After an upgrade of a Walk-up Experience instance, the Walkup User (with sn_walkup.walkup_login role) is being assigned snc_internal instead of snc_external


Description

In Quebec, the Explicit Roles plugin was added as a dependency for the Walk-up Experience plugin. This was done so that the Walk Up User would explicitly be an external user and not have access to the internal APIs and records of the instance. Specifically, the Walk Up User was assigned the snc_external role and the sn_walkup.walkup_login role now contains the snc_external role.

For upgrades on an existing Walk Up Experience instance that are adding the Explicit Roles plugin for the first time, the existing Walk Up User will be first assigned the snc_internal role as all existing users are implicitly internal. These security roles cannot be changed by a scoped app script, so a Known Error occurs in which the Walk Up user will be unable to access the /walkup service portal pages.

Steps to Reproduce

Activate the walkup plugin on an older release like Orlando or Paris that does not already have the Explicit Roles plugin.

Upgrade the instance. This will upgrade the Walk Up Experience plugin and add the Explicit Roles plugin for the first time.

Impersonate the Walkup User.

Go to the /walkup portal.

The security restraint is no longer visible and the walkup login portal can't be accessed.

Workaround

The simple workaround is documented at: https://docs.servicenow.com/csh?topicname=explicit-roles.html&version=latest

For the "Walk Up User" sys_user record:


Alternatively, a background script can be run in global scope. Here is an example:

    var walkup_user = 'd4528d31b31013002186a72256a8dc4e'; // sys_id of Walkup User user
    var snc_internal_role = '7fcaa702933002009c8579b4f47ffbde'; // sys_id of snc_internal role
    var snc_external_role = '940ba702933002009c8579b4f47ffbe2'; // sys_id of snc_external role

    // Remove the snc_internal role assignment from the Walkup User, if present
    var role_int = new GlideRecord('sys_user_has_role');
    role_int.addQuery('user', walkup_user);
    role_int.addQuery('role', snc_internal_role);
    role_int.query();
    if (role_int.next())
        role_int.deleteRecord();

    // Add the snc_external role assignment only if the Walkup User does not already have it
    var role_ext = new GlideRecord('sys_user_has_role');
    role_ext.addQuery('user', walkup_user);
    role_ext.addQuery('role', snc_external_role);
    role_ext.query();
    if (!role_ext.next()) {
        role_ext.initialize();
        role_ext.user = walkup_user;
        role_ext.role = snc_external_role;
        role_ext.insert();
    }
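
To confirm the role state before and after the workaround, the check below is an added example (not part of the original article and not ServiceNow code). It takes rows shaped like sys_user_has_role entries, reduced to user and role names, and reports any sn_walkup.walkup_login holder who has snc_internal or lacks snc_external. The function name auditWalkupRoles, the user names and the sample rows are constructed for illustration.

```javascript
// Added example: audit role assignments for Walk-up login users.
// Rows mirror sys_user_has_role as {user, role} name pairs (constructed sample data).
var WALKUP_ROLE = 'sn_walkup.walkup_login';
var INTERNAL = 'snc_internal';
var EXTERNAL = 'snc_external';

function auditWalkupRoles(rows) {
    // Group role names by user; a prototype-less map avoids key collisions.
    var byUser = Object.create(null);
    rows.forEach(function (row) {
        if (!byUser[row.user]) byUser[row.user] = Object.create(null);
        byUser[row.user][row.role] = true;
    });

    var findings = [];
    Object.keys(byUser).sort().forEach(function (user) {
        var roles = byUser[user];
        if (!roles[WALKUP_ROLE]) return; // only Walk-up login users are in scope
        var issues = [];
        if (roles[INTERNAL]) issues.push('has ' + INTERNAL);
        if (!roles[EXTERNAL]) issues.push('missing ' + EXTERNAL);
        if (issues.length) findings.push({ user: user, issues: issues });
    });
    return findings;
}

// Constructed sample: role state right after the upgrade.
var afterUpgrade = [
    { user: 'walkup.user', role: WALKUP_ROLE },
    { user: 'walkup.user', role: INTERNAL },
    { user: 'itil.agent', role: INTERNAL },
    { user: 'itil.agent', role: 'itil' }
];

// Constructed sample: role state after the workaround has been applied.
var afterWorkaround = [
    { user: 'walkup.user', role: WALKUP_ROLE },
    { user: 'walkup.user', role: EXTERNAL },
    { user: 'itil.agent', role: INTERNAL },
    { user: 'itil.agent', role: 'itil' }
];

console.log(JSON.stringify(auditWalkupRoles(afterUpgrade)));
console.log(JSON.stringify(auditWalkupRoles(afterWorkaround)));
```

Internal users who do not hold sn_walkup.walkup_login, such as the constructed itil.agent, are never flagged.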



Related Problem: PRB1444143