
Symptoms


There are several user records that look to have been created by the "guest" account.

Release


This occurs in all releases.

Cause


User records are automatically created from emails when the property "glide.email.create_userid_from_email" is set to true or "glide.pop3readerjob.create_caller" is set to true. If the system does not recognize the sender of an incoming email, or the sender is not from an approved domain, the inbound actions are processed under the guest account.

Additionally, if an instance has SAML enabled or uses LDAP imports, user accounts can be auto-provisioned, and this is also completed through the guest account. Users are auto-provisioned in the system when the properties "glide.ldap.user.autoprovision" and "glide.authenticate.multisso.user.autoprovision" are set to true.

Resolution


If the property "glide.pop3readerjob.create_caller" is set to true, user accounts are automatically created from emails. Admins can specify the approved domains user accounts should be created from with property "glide.user.trusted_domain". There is a note about these two properties in our product documentation:

"NOTE: The glide.user.trusted_domain property only prevents user creation if the sender is not from a trusted domain. The system processes the inbound actions of the email as a guest user. If you want the system to ignore these email messages, use the email filters plugin, specifically the "ignore sender" setting. You can also prevent untrusted users from triggering inbound actions by locking out the guest user. "

When the property "glide.pop3readerjob.create_caller" is set to false, the instance runs inbound actions from users who do not match an existing user by impersonating the guest user.

The "glide.email.create_userid_from_email" property was introduced into the system with the Email Automatic User Creation plugin. The property is described as follows: 

"When set to true, causes new users to be created with a UserID that matches their email address instead of firstname.lastname. This helps create unique UserIDs when two users with the same name send emails to an instance. Also changes the behavior of gs.createUser() to match the entire email address of the user (including the domain name), instead of just the first part of the email in front of the @-sign." 
 
You can read about this functionality at the following documentation URL:
https://docs.servicenow.com/bundle/jakarta-servicenow-platform/page/administer/notification/task/t_EnablingAutomaticUserCreation.html 
 
----

 

To disable the SAML Auto Provisioning process, admins can un-check the "Enable Auto importing of users from all identity providers into the user table" on the Multi-Provider SSO > Properties page, as well as the "Auto Provisioning User" checkbox found on each Identity Provider page. It is important to note that the SAML Auto Provisioning process can only be disabled if you are utilizing a separate LDAP import system for your users. If you are relying upon the SSO process to create your users and do not have a separate LDAP import process, you will need to leave these boxes checked. 
SAML Automatic User Provisioning documentation - https://docs.servicenow.com/bundle/kingston-platform-administration/page/integrate/saml/task/t_AdministerSAMLUserProvisioning.html
 
 
For the LDAP import process, users are auto-provisioned when "glide.ldap.user.autoprovision" and "glide.ldap.authentication" are both set to true.
LDAP Automatic User Provisioning documentation - https://docs.servicenow.com/bundle/kingston-platform-administration/page/integrate/ldap/task/t_AutoProvisionLDAPUsers.html
----
 
To verify how the guest account is creating your sys_user records, please check the properties mentioned above. All four of them allow automatic user record creation in the system, which will cause some user records to show "Created by guest":
- glide.pop3readerjob.create_caller
- glide.email.create_userid_from_email
- glide.ldap.user.autoprovision
- glide.authenticate.multisso.user.autoprovision
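
One way to run this check, as an added example that is not ServiceNow's own code: it reports which of the four properties are enabled and which guest-created users have an email domain outside "glide.user.trusted_domain". The function name, the sample data, and the treatment of that property as a comma-separated list where "*" trusts every domain are assumptions.

```javascript
// Added example (ES5, so it also runs in Scripts - Background on an instance).
var AUTO_CREATE_PROPS = [
  'glide.pop3readerjob.create_caller',
  'glide.email.create_userid_from_email',
  'glide.ldap.user.autoprovision',
  'glide.authenticate.multisso.user.autoprovision'
];
// props: {name: value string}; users: [{user_name, email, sys_created_by}]
function auditGuestCreation(props, users) {
  var enabled = AUTO_CREATE_PROPS.filter(function (name) {
    return String(props[name]).toLowerCase() === 'true';
  });
  // Assumption: comma-separated list; '*' or an unset value trusts every domain.
  var trusted = String(props['glide.user.trusted_domain'] || '*').split(',')
    .map(function (d) { return d.trim().toLowerCase(); });
  var trustAll = trusted.indexOf('*') !== -1;
  var guestCreated = users.filter(function (u) {
    return u.sys_created_by === 'guest';
  });
  // A missing email is reported as outside the trusted list.
  var outside = guestCreated.filter(function (u) {
    var email = String(u.email || '').toLowerCase();
    var domain = email.slice(email.lastIndexOf('@') + 1);
    return !trustAll && trusted.indexOf(domain) === -1;
  });
  function names(list) {
    return list.map(function (u) { return String(u.user_name); });
  }
  return { enabledProperties: enabled, guestCreated: names(guestCreated),
           outsideTrustedDomains: names(outside) };
}
// Constructed sample data for offline runs (not from a real instance).
var SAMPLE_PROPS = { 'glide.pop3readerjob.create_caller': 'true',
  'glide.ldap.user.autoprovision': 'false',
  'glide.user.trusted_domain': 'example.com, example.org' };
var SAMPLE_USERS = [
  { user_name: 'a.lee', email: 'a.lee@example.com', sys_created_by: 'guest' },
  { user_name: 'x@other.test', email: 'x@other.test', sys_created_by: 'guest' },
  { user_name: 'b.kim', email: 'b.kim@example.com', sys_created_by: 'admin' }
];
// On an instance, collect live values instead (Glide APIs exist only there).
if (typeof GlideRecord !== 'undefined') {
  var liveProps = {}, liveUsers = [], gr = new GlideRecord('sys_user');
  AUTO_CREATE_PROPS.concat('glide.user.trusted_domain').forEach(function (n) {
    liveProps[n] = gs.getProperty(n, '');
  });
  gr.addQuery('sys_created_by', 'guest');
  gr.query();
  while (gr.next()) { liveUsers.push({ user_name: gr.getValue('user_name'),
    email: gr.getValue('email'), sys_created_by: 'guest' }); }
  gs.info(JSON.stringify(auditGuestCreation(liveProps, liveUsers)));
}
```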
 
 

Additional Information


For situations where the "guest" account has updated user records, please see -- KB0683874

 

Article Information

Last Updated: 2018-04-23 17:46:00
Published: 2018-04-24