You can give both internal users and external users access to your instance. However, you might not want both types of users to have the same level of access. To provide added security, every user must have at least one role so that the instance can distinguish between internal and external users.

As of the Paris release, no user can have both of the explicit roles (snc_internal and snc_external). Groups and role containment cannot include both roles, either, since that would cause any group member or user who is assigned to such a group or such a role to automatically have both roles. The Now Platform aborts any operation that would create such a scenario.

External users must obtain, at minimum, the snc_external role. The snc_external role indicates that the user is external to your organization. They should not have any access to resources unless explicitly allowed through ACLs for the snc_external role or additional roles that inherit the snc_external role. By default, users with the snc_external role cannot access:
  • Scripted REST API resources that are not marked external.
  • Tables without the role that inherits the snc_external role or the public role.
  • Non-record type resources, such as processors and UI pages without granting access to the snc_external role or a role that inherits the snc_external role.
  • Platform Analytics dashboards.

Do not mark the snc_internal role as elevated. Otherwise, internal users cannot access the instance.

Explicit Roles plugin

When the Explicit Roles plugin is activated:

  • All users must have the snc_internal role to access internal resources or the snc_external role to access external resources. Users without either explicit role can access only public resources.
  • All existing users are automatically assigned the snc_internal role. This role does not change existing access levels or system behavior. Instead, it provides a category to differentiate internal users from external users. All internal users maintain the same level of access as before the plugin was activated.
    Tip: To prevent changing existing functionality for users, activating the Explicit Roles plugin assigns the snc_internal user role to all existing users in the instance. This includes any external users added before the Explicit Roles plugin was activated. After the Explicit Roles plugin is activated, do the following for all external users added before the Explicit Roles plugin was activated:
    • Remove the snc_internal role.
    • Add the snc_external role.
    Doing the preceding ensures that external users added before activating the Explicit Roles plugin do not have access to internal resources that should be available only to internal users.
  • Newly created users are automatically assigned the snc_internal role when they first attempt to log in to the instance, unless they have been explicitly assigned the snc_external role. You can add the snc_external role to a new user before they first log in to the instance to provide external user rights.
    Important:

    Activate this plugin during a maintenance window or when few users are logged in. Users currently logged in when the plugin is activated will not be dynamically assigned the snc_internal role. Rather, users must log out and log back in to be assigned the snc_internal role. Once the plugin is activated, you can add or remove the snc_internal and snc_external roles at any time to change user rights.

    After the plugin is activated, any time a user logs in, the user is given the snc_internal role if the account does not already have that role, or the snc_external role. This includes users logged in via impersonation.

  • All existing ACLs that do not have a role requirement are automatically assigned the snc_internal role. Because both existing ACLs and users are assigned the snc_internal role, existing access levels do not change.
  • Newly created ACLs that do not have a role requirement are automatically assigned the snc_internal role. This role assignment does not apply to a newly created ACL with a role assigned.
  • For all existing Processor [sys_processor] records or newly created Processor [sys_processor] records with Type=script, the snc_internal role is automatically added to the Roles field if the field is empty.
  • To restrict access to UI pages to internal users, the plugin automatically assigns the snc_internal role to the * ACL with a Type of ui_page.
  • To restrict access to processors to internal users, the plugin automatically assigns the snc_internal role to the * ACL with a Type of processor.
  • External users must obtain, at minimum, the snc_external role to access the instance. This role must be manually granted to external users. Access to records is granted through ACLs.

Do not move system update sets among instances with and without the Explicit Roles plugin enabled. For more information, see System update sets.

Note: This plugin also requires the Contextual Security Manager plugin.

glide.security.explicit_roles.do_not_fix behavior

As of the Xanadu release the glide.security.explicit_roles.do_not_fix has been adjusted with changes to snc_internal. The snc_internal role is now the same both in memory and in sys_user_has_role. The new behavior for glide.security.explicit_roles.do_not_fix is:
Table 1. glide.security.explicit_roles.do_not_fix new behavior
Value Result
False Add snc_internal role both in memory and sys_user_has_role
True Do not add snc_internal role in memory or sys_user_has_role
To exclude snc_internal role for certain users, use the glide.security.explicit_roles.ignore.snc_internal.exclude_role_list property.
Tip: To revert to previous glide.security.explicit_roles.do_not_fix behavior use the glide.security.explicit_roles.do_not_fix_in_memory property.

Providing table access to external users

You can provide external users access to a table by adding a role to the table that inherits the snc_external role. For more information, see Provide external users access to a table.

The hasRoles() method

The hasRoles() method is still available, but is deprecated in the Geneva release. Use the hasRole(role name) method instead.

If you do use the hasRoles() method, note these changes:
  • This method automatically excludes the default snc_internal role when it checks for roles. This means that if a user has only the snc_internal role, the hasRoles() method still returns false.
  • If the user has the snc_external role, the method returns false because the instance considers external users to be without a role.

Mutual exclusion: snc_external versus snc_internal

The Now Platform prevents users from having both the snc_external role and the snc_internal role. The Now Platform applies this mutual exclusion everywhere in the system and writes error messages to the logs for each conflict.
Note: ACLs can have both roles if the ACL resources should be accessible to all users.
Example: Adding both explicit roles to a user (direct collision):
  1. Assign user Abel Tuter the snc_internal role.
  2. Assign user Abel Tuter the snc_external role.

Result: Adding the snc_external role fails because Abel Tuter has the snc_internal role.

Example: Adding both explicit roles to a group (direct collision):

  1. Consider a group called Test Group that currently has no explicit roles assigned to the group.
  2. Add Abel Tuter to the Test Group.
  3. Add the snc_external role to Test Group.

