
ACL Exception Delete Failed due to security constraints (sys_user_grmember, sys_user_has_role)

Vinicius5
Tera Contributor

Hey guys!

I would like to ask you a question. I have a user who has the roles "user_admin" and "sn_si.manager", which are the ACL roles that allow a user to perform a DELETE on sys_user_grmember and sys_user_has_role (my understanding). However, when I try to make a DELETE request through the Table API, I receive the following response when the sys_id sent in the request is from a group or user that contains the role "itil". Here's the response:


HTTP StatusCode: 403

{
  "error": {
    "message": "Operation Failed",
    "detail": "ACL Exception Delete Failed due to security constraints"
  },
  "status": "failure"
}


Do you know what it could be? Even if I add the roles "itil" and "itil_admin" to the request user, the error continues to occur.


Note: There are no other DELETE ACLs for these tables that are active.


Edit:

I just realized that the user I'm getting the error under is the SailPoint connector service account (https://documentation.sailpoint.com/connectors/identityiq/servicenow/igc/help/integrating_snow_ident...); it originally contained just the roles created for the ACLs that were created to satisfy this user on the sys_user_grmember and sys_user_has_role tables. It was working correctly a few weeks ago, and nothing was changed in the user, their roles, or the ACLs of these tables. No new ACLs were created.

I even looked at the troubleshooting available in the connector documentation and the configuration was already correct: https://documentation.sailpoint.com/connectors/identityiq/servicenow/igc/help/integrating_snow_ident...

I think I'm seeing the same error described in this other post: https://www.servicenow.com/community/developer-forum/sailpoint-identity-governance-getting-403-respo...


Jaspal Singh
Mega Patron

Hi Vinicius,

For deleting from sys_user_has_role you will need to change Inherited to False and then attempt the deletion.

Doesn't work 😕 I updated the description of my issue.

Ankur Bawiskar
Tera Patron

@Vinicius5

The API user you are using should satisfy the table-level DELETE ACL.

When you test the Table API as admin, what does it show?

Regards,
Ankur
✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader

@Ankur Bawiskar, it works with the admin user. I just realized that the user I'm getting the error under is the SailPoint connector service account (https://documentation.sailpoint.com/connectors/identityiq/servicenow/igc/help/integrating_snow_ident...); it originally contained just the roles created for the ACLs that were created to satisfy this user on the sys_user_grmember and sys_user_has_role tables. It was working correctly a few weeks ago, and nothing was changed in the user, their roles, or the ACLs of these tables. No new ACLs were created.


I even looked at the troubleshooting available in the connector documentation and the configuration was already correct: https://documentation.sailpoint.com/connectors/identityiq/servicenow/igc/help/integrating_snow_ident...
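The exchange above boils down to one check: issue the same Table API DELETE as the service account and as admin, and if only admin succeeds, compare the roles the active delete ACLs on that table require with the roles the service account actually holds. The script below does that; it is an added example, not code from this thread or from the SailPoint connector. The endpoints are the standard Table API (DELETE /api/now/table/<table>/<sys_id>, plus reads of sys_security_acl, sys_security_acl_role and sys_user_has_role). The instance URL, the two credentials, the sys_id, the role names and the canned answers in fake_transport are all constructed so the script runs offline; to run it against a real instance, pass a transport that wraps urllib or requests and returns (status, body).

```python
"""Diagnose a ServiceNow Table API 403 'ACL Exception Delete Failed'.
Added example for this thread; instance, credentials, sys_ids and the
canned responses in fake_transport are constructed (offline stand-in)."""
import base64
import json
from urllib.parse import urlencode

def basic_auth(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Accept": "application/json", "Authorization": f"Basic {token}"}

def classify_delete(status, body):
    """Map a DELETE /api/now/table/<table>/<sys_id> response to a verdict."""
    if status == 204:
        return "deleted"
    if status == 403:
        try:
            detail = json.loads(body)["error"]["detail"]
        except (ValueError, KeyError, TypeError):
            detail = ""
        return "acl_denied" if "ACL Exception" in detail else "forbidden"
    if status == 404:
        return "not_found"
    return f"unexpected_{status}"

def delete_record(transport, instance, table, sys_id, creds):
    url = f"{instance}/api/now/table/{table}/{sys_id}"
    return classify_delete(*transport("DELETE", url, basic_auth(*creds)))

def query(transport, instance, table, creds, **params):
    url = f"{instance}/api/now/table/{table}?" + urlencode(params)
    status, body = transport("GET", url, basic_auth(*creds))
    if status != 200:
        raise RuntimeError(f"GET {table} -> HTTP {status}")
    return json.loads(body)["result"]

def delete_acls(transport, instance, table, admin):
    """Active record-level delete ACLs on `table` and the roles each lists."""
    acls = query(transport, instance, "sys_security_acl", admin,
                 sysparm_query=f"name={table}^operation=delete^active=true",
                 sysparm_fields="sys_id,condition,script")
    out = []
    for acl in acls:
        rows = query(transport, instance, "sys_security_acl_role", admin,
                     sysparm_query=f"sys_security_acl={acl['sys_id']}",
                     sysparm_fields="sys_user_role", sysparm_display_value="true")
        out.append({"sys_id": acl["sys_id"],
                    "roles": {r["sys_user_role"]["display_value"] for r in rows},
                    "has_condition": bool(acl.get("condition") or acl.get("script"))})
    return out

def user_roles(transport, instance, user_name, admin):
    rows = query(transport, instance, "sys_user_has_role", admin,
                 sysparm_query=f"user.user_name={user_name}",
                 sysparm_fields="role", sysparm_display_value="true")
    return {r["role"]["display_value"] for r in rows}

def diagnose(transport, instance, table, user_name, admin):
    """Do the user's roles alone explain the denial? A delete passes if any
    matching ACL passes; an ACL passes when the user holds at least one of its
    roles and its condition/script (if any) is true, which roles cannot show."""
    have = user_roles(transport, instance, user_name, admin)
    report = [dict(a, role_ok=not a["roles"] or bool(a["roles"] & have))
              for a in delete_acls(transport, instance, table, admin)]
    if not report:
        verdict = "no_table_level_delete_acl"        # falls through to parent/'*' ACLs
    elif any(a["role_ok"] and not a["has_condition"] for a in report):
        verdict = "roles_pass_an_unconditional_acl"  # look elsewhere (rules, caching)
    elif any(a["role_ok"] for a in report):
        verdict = "check_condition_or_script"
    else:
        verdict = "missing_role"
    return {"user_roles": have, "acls": report, "verdict": verdict}

def fake_transport(method, url, headers):
    """Constructed stand-in for an instance; answers only the calls made above."""
    as_admin = headers["Authorization"] == basic_auth("admin", "admin-pw")["Authorization"]
    if method == "DELETE":
        if as_admin:
            return 204, b""
        return 403, json.dumps({"error": {"message": "Operation Failed",
                    "detail": "ACL Exception Delete Failed due to security constraints"},
                    "status": "failure"}).encode()
    if "/table/sys_security_acl?" in url:        # one constructed ACL: user_admin + a condition
        return 200, json.dumps({"result": [{"sys_id": "acl1", "condition": "inherited=false", "script": ""}]}).encode()
    if "/table/sys_security_acl_role?" in url:
        return 200, json.dumps({"result": [{"sys_user_role": {"display_value": "user_admin", "link": ""}}]}).encode()
    if "/table/sys_user_has_role?" in url:       # the service account's roles, as in the post
        return 200, json.dumps({"result": [{"role": {"display_value": "user_admin", "link": ""}},
                                           {"role": {"display_value": "sn_si.manager", "link": ""}}]}).encode()
    return 404, b""

if __name__ == "__main__":
    inst, svc, adm = "https://example.service-now.com", ("sailpoint_svc", "svc-pw"), ("admin", "admin-pw")
    print("service account:", delete_record(fake_transport, inst, "sys_user_has_role", "abc123", svc))
    print("admin:", delete_record(fake_transport, inst, "sys_user_has_role", "abc123", adm))
    print(json.dumps(diagnose(fake_transport, inst, "sys_user_has_role", "sailpoint_svc", adm), indent=2, default=sorted))
```

Two caveats when running this for real. The admin DELETE really removes the record, so test it on a throwaway membership or role grant, not the one the connector is trying to remove. And a "roles_pass_an_unconditional_acl" verdict only rules out the table's own delete ACLs: the wildcard ("*") ACLs, an ACL condition or script that inspects the record (for sys_user_has_role, an inherited grant is the obvious candidate, which is what Jaspal's reply points at), and non-ACL blockers such as business rules are outside what role data can tell you.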