Default ACL for REST API?

Sindhu B1
Giga Expert

Hi all,

What is the default ACL for REST API?

Thanks,

1 ACCEPTED SOLUTION

No, by default there are no ACLs and any user could execute it if they know the REST endpoint. The Table API can access any tables, but scripted APIs can only access those which your script allows in it.


5 REPLIES

Alikutty A
Tera Sage

Hello,

By default, if you have a user ID and password, then the REST API allows you to access any tables in ServiceNow if the instance ACLs allow them to access it. In order to achieve more security, the scripted REST APIs have included an additional level of security with the Default ACLs. You can create a new ACL for each of your externally facing APIs, and the users can only access the API if they have a valid user ID, password and the ACL specified in the API.

Please refer to this link on how to set it up:

https://docs.servicenow.com/bundle/london-application-development/page/integrate/custom-web-services/task/t_WbSvcRqACL.html

Thanks! 

Hi Ali,

Do you mean there is no default ACL for REST APIs, right? The API can access any tables.

All tables, including base system tables, global tables, and scoped tables are accessible via web services by default.

You must fulfill any other web service security requirements, such as basic authentication and ACLs to access tables via web services.

You can control direct web service access to tables using the Allow access to this table via web services check box on the table application access settings. This check box must be selected to allow web service interaction with the table.

Note: The application access fields controlling CRUD operations, such as Can read or Can create, do not apply to web service requests.