Result: Adding the snc_external role fails because Abel Tuter already has the snc_internal role and can't have both roles.

Example: Adding an explicit role to a group where a group member has the conflicting explicit role (indirect collision):
  1. Assign user Abel Tuter the snc_internal role.
  2. Consider a group called Test Group that currently has no explicit roles assigned to the group.
  3. Add Abel Tuter to the Test Group.
  4. Add the snc_external role to the Test Group.

Result: Adding the snc_external role to the group fails because Abel Tuter would inherit the snc_external role through group membership. Both explicit roles would be assigned to the same user, which isn't allowed.

For other examples, see the following table:

Role Attempted action Result
Direct collision
The user has the snc_internal role. Add the snc_external role. The action is aborted.
The user has the snc_external role. Add the snc_internal role. The action is aborted.
The user has no explicit role. Add the snc_internal or snc_external role. The role is added.
The user has both explicit roles (existing collision). Add the user to a group with no roles. The action is aborted.
A role not associated with any users contains the snc_internal role. Add the snc_external role. The action is aborted.
A role not associated with any users contains the snc_external role. Add the snc_internal role. The action is aborted.
A role contains both explicit roles (existing collision). Add the role to a user, role, or group. The action is aborted.
A group with no members has the snc_internal role. Add the snc_external role. The action is aborted.
A group with no members has the snc_external role. Add the snc_internal role. The action is aborted.
A group with no members has no roles. Add the snc_internal or snc_external role. The role is added.
Indirect collision
Role containment with collision
  1. Grant a role called Test Role to a user with the snc_internal role.
  2. Add the snc_external role Test Role.
 The action is aborted.
Role containment without collision
  1. Grant a role called Test Role to a user with no roles.
  2. Add the snc_external role to Test Role.
 The role is added to both the user and Test Role.
Group containment with collision
  1. Add a user who has the snc_internal role to a group called Test Group 2 (child of Test Group 1).
  2. Add the snc_external role to Test Group 2.
  3. Add the snc_external role to a parent group called Test Group 1 (parent of Test Group 2).
 The action is aborted.
Group containment without collision
  1. Add a user with no roles to a group called Test Group 2 (child of Test Group 1).
  2. Add the snc_external or snc_internal role to Test Group 1 (parent of Test Group 2).
 The role is added to the parent group, the child group, and the user.
Group containment plus role containment with collision Add contains_external to Test Group 1, the parent of Test Group 2. Test Group 1 and Test Group 2 both get contains_external, but don't explicitly get the snc_external role.
Add the snc_internal role to Test Group 2, the child of Test Group 1. The action is aborted.
Group parent change plus group containment
  1. Remove Test Group 1 as the parent of Test Group 2.
  2. Add the snc_internal role to Test Group 1.
  3. Add the snc_external role to Test Group 2.
  4. In Test Group 2, set Test Group 1 as the parent group and save.
 The action is aborted.

Repeat for already nested groups, with the same expectation.

The cause of an aborted action appears in the error message and must be addressed before another attempt succeeds.

For direct cases, such as adding an explicit role to an individual user, verify which explicit role the user should have. If the user has the wrong explicit role, it must first be removed, and then the correct explicit role must be added.

For indirect cases,such as adding an explicit role to a group (so that a group member would be assigned both explicit roles), evaluate whether that user should be in the group. Also determine whether the group should be given the explicit role, including any inheritance through group hierarchy and role containment.

Note that the Now Platform reports only the first potential collision encountered. If repeated attempts continue to fail after remediation, with a new root cause each time, re-evaluate the relevant user/group/role interdependence more broadly. You may want to rethink how groups and role containments are structured.

Request Explicit Roles

Activate Explicit Roles by requesting the Explicit Roles plugin (com.glide.explicit_roles) through the Now Support Service Catalog.

Before you begin

Role required: admin

Important: Activate this plugin during a maintenance window or when few users are logged in. Users currently logged in when the plugin is activated will not be dynamically assigned the snc_internal role. Rather, users must log out and log back in to be assigned the snc_internal role. Once the plugin is activated, you can add or remove the snc_internal and snc_external roles at any time to change user rights.

Procedure

  1. Navigate to All > System Applications > All Available Applications > All.
  2. On the All Applications page, select Request Plugin to open the Activate Plugin form on Now Support.
    Admin view of Activate Plugin form to capture details for activating the CSM Workspace plugin on a selected instance. For the text description, refer to the Activate Plugin form table.
  3. On Now Support, select the link to access the Now Support Service Portal Service Catalog.
    Message informing customers about new service portal with a link provided.
  4. Select your instance.
  5. Select Actions > Activate Plugin.
  6. On the Activate Plugin form, provide the following information.
    Table 2. Activate Plugin form
    Field Description

    What is your target instance

    Instance on which to activate the plugin.

    Which plugin would you like to activate

    Name of the plugin to activate.

    Note: If the system does not list the plugin you want or if you are activating the plugin on an OEM or on-premise instance, select the Plugin I'm looking for is not listed check box and then enter the name of the plugin.

    Select Maintenance Date and Time

    The date and time to activate the plugin.

    Note: Plugins are activated in two batches, once in the morning and once in the evening, on every business day in the US Pacific time zone. If the plugin must be activated at a specific time, enter the request in the Reason/Comments field.

    For example, see the following form to activate the CSM Workspace plugin on an instance named My Instance.

    Figure 1. Activate Plugin form
    Admin view of the form to capture details of the CSM Workspace plugin on a selected instance. For the text description, refer to the Activate Plugin form table.
  7. Select Submit.
    For additional details about requesting a plugin, see Requesting a Plugin from the Service Catalog [KB0751715] article in the Now Support Knowledge Base.