Product documentation Docs
    • English
    • Deutsch
    • 日本語
    • 한국어
    • Français
  • More Sites
    • Now Community
    • Developer Site
    • Knowledge Base
    • Product Information
    • ServiceNow.com
    • Training
    • Customer Success Center
    • ServiceNow Support Videos
  • Log in

Product documentation

  • Home
How search works:
  • Punctuation and capital letters are ignored
  • Special characters like underscores (_) are removed
  • Known synonyms are applied
  • The most relevant topics (based on weighting and matching to search terms) are listed first in search results
Topics are ranked in search results by how closely they match your search terms
  • A match on the entire phrase you typed
  • A match on part of the phrase you typed
  • A match on ALL of the terms in the phrase you typed
  • A match on ANY of the terms in the phrase you typed

Note: Matches in titles are always highly ranked.

  • Release version
    Table of Contents
    • Customer Service Management
Table of Contents
Choose your release version
    Home Orlando Customer Service Management Customer Service Management Customer Service Management Components installed with Customer Service Management Roles installed with Customer Service Management Explicit Roles in CSM

    Explicit Roles in CSM

    • Save as PDF Selected topic Topic & subtopics All topics in contents
    • Unsubscribe Log in to subscribe to topics and get notified when content changes.
    • Share this page

    Explicit Roles in CSM

    You can give both internal users and external users access to your instance. However, you might not want both types of users to have the same level of access. To provide added security, every user must have at least one role so that the instance can distinguish between internal and external users.

    External users must obtain, at minimum, the snc_external role. The snc_external role indicates that the user is external to your organization and should not have any access to resources unless explicitly allowed through ACLs for the snc_external role or additional roles that inherit the snc_external role. By default, users with the snc_external role cannot access:
    • Scripted REST API resources that are not marked external.
    • Tables without the role that inherits the snc_external role or the public role.
    • Non-record type resources, such as processors and UI pages without the snc_external role or a role that inherits the snc_external role.
    • Analytics, Intelligence, and Reporting dashboards.

    Do not mark the snc_internal role as elevated. Otherwise, internal users cannot access the instance.

    Note: You can Set up encryption contexts with the snc_internal and snc_external roles. However, adding encryption contexts to more detailed roles is recommended.

    Recommended CSM roles for internal and external users

    Customers (external users) using the Customer Service Management application should be assigned either the sn_customerservice.customer or the sn_customerservice.consumer role. Customer service agents (internal users) should be assigned either the sn_customerservice_agent or sn_customerservice_consumer_agent role. Make sure that the same user is not assigned both a customer (external) and agent (internal) role.
    Note: Assigning both external and internal roles to external users can create security issues as well as performance issues.

    Explicit Roles plugin

    The Customer Service plugin (com.sn_customerservice) activates the Explicit Roles plugin (com.glide.explicit_roles), which adds the snc_external and snc_internal roles. When the plugin is activated:

