TPRM and the Explicit Roles plugin

  • Release version: Zurich
  • Updated March 12, 2026
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of TPRM and the Explicit Roles plugin

    Activating the Third-party Risk Management (TPRM) plugin in ServiceNow also installs the Explicit Roles plugin. This plugin introduces a role-based access control system by assigning snc_internal and snc_external roles to internal and external users, respectively. This ensures controlled access to instance resources, especially for third-party contacts who are automatically assigned the snc_external role for portal access.


    Key Features

    • Role Assignment on User Creation: Third-party contacts receive the snc_external role automatically, while all existing and new internal users receive the snc_internal role.
    • Role-based Access on Records: Various tables use the Roles field to restrict access. An empty Roles field previously allowed universal access, but with the Explicit Roles plugin, the snc_internal role is assigned by default, limiting access to internal users only.
    • Automatic Role Updates on Key Tables: Multiple core tables such as Service Catalog items, Access Control Lists (ACLs), navigation menus, portal pages, reports, and processors have their Roles or Read roles fields updated to include snc_internal where previously empty.
    • Configurable Catalog Item Access: The glide.sc.use_user_criteria property controls whether new catalog items automatically get the snc_internal role (when set to false) or use SNC External user criteria to exclude external users (when set to true).

    Practical Implications for ServiceNow Customers

    • Before installing the Explicit Roles plugin, records with empty Roles fields were accessible to all users. After installation, such records are restricted to users with the snc_internal role.
    • All existing users are granted the snc_internal role automatically during plugin activation, ensuring continuity of access.
    • New users must be explicitly assigned the snc_internal role to access records or catalog items that were previously open to all.
    • Administrators should review role assignments and access controls post-installation to ensure appropriate access, especially for external users and third-party contacts.
    • Understanding table-level changes helps in managing security and access more precisely across the instance, enhancing the security posture around third-party risk management.

    Activating the Third-party Risk Management plugin also installs the Explicit Roles plugin. Administrators assign the snc_internal and snc_external roles to provide internal and external users access to the instance.

    When third-party contacts are created, they are automatically assigned the snc_external role, giving them access to resources related to the Third-party portal.

    Various tables provide role-based access to records by setting the Roles field. If the Roles field is empty, all users have access to that record. For example, if the Roles field for a Service Catalog item is empty, all users have access to that Service Catalog item.

    However, when the Explicit Roles plugin is installed, the Roles field is updated to snc_internal. Also, all users are given the snc_internal role. Continuing with the previous example:
    • Before installing the Explicit Roles plugin, if a Service Catalog item had an empty Roles field, it was accessible to every user.
    • After installing the Explicit Roles plugin, the Roles field of the Service Catalog item is updated to snc_internal and all existing users are given the snc_internal role, making the catalog item accessible to those users.
    • After that, all new users must be assigned the snc_internal role, or they will not have access to that Service Catalog item.
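
The before-and-after behavior described above, modeled on constructed data as an added example. This is not ServiceNow code: the user and record objects, the `itil` and `admin` roles, and all function names are assumptions for illustration.

```javascript
// Added example on constructed data; object shapes are assumptions, not ServiceNow schemas.
const INTERNAL = 'snc_internal';
const EXTERNAL = 'snc_external';

// Empty Roles field: open to every user. Otherwise one listed role is needed.
function canAccess(user, record) {
  return record.roles.length === 0 ||
    record.roles.some((role) => user.roles.includes(role));
}

// Activation as the page describes it: empty Roles fields become snc_internal
// and every user that exists at that moment is granted snc_internal.
function activateExplicitRoles(users, records) {
  return {
    users: users.map((u) => ({ ...u, roles: [...new Set([...u.roles, INTERNAL])] })),
    records: records.map((r) => ({ ...r, roles: r.roles.length ? r.roles : [INTERNAL] })),
  };
}

// Review step: which formerly open records is each user now blocked from?
// byDesign is true for snc_external holders, false for a provisioning gap.
function lostAccess(users, before, after) {
  const wasOpen = new Set(
    before.filter((r) => r.roles.length === 0).map((r) => r.name));
  return users
    .map((u) => ({
      user: u.name,
      byDesign: u.roles.includes(EXTERNAL),
      blocked: after
        .filter((r) => wasOpen.has(r.name) && !canAccess(u, r))
        .map((r) => r.name),
    }))
    .filter((f) => f.blocked.length > 0);
}

function demo() {
  const before = [{ name: 'Request laptop', roles: [] }, { name: 'Admin console', roles: ['admin'] }];
  const existing = [{ name: 'alice', roles: ['itil'] }];
  const after = activateExplicitRoles(existing, before);
  // Created after activation: a new hire with no roles, a third-party contact.
  const later = [{ name: 'bob', roles: [] }, { name: 'carol', roles: [EXTERNAL] }];
  return lostAccess([...after.users, ...later], before, after.records);
}
console.log(JSON.stringify(demo(), null, 2));
```

Findings with `byDesign: false` are users created after activation who still need the snc_internal role; findings with `byDesign: true` are external users excluded as intended.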

    The following table describes the changes to tables affected by the Explicit Roles plugin.

    Table 1. Tables affected by the Explicit Roles plugin
    | Table | Changes |
    |---|---|
    | Access Control [sys_security_acl] | For all existing and newly created ACLs without a role requirement, the snc_internal role is assigned. |
    | Catalog item [sc_cat_item] | For all records where the Roles field is empty, the snc_internal role is added. If the glide.sc.use_user_criteria property is set to false, newly created catalog items are automatically assigned the snc_internal role. If the property is set to true, the SNC External user criteria is added to all newly created catalog items, excluding external users from viewing the record. |
    | Page [content_page] | For sites that have a login page, where the Read roles field is empty, the snc_internal role is added. For sites that have no login page or that have automatically created content pages, the public role is added. |
    | Navigation Menu [sys_app_application] | For all records where the Roles field is empty, the snc_internal role is added. Newly created navigation menus with an empty Roles field are also automatically assigned the snc_internal role. |
    | Overview Help Panel [sys_ui_overview_help_panel] | For all records where the Roles field is empty, the snc_internal role is added. Newly created overview panels with an empty Roles field are also assigned the snc_internal role. |
    | Portal Page [sys_portal_page] | For all records where the Read roles field is empty, the snc_internal role is added. Newly created portal pages with an empty Read roles field are also automatically assigned the snc_internal role. |
    | Processor [sys_processor] | For all records where the Roles field is empty, the snc_internal role is added. Newly created processors with an empty Roles field are also automatically assigned the snc_internal role. |
    | Report [sys_report] | For all records where the Roles field is empty, snc_internal is added. Newly created reports that have an empty Roles field when sharing are also automatically assigned the snc_internal role. |