How does authorization work in Table REST APIs in ServiceNow?
12-03-2024 01:48 PM
Hello friends,
I would like to understand how user authorization works in ServiceNow REST Table APIs. I was under the impression that ACLs are not honored while querying, and that it's only the query or the Query Business Rule that filters the records based on the defined condition, as in the case of GlideRecord vs GlideRecordSecure. But it looks like this is not the case.
Please clarify and help me in understanding how Table REST APIs function.
Thanks,
Rahul
12-03-2024 10:42 PM
Hi @RahulY00040 ,
ACLs will always be honored when you are doing any CRUD operation. If you are reading data from a table using GR, the system first checks whether you have access or not. If not, it will throw an error like insufficient access; if you do have access, the second check the system does is the query business rule.
Regards
Runjay Patel - ServiceNow Solution Architect
01-13-2025 06:22 AM
Hi @Runjay Patel, I don't think that ACLs are honored while using GlideRecord(). They are when we use GlideRecordSecure(). So, I am checking to see if all (table + row level) ACLs are applied as part of REST API execution. Will keep you updated.
Thanks,
Rahul
01-11-2025 12:56 PM
Hey!
In ServiceNow, Table REST APIs enforce Access Control Lists (ACLs) to control user access. ACLs check the user’s roles and conditions to decide if they can view or edit records and fields. If the user doesn’t meet the criteria, the request is denied. Additionally, Query Business Rules can further filter or modify the data returned by the API. This ensures secure and restricted access to data.
01-13-2025 06:20 AM
Thanks for your response @lastreaction122. When we say ACLs, all ACLs are applied before returning the data. I mean row level ACLs are also applied in addition to table level ACLs. I am going to check.
Also, what's the order of processing:
1. ACLs first or Query Before Business Rule: my understanding is it only checks the ACL at table level first (similar to canRead()) and then applies the QBR. If this is the case, how about the row level ACL, when is it applied?
Thanks,
Rahul
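
One way to run the check discussed in this thread, as an added example that is not part of any poster's reply: send the same Table API query as a privileged user and as a restricted user, then diff the two JSON bodies. The instance hostname, the sample records, and the assumption that an unreadable field comes back absent or empty are illustrative, not taken from the thread.

```python
import base64
import json
import urllib.request
from urllib.parse import urlencode


def table_api_url(instance, table, query="", fields=(), limit=100):
    """Build a GET /api/now/table/{table} URL from the standard sysparm_* parameters."""
    params = {"sysparm_limit": limit}
    if query:
        params["sysparm_query"] = query
    if fields:
        params["sysparm_fields"] = ",".join(fields)
    return f"https://{instance}/api/now/table/{table}?{urlencode(params)}"


def fetch(url, user, password):
    """Fetch a Table API response body as one user (basic auth); not called here."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Authorization": f"Basic {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def compare_visibility(privileged_body, restricted_body):
    """Diff two bodies returned for the same URL to two different users."""
    priv = {r["sys_id"]: r for r in json.loads(privileged_body)["result"]}
    rest = {r["sys_id"]: r for r in json.loads(restricted_body)["result"]}
    withheld = {}
    for sys_id in priv.keys() & rest.keys():
        # Assumption: a field the restricted user cannot read is absent or empty.
        gone = sorted(f for f, v in priv[sys_id].items()
                      if v != "" and rest[sys_id].get(f, "") == "")
        if gone:
            withheld[sys_id] = gone
    return {
        "rows_hidden": sorted(priv.keys() - rest.keys()),
        "rows_only_restricted": sorted(rest.keys() - priv.keys()),
        "fields_withheld": withheld,
    }


# Constructed sample bodies (not real instance data): same query, two users.
ADMIN_BODY = json.dumps({"result": [
    {"sys_id": "a1", "number": "INC0000001", "work_notes": "internal"},
    {"sys_id": "b2", "number": "INC0000002", "work_notes": "internal"},
]})
LIMITED_BODY = json.dumps({"result": [
    {"sys_id": "a1", "number": "INC0000001", "work_notes": ""},
]})
```

The diff shows that rows or fields were withheld, not which mechanism withheld them; to separate a row-level ACL from a Query Business Rule, repeat the comparison on a sub-production instance with the business rule deactivated.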