What is automatic user creation in ServiceNow?
ServiceNow offers an automated user creation feature using the System Property glide.pop3readerjob.create_caller. This property manages the creation of new users based on predefined user domains set by the System Administrator. This automation is particularly beneficial for seamlessly integrating external users into the platform, streamlining the process, saving time, and enhancing communication within the portal.
Administrators have the ability to configure an email property for the automatic creation of users through incoming emails. This involves the administrator providing a list of trusted domains to ensure that only users from these domains are automatically created.
Why is this an issue?
While this automation brings numerous benefits, it also poses potential security threats. Malicious actors could exploit this feature to engage in email spam, unauthorized user creation, and create issues with licensing.
Additionally, depending on the instance size, filtering may become challenging even with the added layer of trusted domains.
How do I fix it?
To fix this issue, it is necessary to set the glide.pop3readerjob.create_caller property to false in the Email Properties. To do so, follow these steps:
In the Filter Navigator, go to System Properties > Email Properties.
On the list view, look for "Automatically create users for incoming emails from trusted domains?" and uncheck the box.
Now, with the property glide.pop3readerjob.create_caller configured as false, the instance executes inbound actions from users who do not correspond to an existing user by assuming the identity as a Guest User.