Have others removed any roles from the ITIL role? (example: snc_platform_rest_api_access)
4 hours ago - last edited 4 hours ago
The ITIL role is a powerful role. Out-of-the-box it actually contains MANY other roles as documented here:
https://www.servicenow.com/docs/r/platform-administration/user-administration/r_BaseSystemRoles.html
Has anyone chosen to remove some of those underlying roles from the ITIL role?
In particular, the one that concerns us is the snc_platform_rest_api_access role. Does an ITIL user who is only ever in the UI really need this role?
My concern is that this role allows for any ITIL user to be able to interact with the platform external to the UI via APIs. The description on the snc_platform_rest_api_access role states:
Allows access to Platform Rest APIs
- Table API
- Import Set API
- Aggregate API
- Attachment API
Is it safe to remove this role from the ITIL role? I just don't know if this is inherent to underlying functionality the user needs within the UI, OR, is this for hitting API endpoints external to the UI? (the latter is what we don't want to grant to all our ITIL users.)
4 hours ago
Hi @GoBucks ,
similar post
I think it is just replacing the role rest_service, and they would have included it with the itil role so that users don't have to provide this role explicitly to the integration accounts, as opposed to rest_service, which needed to be granted explicitly as it was not contained by any other roles. Most organizations use SSO, and users might not be aware of their password and won't use their password to call the APIs; this could be the reason they would add it to itil.
Please mark my answer as helpful/correct if it resolves your query.
Regards,
Chaitanya
4 hours ago - last edited 3 hours ago
The snc_platform_rest_api_access role provides user access to all the Platform REST APIs.
If you remove the mentioned role from ITIL, it means an itil user would not be able to use REST APIs like the Table API and Import Set API any more.
Related post: https://www.servicenow.com/community/developer-forum/will-removing-the-snc-platform-rest-api-access-...
Note: Check whether the MID Server user has the snc_platform_rest_api_access role after removing it from itil; otherwise MID Server functionality would be impacted.
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1650667
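An added example, not part of the thread and not ServiceNow's own code: an offline check over exported role data that shows which accounts would lose snc_platform_rest_api_access if itil stopped containing it, and which keep it through another grant. The rows are constructed; the user names and the x_desk_lead role are hypothetical, and the row shapes assume exports of sys_user_role_contains and of directly granted sys_user_has_role rows.

```javascript
// Constructed sample data (not from a real instance). Row shapes assume an
// export of sys_user_role_contains and of directly granted sys_user_has_role rows.
const roleContains = [
  { role: 'itil', contains: 'snc_platform_rest_api_access' },
  { role: 'x_desk_lead', contains: 'itil' }, // hypothetical custom role
];
// Hypothetical users mapped to their directly granted roles. mid_server is
// modelled here with no contained roles; check your own instance.
const directGrants = {
  'agent.ui': ['itil'],
  'lead.desk': ['x_desk_lead'],
  'svc.mid': ['mid_server', 'itil'],
  'svc.integration': ['itil', 'snc_platform_rest_api_access'],
  'requester.only': [],
};

// Expand direct grants into the full effective role set (transitive closure).
function effectiveRoles(direct, contains) {
  const seen = new Set();
  const stack = [...direct];
  while (stack.length > 0) {
    const role = stack.pop();
    if (seen.has(role)) continue; // also guards against containment cycles
    seen.add(role);
    for (const row of contains) {
      if (row.role === role) stack.push(row.contains);
    }
  }
  return seen;
}

// Report who loses `child` and who keeps it if `parent` stops containing it.
function removalImpact(parent, child, contains, grants) {
  const after = contains.filter(r => !(r.role === parent && r.contains === child));
  const report = { loses: [], keeps: [] };
  for (const [user, roles] of Object.entries(grants)) {
    if (!effectiveRoles(roles, contains).has(child)) continue; // never had it
    const bucket = effectiveRoles(roles, after).has(child) ? 'keeps' : 'loses';
    report[bucket].push(user);
  }
  return report;
}

const report = removalImpact('itil', 'snc_platform_rest_api_access', roleContains, directGrants);
console.log(report);
```

Any account listed under `loses` that calls the Table or Import Set API, such as the MID Server user in this sample, needs the role granted directly before the containment is removed.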
3 hours ago
Hi @GoBucks
I'd suggest that removing one role from ITIL isn't the best way to approach this.
From a security, governance, and zero-trust perspective, it's better to only assign the ITIL role to those who absolutely need it, and assign a different role, or create a new (more restrictive) role for others who don't need full ITIL access.
Abusing API access is just one of many ways someone with the ITIL role could cause problems.
an hour ago
Hi @GoBucks
I agree with @Simon Hendery, also because I have had the same thoughts for a long time. For now, I would rather see that you create your own role with the granular ITIL roles (Incident_read, Incident_write, and so on). The question will then be what the impact could be with regard to the Subscription Management application, etc.
I have not made a full conclusion yet, but if you have any suggestions here @Simon Hendery , I will be happy to hear them 🙂
If my answer has helped with your question, please mark my answer as the accepted solution and give a thumbs up.
Best regards
Anders
Rising star 2024
MVP 2025
linkedIn: https://www.linkedin.com/in/andersskovbjerg/