    • All users must have either the snc_internal role to access internal resources or the snc_external role to access external resources.
    • All existing users are automatically assigned the snc_internal role. This role does not change existing access levels or system behavior. Instead, it provides a category to differentiate internal users from external users. All internal users maintain the same level of access as before the plugin was activated.
      Tip: To prevent changing existing functionality for users, activating the Explicit Roles plugin assigns the snc_internal user role to all existing users in the instance, including any external users added before the Explicit Roles plugin was activated. After the Explicit Roles plugin is activated, do the following for all external users added before the Explicit Roles plugin was activated:
      • Remove the snc_internal role.
      • Add the snc_external role.
      This ensures that external users added before activating the Explicit Roles plugin do not have access to internal resource that should be available only to internal users.
    • Newly created users are automatically assigned the snc_internal role when they first attempt to log in to the instance, unless they have been explicitly assigned the snc_external role. You can add the snc_external role to a new user before they first log in to the instance to provide external user rights.
      Note: The snc_internal and snc_external roles can be added or removed at any time to change user rights.
    • All existing ACLs that do not have a role requirement are automatically assigned the snc_internal role. Because both existing ACLs and roles are assigned the snc_internal role, existing access levels do not change.
    • Newly created ACLs that do not have a role requirement are automatically assigned the snc_internal role. This role assignment does not apply to a newly created ACL with a role assigned.
    • For all existing Processor [sys_processor] records or newly created Processor [sys_processor] records with Type=script, the snc_internal role is automatically added to the Roles field if the field is empty.
    • To restrict access to UI pages to internal users, the plugin automatically assigns the snc_internal role to the * ACL with a Type of ui_page.
    • To restrict access to processors to internal users, the plugin automatically assigns the snc_internal role to the * ACL with a Type of processor.
    • External users must obtain, at minimum, the snc_external role to access the instance. This role is automatically assigned to external Customer Service Portal contacts. If the Customer Service Portal is not activated, this role must be manually granted to external users. Access to records is granted through ACLs.
      Note: You can use the isPublic() function in scripts for Customer Service Portal to change the privacy setting for a single client-callable script include. For more detail, see Script includes.
    • Content Management System site access is also affected. CMS is set up with Sites (content_site), Pages (content_page), and other resources. Some of the sites may have the Login page configured.
      • If CMS sites do not have the Login page configured, the public role is automatically added to the Read Roles field on Pages (content_page) if the field is empty.
      • If CMS sites have the Login page configured, the snc_internal role is automatically added to the Read Roles field on Pages (content_page) if the field is empty.
    • Service Portal site access is also affected.
      • The snc_internal role is not automatically added to sp_page, sp_widget or sp_instance records. If desired, you can give new records the role by assigning snc_internal as a default value in the Roles field for these records. For details on this process see Specify a default field value.

    Do not move System update sets among instances with and without the Explicit Roles plugin enabled.

    Note: This plugin also requires the Contextual Security Manager plugin.

    The glide.security.explicit_roles.internal_user_blacklist property

    The Explicit Roles plugin assumes that all existing users in the sys_user table at the time the plugin is installed are internal customers. A fix script assigns the snc_internal role to all existing users and to any ACL that does not have a role.

    The fix script may fail or may not finish in time for a user who has not been updated with the role and who attempts to access a resource. To bridge this potential gap, the Contextual Security Manager (CSM) auto-assigns the snc_internal role to any user who logs in and does not have an explicit role (either internal or external).

    Additionally, CSM has a business rule process that assigns the snc_external role to a classification of their users. However, when importing large sets of CSM external customers, workflow is set to false, so business rules don't run. As those users attempt to access a resource, they do not have any explicit roles. The Contextual Security Manager assigns the snc_internal role through a scheduled job called On-Call Gaps Conflicts Report that runs every 7 days. When the Explicit Roles plugin is active, this job assigns the snc_internal role to the CSM external user, since the user does not have either the snc_internal or snc_external role.

    To prevent inadvertently providing the snc_internal role to external users, the Explicit Roles plugin includes a glide.security.explicit_roles.internal_user_blacklist property to blacklist user types from ever becoming snc_internal. If there are no users types in the glide.security.explicit_roles.internal_user_blacklist table, the Contextual Security Manager assigns all users the snc_internal role by default. If there are classnames in the blacklist table, and if the sys_user class type is in the blacklist table, CSM assigns the snc_external role. Otherwise, CSM assigns the default snc_internal role as usual.

    For Orlando Patch 5 and later releases, this property is disabled by default.

    Providing table access to external users

    You can Provide external users access to a table by adding a role to the table that inherits the snc_external role.

    The hasRoles() method

    The hasRoles() method is still available, but is deprecated in the Geneva release. Use the hasRole(role name) method instead.

    If you do use the hasRoles() method, note these changes:
    • This method automatically excludes the default snc_internal role when it checks for roles. This means that if a user has only the snc_internal role, the hasRoles() method still returns false.
    • If the user has the snc_external role, the method returns false because the instance considers external users to be without a role.

    Tags:

    Feedback
    On this page

    Previous topic

    Next topic

    • Contact Us
    • Careers
    • Terms of Use
    • Privacy Statement
    • Sitemap
    • © ServiceNow. All rights reserved.

