Allow Only admin Role Users to Login to an Instance (For Example During a Maintenance Window)

Description

Some customers have requested a way to set an instance to allow only local (sys_user table) users with the admin role to log in. This is usually done to enforce a maintenance window, during which normal users of the system are unable to get in until the maintenance activities are complete.

Release or Environment

All current ServiceNow releases

Resolution

To prevent users logging in via Single Sign-On, go to Multi-Provider SSO -> Administration -> Properties, untick 'Enable multiple provider SSO' and save. Then, to prevent local (User [sys_user] table and LDAP) users who do not have the admin role from logging in, do the following:

1. Open the out-of-box (OOB) Login Installation Exit: https://INSTANCENAME.service-now.com/nav_to.do?uri=sys_installation_exit.do?sys_id=7cfa46450a0a0aa90056aa3101b0bd7c

2. Export this record as XML and save the XML file somewhere you won't lose it, as you'll need it to undo these changes later and restore instance access for all users.

3. Change the Installation Exit to add this content starting at line 14 (Rome version), OR replace the entire record with the full content under ALTERNATIVE below:

if (GlideStringUtil.notNil(userName)) { var authed = user.authenticate(userName, userPassword); var sysUsrGr = GlideRecord('sys_user'); var sysUserRoleGr = GlideRecord('sys_user_has_role'); sysUsrGr.get('user_name', userName); sysUserRoleGr.get('user',sysUsrGr.sys_id); adminUser = false; while(sysUserRoleGr.next()) { if (sysUserRoleGr.role.sys_id == '2831a114c611228501d4ea6c309d626d') // the OOB admin role has sys_id 2831a114c611228501d4ea6c309d626d
{ adminUser = true; } } if (authed && adminUser) return user.getUser(userName);

Note: the role check as written can lock out the admin accounts you are trying to keep, so test it before disabling SSO. `sysUserRoleGr.get('user', ...)` already positions the record on the first matching sys_user_has_role row, so the following `while(sysUserRoleGr.next())` loop starts at the second row and can skip the admin role; running `sysUserRoleGr.addQuery('user', sysUsrGr.sys_id); sysUserRoleGr.query();` before the loop instead of `get()` avoids this. `adminUser` is also assigned without `var`; declare it as `var adminUser = false;`. This exit only governs the username/password login path (it reads the login form parameters), so confirm separately that any other authentication path you use is also restricted. Apply and test the change with an admin account in a second browser while keeping an existing admin session open, so the backup from step 2 can be restored if the check fails.

ALTERNATIVE: Replace the entire existing Script with this content:

gs.include("PrototypeServer"); var Login = Class.create(); Login.prototype = { initialize : function() { }, process : function() { // the request is passed in as a global var
userName = request.getParameter("user_name"); var userPassword = request.getParameter("user_password"); var user = GlideUser; if (GlideStringUtil.notNil(userName)) { var authed = user.authenticate(userName, userPassword); var sysUsrGr = GlideRecord('sys_user'); var sysUserRoleGr = GlideRecord('sys_user_has_role'); sysUsrGr.get('user_name', userName); sysUserRoleGr.get('user',sysUsrGr.sys_id); adminUser = false; while(sysUserRoleGr.next()) { if (sysUserRoleGr.role.sys_id == '2831a114c611228501d4ea6c309d626d') // the OOB admin role has sys_id 2831a114c611228501d4ea6c309d626d
{ adminUser = true; } } if (authed && adminUser) return user.getUser(userName); } else if (SNC.AuthenticationHelper.isMutualAuth()) { var userLoginName = user.authenticateMutualAuthToken(); if (userLoginName != null) { return user.getUser(userLoginName); } } this.loginFailed(); return "login.failed"; }, loginFailed: function() { if (GlideController.exists("glide.ldap.error.connection")) { var ldapConnError = GlideController.getGlobal("glide.ldap.error.connection"); if (GlideStringUtil.notNil(ldapConnError)) GlideSession.get().addErrorMessage(ldapConnError); } else if (request.getSession().getAttribute("glide.authenticate.local.login.method") == "certificate") { var message = GlideSysMessage.format("cert_login_invalid"); GlideSession.get().addErrorMessage(message); } else { var message = GlideSysMessage.format("login_invalid"); GlideSession.get().addErrorMessage(message); } } }

Additional Information

ServiceNow does not support custom scripts, including the above scripts/script modifications. All scripts in this article are suggestions only and customers should carefully test these customisations before deploying them.

In the ALTERNATIVE script, only the username/password branch applies the admin-role check; the `SNC.AuthenticationHelper.isMutualAuth()` branch still returns `user.getUser(userLoginName)` unchanged, so certificate (mutual authentication) logins, if enabled on the instance, are not restricted by this change. The same `get()`/`next()` and missing `var` issues described in the Resolution section also apply to the role check in this script.

To re-enable user access to the instance, just reverse the steps above: re-enable Multi-Provider SSO (if using that) and restore the original Login Installation Exit using the backup from step 2.