Mandatory roles

You can give both internal users and external users access to your instance. However, you might not want both types of users to have the same level of access. To provide added security, every user must have at least one role so the instance can distinguish between the users that are internal and the users that are external.

Prior to the Geneva release, ESS users had no role, but were still considered part of your organization and could access basic system resources by default, such as an ESS home page. Starting with the Geneva release, ESS users can obtain the snc_internal role and still retain the same level of access they had prior to Geneva.

External users must obtain, at minimum, the snc_external role. This role indicates that the user is external to your organization and should not have any access to resources unless you explicitly allow access through ACLs for the snc_external role, or you explicitly grant them additional roles. By default, users with the snc_external role are unable to access non-record type resources as well, such as processors and UI pages.

You should not mark the snc_internal role as elevated. Otherwise, internal users could not access the instance.
Note: You can use encryption contexts with the snc_internal and snc_external roles.

The Explicit Roles plugin

The Explicit Roles (com.glide.explicit_roles) plugin provides the snc_external and snc_internal roles. This plugin is activated automatically when you activate the Customer Service Portal.

When this plugin is activated:
  • All existing users are automatically assigned the snc_internal role. This role does not change existing access levels or system behavior. Rather, it provides a category to differentiate internal users from external users. All internal users maintain the same level of access as before the plugin was activated.
  • All existing ACLs that do not have a role requirement are automatically assigned the snc_internal role. Because both existing ACLs and roles are assigned the snc_internal role, existing access levels do not change.
  • External users must obtain, at minimum, the snc_external role to access the instance. This role is automatically assigned to external Customer Service Portal contacts. If the Customer Service Portal is not activated, this role must be manually granted to external users. Access to records is granted through ACLs.

Providing access to external users

You can grant external users access to tables by creating a set of ACLs for the table. See Provide external users access to a table.

Another approach you can take is to give all external users access to all tables, and then restrict access to specific tables. You can do this by adding the snc_internal role to the * ACL that is of Type ui_page.

The hasRoles() method

The hasRoles() method is still available, but is deprecated in the Geneva release. Use the hasRole(role name) method instead.

If you do use the hasRoles() method, note these changes:
  • This method automatically excludes the default snc_internal role when it checks for roles. This means that if a user has only the snc_internal role, the hasRoles() method still returns false.
  • If the user has the snc_external role, false is returned because the instance treats external users as having no role.
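
The following is an added example, not ServiceNow code: a simplified JavaScript model of the plugin-activation rules and the hasRoles() behavior described above. It shows that activation leaves existing access unchanged, and that hasRoles() cannot tell an internal-only user from an external one. The function names and sample data are hypothetical, and ACL conditions and scripts are not modeled.

```javascript
// Simplified model of the rules on this page; all names here are hypothetical.
const INTERNAL = 'snc_internal';
const EXTERNAL = 'snc_external';

// Plugin activation: existing users and role-less ACLs are assigned snc_internal.
function activateExplicitRoles(users, acls) {
  return {
    users: users.map(u => ({ ...u, roles: [...new Set([...u.roles, INTERNAL])] })),
    acls: acls.map(a => ({ ...a, roles: a.roles.length ? a.roles : [INTERNAL] })),
  };
}

// Role check only: an ACL passes when it requires no role or the user holds one it lists.
function canAccess(user, acl) {
  return acl.roles.length === 0 || acl.roles.some(r => user.roles.includes(r));
}

// Deprecated hasRoles() as described: snc_internal is ignored, external users get false.
function legacyHasRoles(user) {
  if (user.roles.includes(EXTERNAL)) return false;
  return user.roles.some(r => r !== INTERNAL);
}

// Explicit classification, the kind of check hasRole(role name) makes possible.
function classify(user) {
  const internal = user.roles.includes(INTERNAL);
  const external = user.roles.includes(EXTERNAL);
  if (internal && external) return 'conflict';
  if (internal) return 'internal';
  if (external) return 'external';
  return 'no-mandatory-role';
}

// Constructed sample data: two pre-existing users, two pre-existing ACLs.
const before = {
  users: [{ name: 'ess.user', roles: [] }, { name: 'itil.user', roles: ['itil'] }],
  acls: [{ name: 'kb_view', roles: [] }, { name: 'incident_write', roles: ['itil'] }],
};
const after = activateExplicitRoles(before.users, before.acls);

// Constructed external contact and an ACL that explicitly allows snc_external.
const contact = { name: 'portal.contact', roles: [EXTERNAL] };
const caseAcl = { name: 'case_read', roles: [EXTERNAL] };
```

In this model, legacyHasRoles() returns false for both the internal-only ess.user and the external contact, while classify() separates them.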