Deny internal access to explicit external roles [Updated in Security Center 1.3]
- Updated Aug 3, 2023
- Vancouver
- Now Platform Security
Multiple properties together make up the configuration for the "enable explicit roles internal denylist" hardening setting. The glide.security.explicit_roles.enable_internal_user_blacklist property prevents external users from being assigned the snc_internal role and enables the glide.security.explicit_roles.internal_user_blacklist property to assign the snc_external role.
glide.security.explicit_roles.enable_internal_user_blacklist
This property prevents external users from being assigned the snc_internal role. If glide.security.explicit_roles.enable_internal_user_blacklist is not set to the recommended value of true, and the glide.security.explicit_roles.internal_user_blacklist property is not set to a list of untrusted user classes, then the specified roles can be assigned the snc_internal role instead of the snc_external role. If the list is empty, then all users will be assigned the snc_internal role by default. The glide.security.explicit_roles.internal_user_blacklist property should contain at least the default value csm_consumer_user,customer_contact. Misconfiguration of these properties increases the risk that an external user account gains access to internal information.
More information
glide.security.explicit_roles.internal_user_blacklist
The glide.security.explicit_roles.internal_user_blacklist value determines which user classes (tables which extend sys_user) should be assigned the snc_external role instead of the snc_internal role. The default value csm_consumer_user,customer_contact is defined to align with use cases in the Customer Service Management plugins.
The property value only needs to be changed if there are additional or different user classes which need to be assigned the snc_external role by default, instead of the snc_internal role. Contact Support to alter these values.
To learn more about adding or creating a system property, see Add a system property.
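The following is an added example, not ServiceNow's own code: a small audit function that checks the two property values against the recommendations above (flag set to true, list not empty, default user classes present). The function names and sample values are assumptions; on an instance the values would be read with gs.getProperty(name) instead of being passed in as strings.

```javascript
// Added example: audits the two property values described on this page.
// The values are passed in as plain strings so the check runs anywhere.
const ENABLE_PROP = 'glide.security.explicit_roles.enable_internal_user_blacklist';
const LIST_PROP = 'glide.security.explicit_roles.internal_user_blacklist';
const DEFAULT_CLASSES = ['csm_consumer_user', 'customer_contact'];

// Split the comma-separated property value into trimmed, non-empty names.
function parseClassList(value) {
  return String(value == null ? '' : value)
    .split(',')
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
}

// Returns { compliant, findings, classes } for a map of property name -> value.
// Assumption: the flag is compared case-insensitively after trimming.
function auditInternalDenylist(props) {
  const findings = [];
  const raw = props[ENABLE_PROP];
  const enabled = String(raw == null ? '' : raw).trim().toLowerCase();
  if (enabled !== 'true') {
    findings.push(ENABLE_PROP + ' is not set to the recommended value of true');
  }
  const classes = parseClassList(props[LIST_PROP]);
  if (classes.length === 0) {
    findings.push(LIST_PROP + ' is empty: all users get snc_internal by default');
  } else {
    const missing = DEFAULT_CLASSES.filter((c) => !classes.includes(c));
    if (missing.length > 0) {
      findings.push(LIST_PROP + ' is missing default user classes: ' + missing.join(','));
    }
  }
  return { compliant: findings.length === 0, findings, classes };
}

// Constructed sample values (not taken from a real instance).
const hardened = { [ENABLE_PROP]: 'true', [LIST_PROP]: 'csm_consumer_user,customer_contact' };
const weak = { [ENABLE_PROP]: 'false', [LIST_PROP]: ' customer_contact ' };
const empty = { [ENABLE_PROP]: 'true', [LIST_PROP]: '' };

for (const [label, props] of Object.entries({ hardened, weak, empty })) {
  const result = auditInternalDenylist(props);
  console.log(label, result.compliant ? 'OK' : 'FAIL', result.findings);
}
```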