Explicit roles

You can give both internal users and external users access to your instance. However, you might not want both types of users to have the same level of access. To provide added security, every user must have at least one role so that the instance can distinguish between internal and external users.

External users must obtain, at minimum, the snc_external role. The snc_external role indicates that the user is external to your organization and should not have any access to resources unless explicitly allowed through ACLs for the snc_external role or additional roles. By default, users with the snc_external role are unable to access non-record type resources as well, such as processors and UI pages.

Do not mark the snc_internal role as elevated. Otherwise, internal users cannot access the instance.

Note: You can use encryption contexts with the snc_internal and snc_external roles. However, adding encryption contexts to more detailed roles is recommended.

Explicit Roles plugin

The Explicit Roles (com.glide.explicit_roles) plugin provides the snc_external and snc_internal roles.

When this plugin is activated:
  • All existing users are automatically assigned the snc_internal role. This role does not change existing access levels or system behavior. Rather, it provides a category to differentiate internal users from external users. All internal users maintain the same level of access as before the plugin was activated.
  • Newly created users are automatically assigned the snc_internal role when they first attempt to log in to the instance, unless they have been explicitly assigned the snc_external role. You can add the snc_external role to a new user before they first log in to the instance to provide external user rights.
    Note: The snc_internal and snc_external roles can be added or removed at any time to change user rights.
  • All existing ACLs that do not have a role requirement are automatically assigned the snc_internal role. Because both existing ACLs and roles are assigned the snc_internal role, existing access levels do not change.
  • Newly created ACLs that do not have a role requirement are automatically assigned the snc_internal role. This role assignment does not apply to a newly created ACL with a role assigned.
  • External users must obtain, at minimum, the snc_external role to access the instance. This role is automatically assigned to external Customer Service Portal contacts. If the Customer Service Portal is not activated, this role must be manually granted to external users. Access to records is granted through ACLs.
Note: This plugin also requires the Contextual Security plugin.

Providing access to external users

You can grant external users access to tables be creating a set of ACLs for the table.

Another approach you can take is to give all external users access to all tables, and then restrict access to specific tables. You can do this by adding the snc_external role to the * ACL that is of Type ui_page.

The hasRoles() method

The hasRoles() method is still available, but is deprecated in the Geneva release. Use the hasRole(role name) method instead.

If you do use the hasRoles() method, note these changes:
  • This method automatically excludes the default snc_internal role when it checks for roles. This means that if a user has only the snc_internal role, the hasRoles() method still returns false.
  • If the user has the snc_external role, the method returns false because the instance considers external users to be without a role.