
How to control REST API POST/PATCH access?

Community Alums
Not applicable

Hi Experts,
I have a requirement to not allow a user to insert/modify a particular field directly with the REST API (not a scripted REST API, just the Table API), meaning via PUT, PATCH or POST, but still allow read access, and also allow the user's other actions via the REST API to trigger a business rule to update/insert this particular field (some kind of read-only access via the REST API).

I could not figure out how to implement this. Has anyone implemented something similar, or does anyone have any suggestions?

Is it possible?

 

Thanks a lot!

Jerry

1 ACCEPTED SOLUTION

Hi @Community Alums 

Again: The table API is following the existing ACLs. If you don't want a certain user to update a field, implement a field level ACL to restrict this.

Maik


8 REPLIES

Hi @Community Alums 

"If the user is not allowed to write on, say, this field A by ACL, do you think the user would be able to modify other field B which fires a business rule to update this field A?"

--> As far as I understand your requirement, it should work exactly that way.

Maik
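One way to verify the behaviour discussed above on a test record, as an added example that is not part of any post in this thread: the probe attempts a direct Table API write to the protected field, then a write to a second field, and compares what is actually stored. The field names `u_field_a` and `u_field_b`, the business rule copying one into the other, and the `fakeInstance` stand-in are assumptions made for illustration.

```javascript
// Added example: probe whether a field-level write ACL holds on the Table API.
// Assumed names (not from the thread): u_field_a (protected), u_field_b (trigger).
async function probeFieldAcl(http, { base, table, sysId, protectedField, triggerField }) {
  const url = `${base}/api/now/table/${table}/${sysId}`;
  const read = async () =>
    (await http('GET', `${url}?sysparm_fields=${protectedField}`)).body.result?.[protectedField];
  const before = await read();                 // read access must still work
  const marker = `probe-${Date.now()}`;
  await http('PATCH', url, { [protectedField]: marker });   // direct write attempt
  const afterDirect = await read();
  await http('PATCH', url, { [triggerField]: marker });     // write that fires the rule
  const afterTrigger = await read();
  // Compare stored values instead of trusting HTTP status codes.
  return {
    readable: before !== undefined,
    directWriteBlocked: afterDirect === before,
    ruleStillUpdates: afterTrigger !== afterDirect,
  };
}

// Real transport: basic auth as the restricted test user (Node 18+ global fetch).
function fetchTransport(user, password) {
  const auth = 'Basic ' + Buffer.from(`${user}:${password}`).toString('base64');
  return async (method, url, body) => {
    const res = await fetch(url, {
      method,
      headers: { Authorization: auth, Accept: 'application/json',
                 'Content-Type': 'application/json' },
      body: body ? JSON.stringify(body) : undefined,
    });
    return { status: res.status, body: await res.json() };
  };
}

// Constructed stand-in for an instance so the probe runs offline: fields the
// caller may not write are ignored; a business rule copies u_field_b to u_field_a.
function fakeInstance(writable) {
  const rec = { u_field_a: 'old', u_field_b: '' };
  return async (method, url, body = {}) => {
    for (const [k, v] of Object.entries(body)) {
      if (method === 'PATCH' && writable.includes(k)) rec[k] = v;
    }
    if (method === 'PATCH' && 'u_field_b' in body && writable.includes('u_field_b')) {
      rec.u_field_a = `from:${rec.u_field_b}`;   // runs server-side, outside the ACL
    }
    return { status: 200, body: { result: { ...rec } } };
  };
}
```

Against a real instance, pass `fetchTransport(user, password)` as `http` and point `sysId` at a disposable record, since the probe overwrites both fields.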

Community Alums
Not applicable

Maik,

 It is also not about the record, it is about the one particular field we want to implement such control.

Thanks!

 

Jerry

Community Alums
Not applicable

Hi Maik,

 That will NOT work, since that will stop the business rule from updating this field, which is fired by the user's modification of another field with the Table API.

 Any other idea?

 

Thanks!

Jerry

Dan Covic2
Tera Contributor

So, the question is whether it is possible to implement control over one particular field and not over the entire record via REST API.

 

Yes, it is possible to implement control over one particular field and not over the entire record via the Table API. One way is to use the sysparm_fields parameter to specify a comma-delimited list of fields to include in the response. Alternatively, you can use dot-walking to access fields on related tables from a form, list, or script. For example, if you want to query the incident table for only the names of the callers, you can use this URL template:

 

https://YOURINSTANCENAME.service-now.com/api/now/v1/table/incident?sysparm_fields=caller_id.name

This will return a JSON object with only the caller_id.name field for each incident record. You can also use dot-walking in scripts to access or update fields on related tables. For more information on dot-walking, you can refer to this article