    Release version
    Choose your release version

      Explicit Roles in CSM

      • Save as PDF Selected topic Topic & subtopics All topics in contents
      • Unsubscribe Log in to subscribe to topics and get notified when content changes.
      • Share this page

      Explicit Roles in CSM

      You can give both internal users and external users access to your instance. However, you might not want both types of users to have the same level of access. To provide added security, every user must have at least one role so that the instance can distinguish between internal and external users.

      External users must obtain, at minimum, the snc_external role. The snc_external role indicates that the user is external to your organization and should not have any access to resources unless explicitly allowed through ACLs for the snc_external role or additional roles that inherit the snc_external role. By default, users with the snc_external role cannot access:
      • Scripted REST API resources that are not marked external.
      • Tables without the role that inherits the snc_external role or the public role.
      • Non-record type resources, such as processors and UI pages without the snc_external role or a role that inherits the snc_external role.
      • Analytics, Intelligence, and Reporting dashboards.

      Do not mark the snc_internal role as elevated. Otherwise, internal users cannot access the instance.

      Note: You can Set up encryption contexts with the snc_internal and snc_external roles. However, adding encryption contexts to more detailed roles is recommended.

      Recommended CSM roles for internal and external users

      Customers (external users) using the Customer Service Management application should be assigned either the sn_customerservice.customer or the sn_customerservice.consumer role. Customer service agents (internal users) should be assigned either the sn_customerservice_agent or sn_customerservice_consumer_agent role. Make sure that the same user is not assigned both a customer (external) and agent (internal) role.
      Note: Assigning both external and internal roles to external users can create security issues as well as performance issues.

      Explicit Roles plugin

      The Customer Service plugin (com.sn_customerservice) activates the Explicit Roles plugin (com.glide.explicit_roles), which adds the snc_external and snc_internal roles. When the plugin is activated:

      • All users must have either the snc_internal role to access internal resources or the snc_external role to access external resources.
      • All existing users are automatically assigned the snc_internal role. This role does not change existing access levels or system behavior. Instead, it provides a category to differentiate internal users from external users. All internal users maintain the same level of access as before the plugin was activated.
        Tip: To prevent changing existing functionality for users, activating the Explicit Roles plugin assigns the snc_internal user role to all existing users in the instance, including any external users added before the Explicit Roles plugin was activated. After the Explicit Roles plugin is activated, do the following for all external users added before the Explicit Roles plugin was activated:
        • Remove the snc_internal role.
        • Add the snc_external role.
        This ensures that external users added before activating the Explicit Roles plugin do not have access to internal resource that should be available only to internal users.
      • Newly created users are automatically assigned the snc_internal role when they first attempt to log in to the instance, unless they have been explicitly assigned the snc_external role. You can add the snc_external role to a new user before they first log in to the instance to provide external user rights.
        Note: The snc_internal and snc_external roles can be added or removed at any time to change user rights.
      • All existing ACLs that do not have a role requirement are automatically assigned the snc_internal role. Because both existing ACLs and roles are assigned the snc_internal role, existing access levels do not change.
      • Newly created ACLs that do not have a role requirement are automatically assigned the snc_internal role. This role assignment does not apply to a newly created ACL with a role assigned.
      • For all existing Processor [sys_processor] records or newly created Processor [sys_processor] records with Type=script, the snc_internal role is automatically added to the Roles field if the field is empty.
      • To restrict access to UI pages to internal users, the plugin automatically assigns the snc_internal role to the * ACL with a Type of ui_page.
      • To restrict access to processors to internal users, the plugin automatically assigns the snc_internal role to the * ACL with a Type of processor.
      • External users must obtain, at minimum, the snc_external role to access the instance. This role is automatically assigned to external Customer Service Portal contacts. If the Customer Service Portal is not activated, this role must be manually granted to external users. Access to records is granted through ACLs.
        Note: You can use the isPublic() function in scripts for Customer Service Portal to change the privacy setting for a single client-callable script include. For more detail, see Script includes.
      • Content Management System site access is also affected. CMS is set up with Sites (content_site), Pages (content_page), and other resources. Some of the sites may have the Login page configured.
        • If CMS sites do not have the Login page configured, the public role is automatically added to the Read Roles field on Pages (content_page) if the field is empty.
        • If CMS sites have the Login page configured, the snc_internal role is automatically added to the Read Roles field on Pages (content_page) if the field is empty.
      • Service Portal site access is also affected.
        • The snc_internal role is not automatically added to sp_page, sp_widget or sp_instance records. If desired, you can give new records the role by assigning snc_internal as a default value in the Roles field for these records. For details on this process see Specify a default field value.

