Fix external user role assignments

  • Release version: Xanadu
  • Updated August 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Fix External User Role Assignments

    It is important to ensure that external users (contacts or consumers) in your ServiceNow instance do not have internal role assignments, as this can lead to access issues. The Customer Service Management guided setup provides tools to evaluate and correct these role assignments effectively.

    Show full answer Show less

    Key Features

    • Guided Setup: Access the setup via Customer Service > Administration > Guided Setup to start fixing role assignments.
    • Evaluation Tasks: Identify external users with inappropriate role assignments through various predefined tasks, including checking for:
      • Only the sncinternal role.
      • The sncinternal role combined with external roles.
      • The sncinternal role combined with additional internal roles.
      • The sncinternal role combined with both internal and external roles.
    • Scheduled Job: After tagging users with incorrect assignments, run the scheduled job to correct these roles.
    • Property Configuration: To prevent future incorrect assignments, enable the property glide.security.explicitroles.enableinternaluserblacklist and ensure its value is set to true.

    Key Outcomes

    By following the guided setup, you can effectively manage role assignments for external users, preventing potential access issues and ensuring compliance with best practices. Correcting these assignments will enhance the security and functionality of your ServiceNow instance, ensuring that external users only have the necessary permissions to perform their roles.

    You may have external users (contacts or consumers) on your instance that have been assigned internal roles. If so, you can use the Customer Service Management guided setup to evaluate and correct these role assignments as needed.

    Because external users with internal roles can result in access issues, it is recommended that external users only be assigned external roles.

    Use the tasks in the Fix External User Role Assignment category guided setup category to evaluate the contacts and consumers with the following role assignments:
    • The snc_internal role only.
    • The snc_internal role and one or more external roles.
    • The snc_internal role and one or more additional internal roles.
    • The snc_internal role and one or more additional internal and external roles.
    Review the list of users in each group and tag those users with incorrect role assignments. Then run the scheduled job to fix the role assignments.
    Note:
    You can also review and update external user roles using a query-based list. For more information, see KB0829930.

    Using guided setup to fix external user role assignments

    With the system administrator role, you can use guided setup to fix external user role assignments.
    1. Navigate to Customer Service > Administration > Guided Setup.
    2. On the Getting Started page of the guided setup, click Get Started.
    3. In the Fix External User Role Assignment category, click Get Started.

      The Fix External User Role Assignment page opens with a list of tasks to evaluate groups of external users.

    4. To perform a task, click Configure.

      This button opens the page in your instance where the configuration is completed.

    Fix External User Role Assignment tasks

    The following table describes the different configuration tasks in the Fix External User Role Assignment category.
    Table 1. Fix External User Role Assignment tasks
    Task Description
    External users with possible non-intentional internal role assignment This is a set of contacts and consumers with the following role assignments:
    • The snc_internal role only.
    • The snc_internal role and one or more external roles.
    It is recommended that you do not assign internal roles to external users. Review the contacts in this list and fix the role assignment as needed.
    External users with possible intentional internal role assignments This is a set of contacts and consumers that have the following role assignments:
    • The snc_internal role and one or more additional internal roles.
    • The snc_internal role and one or more additional internal and external roles.
    It is recommended that you do not assign both internal and external roles to the same user. Review the users in this list and fix the role assignment as needed.
    External users with intentional internal role assignments This is a set of contacts and consumers that have the snc_internal role that is contained by another role.

    It is recommended that you do not assign internal roles to external users. Review the users in this list and fix the role assignments as needed.
    Avoid such role assignments in future To prevent external users from being assigned the snc_internal role in the future, enable the following property:

    glide.security.explicit_roles.enable_internal_user_blacklist

    Click Configure to navigate to the property and verify that the value is true. If false, set the value to true.