You can give both internal users and external users access to your instance. However,
you might not want both types of users to have the same level of access. To provide added
security, every user must have at least one role so the instance can distinguish between the users
that are internal and the users that are external.
Prior to the Geneva release, ESS users had no role, but were still considered part of your
organization and could access basic system resources by default, such as an ESS home page.
Starting with the Geneva release, ESS users can obtain the snc_internal role and still
retain the same level of access they had prior to Geneva.
External users must obtain, at minimum, the snc_external role. This role indicates that
the user is external to your organization and should not have any access to resources unless you
explicitly allow access through ACLs for the snc_external role, or you explicitly grant
them additional roles. By default, users with the snc_external role are unable to access
non-record type resources as well, such as processors and UI pages.
You should not mark the snc_internal role as elevated. Otherwise, internal users could
not access the instance.
Note: You can use encryption contexts with the snc_internal and
The Explicit Roles plugin
The Explicit Roles (com.glide.explicit_roles) plugin provides the snc_external and
snc_internal roles. This plugin is activated automatically when you activate the
Customer Service Portal.
When this plugin is activated:
- All existing users are automatically assigned the snc_internal role. This role
does not change existing access levels or system behavior. Rather, it provides a
category to differentiate internal users from external users. All internal users
maintain the same level of access as before the plugin was activated.
- All existing ACLs that do not have a role requirement are automatically assigned the
snc_internal role. Because both existing ACLs and roles are assigned the
snc_internal role, existing access levels do not change.
- External users must obtain, at minimum, the snc_external role to access the
instance. This role is automatically assigned to external Customer Service Portal
contacts. If the Customer Service Portal is not activated, this role must be manually
granted to external users. Access to records is granted through ACLs.
Providing access to external users
You can grant external users access to tables by creating a set of ACLs for the table. See
Provide external users access to a
Another approach you can take is to give all external users access to all tables, and then
restrict access to specific tables. You can do this by adding the snc_internal role
to the * ACL that is of Type ui_page.
The hasRoles() method
The hasRoles() method is still available, but is deprecated in the Geneva release. Use the
hasRole(role name) method instead.
If you do use the hasRoles() method, note these changes:
- This method automatically excludes the default snc_internal role when it checks for
roles. This means that if a user has only the snc_internal role, the
hasRoles() method still returns false.
- If the user has the snc_external role, false is returned because the
instance considers external users as without a role.
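The role rules and the hasRoles() behavior described above, modeled as an added example in plain JavaScript (not ServiceNow code and not part of the original documentation). The functions modelHasRoles, modelHasRole and auditUser, the sample users and the example_* role names are assumptions made for illustration.

```javascript
// Added illustration in plain JavaScript (Node.js). It models the rules stated
// on this page and calls no ServiceNow API; all function names are hypothetical.
const INTERNAL = 'snc_internal';
const EXTERNAL = 'snc_external';

// Model of the deprecated hasRoles(): snc_internal is ignored, and a user who
// holds snc_external is reported as having no roles.
function modelHasRoles(roles) {
  if (roles.includes(EXTERNAL)) return false;
  return roles.some((role) => role !== INTERNAL);
}

// Model of hasRole(roleName): a test for one named role.
function modelHasRole(roles, roleName) {
  return roles.includes(roleName);
}

// Review one user record ({ name, roles }) against the rules on this page.
function auditUser(user) {
  const internal = modelHasRole(user.roles, INTERNAL);
  const external = modelHasRole(user.roles, EXTERNAL);
  const extra = user.roles.filter((r) => r !== INTERNAL && r !== EXTERNAL);
  const findings = [];
  let type = internal ? 'internal' : 'external';
  if (!internal && !external) {
    type = 'unclassified';
    findings.push('has neither snc_internal nor snc_external');
  } else if (internal && external) {
    type = 'ambiguous';
    findings.push('holds both snc_internal and snc_external');
  }
  if (external && extra.length > 0) {
    findings.push('external user granted additional roles: ' + extra.join(', '));
    findings.push('hasRoles() is false for this user; test each role with hasRole()');
  }
  return { name: user.name, type, hasRoles: modelHasRoles(user.roles), findings };
}

// Constructed sample records; the example_* role names are placeholders.
const sampleUsers = [
  { name: 'alice', roles: ['snc_internal'] },
  { name: 'bob', roles: ['snc_internal', 'example_agent'] },
  { name: 'carol', roles: ['snc_external'] },
  { name: 'dave', roles: ['snc_external', 'example_partner_admin'] },
  { name: 'erin', roles: [] },
];

for (const report of sampleUsers.map(auditUser)) console.log(JSON.stringify(report));
```

In this model, dave is the case to watch: hasRoles() reports false even though an additional role has been granted, so a script that treats a false result as "no privileges" would misjudge him.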