yesterday
Will it be run under the system credential or the caller's credential? Or are both possible, depending on the settings? What indicates the settings?
What's the difference when I check "Requires authentication" and "Requires ACL authorization" in the Scripted REST resource?
Thanks.
22 hours ago
Hi @Lisa71 ,
In a Scripted REST API, the script can run using either the system account or the user’s account, depending on the settings. If you select “Requires authentication,” the API needs valid user credentials, and the script runs as that user. If you also select “Requires ACL authorization,” ServiceNow will check the user’s table and field permissions (ACLs) before allowing access. If you only check “Requires authentication,” the script runs as the user but can still bypass ACLs. And if you don’t require authentication at all, the script runs as the system user and anyone can call it. In short, “Requires authentication” controls who is calling, while “Requires ACL authorization” controls what they can access.
22 hours ago - last edited 21 hours ago
Hi @Lisa71 ,
If the credentials are a password, it will run as the user.
If no authentication is required, the script runs in the context of a "Guest" user.
Example:
I have created a sample Scripted REST API which creates an incident.
Called the API without credentials.
When no credentials are opted, it runs the API with Guest user permissions.
Please mark my answer as helpful/correct if it resolves your query.
Regards,
Chaitanya
21 hours ago - last edited 21 hours ago
It will run in the session of the user whose credentials the 3rd party is using, either Basic or OAuth 2.0.
If no credentials are used, then as mentioned by @Chaitanya ILCR -> it is the guest user (not a recommended practice).
Requires Authentication -> Blocks unauthenticated/anonymous access
Requires ACL Authorization -> Enforces ACL security on REST endpoint
💡 If my response helped, please mark it as correct ✅ and close the thread 🔒— this helps future readers find the solution faster! 🙏
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
19 hours ago
Thanks. So if "Requires authentication" is not checked, then the Scripted REST API will be run under "system" privilege, meaning it can do anything with high privilege, right?
19 hours ago
Hi @Lisa71 ,
Exactly, but always keep “Requires authentication” checked for APIs that access sensitive data.
If you found my solution helpful, please mark it as Helpful or Accepted Solution...!
thanks,
tejas
Email: adhalraotejas1018@gmail.com
LinkedIn: https://www.linkedin.com/in/tejas1018
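
One way to check which user a Scripted REST resource actually runs as under each checkbox combination discussed above, as an added example that is not code from any poster in this thread. `describeContext` is a hypothetical helper and `incident` is only a sample table; `gs`, `GlideRecord`, `GlideRecordSecure` and `response.setBody` are the platform's server-side APIs.

```javascript
// Added diagnostic (not from the thread): body of a Scripted REST resource.
// Reports who the script runs as and whether ACLs limit what it can read.
// describeContext and the 'incident' table are illustrative choices.
function describeContext(gs, PlainRecord, SecureRecord, table) {
  // Count the rows (capped at 50) visible through the given record class.
  function visibleRows(RecordClass) {
    var gr = new RecordClass(table);
    gr.setLimit(50);
    gr.query();
    var n = 0;
    while (gr.next()) { n++; }
    return n;
  }
  var plain = visibleRows(PlainRecord);   // GlideRecord: script-level read, no ACL check
  var secure = visibleRows(SecureRecord); // GlideRecordSecure: ACLs of the session user apply
  return {
    user_name: String(gs.getUserName()),  // the account the script executes as
    user_sys_id: String(gs.getUserID()),
    logged_in: Boolean(gs.isLoggedIn()),
    is_admin: Boolean(gs.hasRole('admin')),
    rows_without_acl: plain,
    rows_with_acl: secure,
    acl_hides_rows: secure < plain        // true when ACLs hide rows the script can read
  };
}

// Inside ServiceNow these globals exist; anywhere else this wrapper is skipped.
if (typeof gs !== 'undefined' && typeof GlideRecordSecure !== 'undefined') {
  (function process(request, response) {
    response.setBody(describeContext(gs, GlideRecord, GlideRecordSecure, 'incident'));
  })(request, response);
}
```

Call the resource once with credentials and once without on a sub-production instance and compare `user_name` and the two row counts, then delete the resource.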
