Help with ACL
yesterday - last edited yesterday
Hi Team,
I have created one custom role, and I want to provide read and write access to this role for all tables in ServiceNow.
I have created a Scripted REST API. In the Default ACL, I am using a custom ACL:
Type: REST_Endpoint
Operation: execute
Application: Custom application
Active: true
Decision Type: Allow if
Admin override: true
Protection Policy: None
Name: ACL for Custom API
Requires Role:
- rest_api_explorer.
As informed by ServiceNow support, we should use other roles as well in the ACL, other than rest_api_explorer. So I am planning to use a custom role. I want to add a custom role which has read and write access for all tables, because the Scripted REST API uses GlideRecordSecure.
Thanks in advance
yesterday
Hi @VirendraKuD
Granting “read & write on all tables” to a single role is almost the same as giving admin.
- This is not recommended unless you are working in a dev/test environment.
- In production, best practice is least privilege: only grant access to the exact tables your Scripted REST API needs.
That said, let me explain the possible approach better.
If you want your custom role (say, x_custom.api_user) to only access the tables your REST API needs:
- Go to System Security > Access Control (ACL).
- Create ACLs for each table (and operation: read, write, create, delete).
- Add your custom role to Requires Role.
- Example: incident.read → Requires role = x_custom.api_user.
- Example: incident.write → Requires role = x_custom.api_user.
- In your Scripted REST API, assign this role (x_custom.api_user) to the resource.
This way, your role can only touch the needed tables.
yesterday
Can I create these ACLs in a scoped application? Because I have one system table, sys_translated. Can I create a read role for this table from the scoped app?
Thanks
9 hours ago
Scoped applications can create ACLs only for tables in their own scope (e.g., x_yourapp_table).
If you try to create an ACL in your scoped app for a system/global table (like sys_translated, sys_user, incident, etc.), ServiceNow won’t let you — those ACLs live in the global scope.
Why? Scoped apps are meant to be modular and not interfere with global/system security.
Only global ACLs can control access to system tables.
9 hours ago
Hi @VirendraKuD
- ServiceNow doesn’t allow you to simply “give a role access to all tables” with one click.
- By default, table security is enforced through ACL rules.
- Since your Scripted REST API uses GlideRecordSecure, ACLs will always be checked.
If your goal is:
“A custom role that can call my Scripted REST API and access specific data inside it”
Then:
- Create a custom role, e.g., x_myapp.api_user.
- Add that role to your REST Endpoint ACL (rest_endpoint ACL → Requires Role = x_myapp.api_user).
- Create table-level ACLs for each table the API needs to touch (incident, sc_task, cmdb_ci, etc.).
  - Read: x_myapp.api_user
  - Write: x_myapp.api_user
If you found my response helpful, I would greatly appreciate it if you could mark it as "Accepted Solution" and "Helpful."
Your support not only benefits the community but also encourages me to continue assisting. Thank you so much!
Thanks and Regards
Ravi Gaurav | ServiceNow MVP 2025,2024 | ServiceNow Practice Lead | Solution Architect
CGI
M.Tech in Data Science & AI
YouTube: https://www.youtube.com/@learnservicenowwithravi
LinkedIn: https://www.linkedin.com/in/ravi-gaurav-a67542aa/
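Both answers above (the per-table ACL list in the first reply and the numbered steps in the last one) rest on how the platform picks which record ACL applies, and that is what makes "the role on every table" close to admin. The model below is an added illustration written for this page; it is not ServiceNow platform code and not anything the posters supplied. Its assumptions, which the thread does not state, are: rules are looked up on the specific table, then up its parent chain, then the wildcard `*`; the first level that has any rule for the operation is the one evaluated; any passing rule at that level grants; "Requires role" passes with at least one listed role; admin override lets `admin` through; no rule anywhere means deny. The role name `x_custom.api_user`, the table hierarchy and the baseline wildcard rules are constructed for the example.

```javascript
'use strict';
// Added model for this page, not ServiceNow platform code. It reproduces the
// ACL lookup order the answers rely on so the two role designs can be compared.
// Model assumptions (not stated on the page): rules are looked up on the
// specific table, then up its parent chain, then the wildcard '*'; the first
// level that has any rule for the operation is the one evaluated; any passing
// rule at that level grants; "Requires role" passes with at least one listed
// role (an empty list passes); admin override lets 'admin' through; no rule at
// any level means deny. Condition and script fields are not modelled.

// Constructed table hierarchy (child -> parent, null for a root table).
const TABLE_PARENTS = {
  incident: 'task',
  sc_task: 'task',
  task: null,
  cmdb_ci: null,
  sys_user: null,
  sys_translated: null,
};

// Most specific table first, then its parents, then the wildcard.
function tableChain(table) {
  const chain = [];
  for (let t = table; t; t = TABLE_PARENTS[t]) {
    chain.push(t);
  }
  chain.push('*');
  return chain;
}

// One "Allow if" record ACL: table, operation and the roles it requires.
function acl(table, operation, roles, opts) {
  return Object.assign(
    { table, operation, roles, active: true, adminOverride: true },
    opts || {},
  );
}

function rulePasses(rule, userRoles) {
  if (rule.adminOverride && userRoles.has('admin')) return true;
  if (rule.roles.length === 0) return true; // no role requirement at all
  return rule.roles.some((r) => userRoles.has(r));
}

// Decide one table-level operation for a user with the given role set.
function isAllowed(acls, table, operation, userRoles) {
  for (const level of tableChain(table)) {
    const rules = acls.filter(
      (r) => r.active && r.table === level && r.operation === operation,
    );
    if (rules.length === 0) continue; // nothing at this level: look at the parent
    return rules.some((r) => rulePasses(r, userRoles)); // stop here either way
  }
  return false; // no matching rule anywhere
}

// Every table in the catalog the user may perform `operation` on.
function allowedTables(acls, operation, userRoles) {
  return Object.keys(TABLE_PARENTS)
    .filter((t) => isAllowed(acls, t, operation, userRoles))
    .sort();
}

// Constructed baseline: wildcard rules that only admin passes.
const BASELINE = [acl('*', 'read', ['admin']), acl('*', 'write', ['admin'])];

const API_ROLE = 'x_custom.api_user'; // hypothetical role name

// Design A: what the question asks for, the role granted on the wildcard rules.
const BROAD_ACLS = BASELINE.concat([
  acl('*', 'read', [API_ROLE]),
  acl('*', 'write', [API_ROLE]),
]);

// Design B: what the answers recommend, per-table rules for what the API needs.
const LEAST_ACLS = BASELINE.concat([
  acl('incident', 'read', [API_ROLE]),
  acl('incident', 'write', [API_ROLE]),
]);

const apiUser = new Set([API_ROLE]);
console.log('broad read  :', allowedTables(BROAD_ACLS, 'read', apiUser).join(', '));
console.log('least read  :', allowedTables(LEAST_ACLS, 'read', apiUser).join(', '));
console.log('least write :', allowedTables(LEAST_ACLS, 'write', apiUser).join(', '));
console.log('least sys_user read:', isAllowed(LEAST_ACLS, 'sys_user', 'read', apiUser));
```

Run with `node`: under design A the role reads and writes every table in the catalog, sys_user included, which is the "almost admin" point made above; under design B it reaches only incident, and a user holding some other role is refused at the incident level rather than falling through to the wildcard. The real engine also evaluates the Condition and Script fields and the field-level rules (`table.field`, `table.*`), and the REST_Endpoint `execute` ACL is a separate check in front of all of this; none of that is in the model.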