      Do not move System update sets among instances with and without the Explicit Roles plugin enabled.

      Note: This plugin also requires the Contextual Security Manager plugin.

      The glide.security.explicit_roles.internal_user_blacklist property

      The Explicit Roles plugin assumes that all existing users in the sys_user table at the time the plugin is installed are internal customers. A fix script assigns the snc_internal role to all existing users and to any ACL that does not have a role.

      The fix script may fail or may not finish in time for a user who has not been updated with the role and who attempts to access a resource. To bridge this potential gap, the Contextual Security Manager (CSM) auto-assigns the snc_internal role to any user who logs in and does not have an explicit role (either internal or external).

      Additionally, CSM has a business rule process that assigns the snc_external role to a classification of their users. However, when importing large sets of CSM external customers, workflow is set to false, so business rules don't run. As those users attempt to access a resource, they do not have any explicit roles. The Contextual Security Manager assigns the snc_internal role through a scheduled job called On-Call Gaps Conflicts Report that runs every 7 days. When the Explicit Roles plugin is active, this job assigns the snc_internal role to the CSM external user, since the user does not have either the snc_internal or snc_external role.

      To prevent inadvertently providing the snc_internal role to external users, the Explicit Roles plugin includes a glide.security.explicit_roles.internal_user_blacklist property to blacklist user types from ever becoming snc_internal. If there are no users types in the glide.security.explicit_roles.internal_user_blacklist table, the Contextual Security Manager assigns all users the snc_internal role by default. If there are classnames in the blacklist table, and if the sys_user class type is in the blacklist table, CSM assigns the snc_external role. Otherwise, CSM assigns the default snc_internal role as usual.

      For Orlando Patch 5 and later releases, this property is disabled by default.

      Providing table access to external users

      You can Provide external users access to a table by adding a role to the table that inherits the snc_external role.

      The hasRoles() method

      The hasRoles() method is still available, but is deprecated in the Geneva release. Use the hasRole(role name) method instead.

      If you do use the hasRoles() method, note these changes:
      • This method automatically excludes the default snc_internal role when it checks for roles. This means that if a user has only the snc_internal role, the hasRoles() method still returns false.
      • If the user has the snc_external role, the method returns false because the instance considers external users to be without a role.

      Tags:

      Feedback

          Share this page

          Got it! Feel free to add a comment
          To share your product suggestions, visit the Idea Portal.
          Please let us know how to improve this content

          Check any that apply

          To share your product suggestions, visit the Idea Portal.
          Confirm

          We were unable to find "Coaching" in Jakarta. Would you like to search instead?

          No Yes
          • Contact Us
          • Careers
          • Terms of Use
          • Privacy Statement
          • Sitemap
          • © ServiceNow. All rights reserved.

          Subscribe Subscribed Unsubscribe Last updated: Tags: January February March April May June July August September October November December No Results Found Versions Search preferences successfully updated My release version successfully updated My release version successfully deleted An error has occurred. Please try again later. You have been unsubscribed from all topics. You are now subscribed to and will receive notifications if any changes are made to this page. You have been unsubscribed from this content Thank you for your feedback. Form temporarily unavailable. Please try again or contact  docfeedback@servicenow.com  to submit your comments. The topic you requested does not exist in the release. You were redirected to a related topic instead. The available release versions for this topic are listed There is no specific version for this documentation. Explore products Click to go to the page. Release notes and upgrades Click to open the dropdown menu. Delete Remove No selected version Reset This field is required You are already subscribed to this topic Attach screenshot The file you uploaded exceeds the allowed file size of 20MB. Please try again with a smaller file. Please complete the reCAPTCHA step to attach a screenshot
          Log in to personalize your search results and subscribe to topics
          No, thanks Login