role and add the newly created role that inherits the snc_external role.
    3. When adding the new role that inherits the snc_external role to the existing table, review and validate that the table doesn't contain any sensitive record.
    4. When creating a table, validate that the table is accessible only by authorized internal and external user roles.
    5. When creating endpoints such as the Scripted REST API, use GlideRecordSecure or explicitly check roles using canRead(), canWrite(), canUpdate(), and canDelete().

    When creating a table with the public role, make sure that the table doesn't contain any sensitive record to the external users including unauthenticated public users.