TPRM and the Explicit Roles plugin
Activating the Third-party Risk Management plugin also installs the Explicit Roles plugin. Administrators assign the snc_internal and snc_external roles to provide internal and external users access to the instance.
When third-party contacts are created, they are automatically assigned the snc_external role, giving them access to resources related to the Third-party portal.
Various tables provide role-based access to records by setting the Roles field. If the Roles field is empty, all users have access to that record. For example, if the Roles field of a Service Catalog item is empty, all users have access to that Service Catalog item.
- Before installing the Explicit Roles plugin, if a Service Catalog item had an empty Roles field, it was accessible to every user.
- After installing the Explicit Roles plugin, the Roles field of the Service Catalog item is updated to snc_internal and all existing users are given the snc_internal role, making the catalog item accessible to those users.
- After that, all new users must be assigned the snc_internal role, or they will not have access to that Service Catalog item.
The following table describes the changes to tables affected by the Explicit Roles plugin.
| Table | Changes |
|---|---|
| Access Control [sys_security_acl] | For all existing and newly created ACLs without a role requirement, the snc_internal role is assigned. |
| Catalog item [sc_cat_item] | For all records where the Roles field is empty, the snc_internal role is added. If the glide.sc.use_user_criteria property is set to false, newly created catalog items are automatically assigned the snc_internal role. If the property is set to true, the SNC External user criteria is added to all newly created catalog items, excluding external users from viewing the record. |
| Page [content_page] | For sites that have a login page, where the Read roles field is empty, the snc_internal role is added. For sites that have no login page or that have automatically created content pages, the public role is added. |
| Navigation Menu [sys_app_application] | For all records where the Roles field is empty, the snc_internal role is added. Newly created navigation menus with an empty Roles field are also automatically assigned the snc_internal role. |
| Overview Help Panel [sys_ui_overview_help_panel] | For all records where the Roles field is empty, the snc_internal role is added. Newly created overview panels with an empty Roles field are also assigned the snc_internal role. |
| Portal Page [sys_portal_page] | For all records where the Read roles field is empty, the snc_internal role is added. Newly created portal pages with an empty Read roles field are also automatically assigned the snc_internal role. |
| Processor [sys_processor] | For all records where the Roles field is empty, the snc_internal role is added. Newly created processors with an empty Roles field are also automatically assigned the snc_internal role. |
| Report [sys_report] | For all records where the Roles field is empty, snc_internal is added. Newly created reports that have an empty Roles field when sharing are also automatically assigned the snc_internal role. |
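The following script is an added example, not ServiceNow's or the plugin's own code. It models the access rule stated above (an empty Roles field means every user can read the record) against constructed sample records, and includes a collector for a background script that lists records in the affected tables whose Roles field is still empty. The column names in AUDITED_TABLES are assumptions taken from the "Roles" and "Read roles" labels on this page.

```javascript
// Added example, not ServiceNow's code. Models the page's rule (empty Roles field
// = readable by every user, snc_external included) and audits the affected tables.
// Column names are assumptions from the "Roles"/"Read roles" labels; verify them
// in your instance (sys_security_acl keeps roles in a related table, so it is omitted).
var AUDITED_TABLES = {
  sc_cat_item: 'roles', sys_app_application: 'roles', sys_ui_overview_help_panel: 'roles',
  sys_portal_page: 'roles', sys_processor: 'roles', sys_report: 'roles',
  content_page: 'read_roles'
};

// A glide_list of roles is stored as a comma-separated string ("snc_internal,itil").
function parseRoles(value) {
  return String(value || '').split(',').map(function (r) { return r.trim(); })
    .filter(function (r) { return r.length > 0; });
}

// Read check as the page states it: empty Roles means everyone; otherwise the
// user needs at least one listed role. A new user without snc_internal is denied.
function canRead(recordRoles, userRoles) {
  var required = parseRoles(recordRoles);
  if (required.length === 0) return true;
  return required.some(function (r) { return userRoles.indexOf(r) !== -1; });
}

// Records still open to all users: either not yet restricted by the plugin or
// created afterwards without a role. These are the ones to review first.
function findUnrestricted(records) {
  return records.filter(function (rec) { return parseRoles(rec.roles).length === 0; });
}

// Constructed sample records (not instance data) showing the before/after state.
var SAMPLE_RECORDS = [
  { table: 'sc_cat_item', sys_id: 'item_before', roles: '' },             // pre-plugin
  { table: 'sc_cat_item', sys_id: 'item_after', roles: 'snc_internal' },  // after plugin
  { table: 'sys_report', sys_id: 'report_shared', roles: 'snc_internal,itil' },
  { table: 'sys_portal_page', sys_id: 'page_open', roles: '' }            // created later
];

// For a ServiceNow background script: pull live records with an empty Roles field,
// then pass the result to findUnrestricted(). GlideRecord and gs exist only there.
function collectFromInstance() {
  var found = [];
  Object.keys(AUDITED_TABLES).forEach(function (table) {
    var gr = new GlideRecord(table);
    gr.addNullQuery(AUDITED_TABLES[table]);   // empty Roles field
    gr.query();
    while (gr.next()) found.push({ table: table, sys_id: gr.getUniqueValue(), roles: '' });
  });
  gs.info('glide.sc.use_user_criteria = ' + gs.getProperty('glide.sc.use_user_criteria'));
  return found;
}
```

Run the file in a background script and feed collectFromInstance() into findUnrestricted(); outside the instance only the pure functions are usable.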