Fix external user role assignments

  • Release version: Zurich
  • Updated July 31, 2025

    You may have external users (contacts or consumers) on your instance that have been assigned internal roles. If so, you can use the Customer Service Management guided setup to evaluate and correct these role assignments as needed.

    Because external users with internal roles can result in access issues, it is recommended that external users only be assigned external roles.

    Use the tasks in the Fix External User Role Assignment guided setup category to evaluate the contacts and consumers with the following role assignments:
    • The snc_internal role only.
    • The snc_internal role and one or more external roles.
    • The snc_internal role and one or more additional internal roles.
    • The snc_internal role and one or more additional internal and external roles.
    Review the list of users in each group and tag those users with incorrect role assignments. Then run the scheduled job to fix the role assignments.
    Note:
    You can also review and update external user roles using a query-based list. For more information, see KB0829930.

    Using guided setup to fix external user role assignments

    With the system administrator role, you can use guided setup to fix external user role assignments.
    1. Navigate to Customer Service > Administration > Guided Setup.
    2. On the Getting Started page of the guided setup, click Get Started.
    3. In the Fix External User Role Assignment category, click Get Started.

      The Fix External User Role Assignment page opens with a list of tasks to evaluate groups of external users.

    4. To perform a task, click Configure.

      This button opens the page in your instance where the configuration is completed.

    Fix External User Role Assignment tasks

    The following table describes the different configuration tasks in the Fix External User Role Assignment category.
    Table 1. Fix External User Role Assignment tasks

    Task: External users with possible non-intentional internal role assignment
    Description: This is a set of contacts and consumers with the following role assignments:
    • The snc_internal role only.
    • The snc_internal role and one or more external roles.
    It is recommended that you do not assign internal roles to external users. Review the contacts in this list and fix the role assignment as needed.

    Task: External users with possible intentional internal role assignments
    Description: This is a set of contacts and consumers that have the following role assignments:
    • The snc_internal role and one or more additional internal roles.
    • The snc_internal role and one or more additional internal and external roles.
    It is recommended that you do not assign both internal and external roles to the same user. Review the users in this list and fix the role assignment as needed.

    Task: External users with intentional internal role assignments
    Description: This is a set of contacts and consumers that have the snc_internal role that is contained by another role.
    It is recommended that you do not assign internal roles to external users. Review the users in this list and fix the role assignments as needed.

    Task: Avoid such role assignments in future
    Description: To prevent external users from being assigned the snc_internal role in the future, enable the following property:

    glide.security.explicit_roles.enable_internal_user_blacklist

    Click Configure to navigate to the property and verify that the value is true. If false, set the value to true.
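
    The grouping used by the three review tasks above can be reproduced offline when auditing an export of external users' role assignments. The following is an added example, not ServiceNow's code. Assumptions: the row shape (user, role, inherited flag), the role names prefixed with example_, the administrator-supplied list of external roles, and the reading that "contained by another role" means snc_internal is held only through inheritance.

```javascript
// Added example: sort external users into the guided-setup review groups.
// Assumption: rows are a constructed export of user-role assignments, where
// `inherited` is true when the role arrives through a containing role.
// Assumption: the set of external roles is supplied by the administrator.
const EXTERNAL_ROLES = new Set(['snc_external', 'example_external_role']); // hypothetical list

const rows = [ // constructed sample data, not taken from any instance
  { user: 'contact.a', role: 'snc_internal', inherited: false },
  { user: 'contact.b', role: 'snc_internal', inherited: false },
  { user: 'contact.b', role: 'snc_external', inherited: false },
  { user: 'contact.c', role: 'snc_internal', inherited: false },
  { user: 'contact.c', role: 'example_internal_role', inherited: false },
  { user: 'consumer.d', role: 'example_internal_role', inherited: false },
  { user: 'consumer.d', role: 'snc_internal', inherited: true },
  { user: 'consumer.e', role: 'snc_external', inherited: false },
];

function classifyExternalUsers(assignments, externalRoles) {
  // Collect every role grant per user first; a user's group depends on the full set.
  const byUser = new Map();
  for (const { user, role, inherited } of assignments) {
    if (!byUser.has(user)) byUser.set(user, []);
    byUser.get(user).push({ role, inherited });
  }
  const groups = { nonIntentional: [], possiblyIntentional: [], intentional: [], clean: [] };
  for (const [user, roles] of byUser) {
    const internalGrants = roles.filter(r => r.role === 'snc_internal');
    // No snc_internal at all: nothing to review for this user.
    if (internalGrants.length === 0) { groups.clean.push(user); continue; }
    // snc_internal held only through a containing role: third task.
    if (internalGrants.every(r => r.inherited)) { groups.intentional.push(user); continue; }
    // Direct snc_internal: the task depends on whether other internal roles exist.
    const otherInternal = roles.some(
      r => r.role !== 'snc_internal' && !externalRoles.has(r.role));
    (otherInternal ? groups.possiblyIntentional : groups.nonIntentional).push(user);
  }
  return groups;
}

console.log(classifyExternalUsers(rows, EXTERNAL_ROLES));
```

    Users in the intentional group need the containing role reviewed, since removing snc_internal alone does not remove an inherited grant.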