Restrict ESS or non-role users from navigating to native UI by manipulating the URLDescriptionBased on the configurations defined in the SPEntryPage().getFirstPageURL() function, the user will be redirected to the portal or the native UI. However, if the end user tries to manipulate or modify the URL, they can view the same record in native UI view. For ex: Portal Link - https://XXXXX.service-now.com/sp?id=order_status&table=sc_request&sys_id=edc9b3bc1b2d381009486284bb4bcbc7 Now if the end user is manually modifying the URL as below: Native UI Link - https://XXXXX.service-now.com/sc_request.do&sys_id=edc9b3bc1b2d381009486284bb4bcbc7 or - https://XXXXX.service-now.com/sc_request.do?sys_id=edc9b3bc1b2d381009486284bb4bcbc7 The end user now sees the record in native UI view.Release or EnvironmentAll supported releasesCauseWhen the non-role OR ESS user clicks on a hyperlink that is embedded in a document/mail, and the URL is pointing to native UI, it redirects to the user portal view.However, when the user manually tries to manipulate the URL, it does not do the same thing.If the user hit an URL which points to the native UI, and if the user has access to the table/record, it will show the list in native UI view. The redirection does not happen here.ResolutionSystem does not seem to have control if the nav_to.do is missing from the URL.The native UI Link mentioned above do not have nav_to.do in the URL.If nav_to.do is present, system knows where to redirect based on the user role.Here we can implement a custom Global UI script as belowUI Type: DesktopGlobal = true addLoadEvent(function(){ if(!g_user.hasRoleExactly('itil') && document.URL.indexOf('.do')!= -1) { window.location='/sp'; } else {return}}); The script here checks if the user has 'itil' role or not. You can replace this role as per your business requirement.This is not a platform issue. The platform is working as expected here.Additional InformationThe UI script mentioned above is just an idea on how you can approach to mitigate this behavior.Further customization will be out of scope of support for the technical support department.Some additional custom validations ideas that you can try in the UI script to check if the URL is a portal URL or not:- Portal URLs will always have 'id='- Portal URLs do not have '.do' or '_list.do'- Use GlideAjax within the UI script to add more server side validations such as member of groups, company etc. Please keep in mind that server side queries can have performance impact on the instance. On how to use GlideAjax in UI script, Click here to know.