How to prevent REST API from updating a field in Incident table

vidhya_mouli
Giga Sage

I am new to using REST API.

I have a requirement where I have to prevent REST API from updating assigned_to in the incident table via (when assigned_to is already present).

I wrote the following before BR:

(function executeRule(current, previous /*null when async*/ ) {
   
    gs.log("Business Rule Triggered - Interactive: " + gs.isInteractive() + ", Web Service: " + gs.getSession().isWebServiceSession());

    // Check if the 'Assigned to' field is being updated and if it already has a value
    if (current.assigned_to.changes() && !gs.nil(current.assigned_to)) {
        gs.log("Assigned to field is changing and has a value.");

        // Check if the request is coming from a web service or REST API
        if (gs.getSession().isWebServiceSession()) {
            gs.log("Request made from Web Service/API.");
            gs.addErrorMessage('You cannot update the "Assigned to" field via web services.');
            current.assigned_to = previous.assigned_to; // Revert to the previous value
        }
    }
})(current, previous);

 

 

However, when I tested this via the REST API Explorer, the BR is not getting triggered. How can I resolve this and test it?


Robbie
Kilo Patron

Hi @vidhya_mouli,

 

Is this a REST API that you have made available or that has been written on and available on your instance or the OOB (Out Of Box) table API?

Essentially, ACLs or Data Policies, which are executed and blocked server side, can help you here.

 

You can implement a Data Policy on the specific field on the incident/task table or ACL where you can specify if Web Service Accounts or specific users can write to this field.

Let me know if you need more info or help - here's a link to Data Policies:

 

https://developer.servicenow.com/dev.do#!/learn/courses/washingtondc/app_store_learnv2_scripting_was...

 

To help others (or for me to help you more directly), please mark this response correct by clicking on Accept as Solution and/or Kudos.



Thanks, Robbie

Hajar BENJAHHAR
Mega Sage

Hello @vidhya_mouli,

In the script shared, gs.getSession().isWebServiceSession() is returning an undefined value, which is causing the business rule to not work as you expect.

If you need to prevent modifications to the Assigned to field for all APIs, you can retrieve the user and verify whether Web Service Access Only is checked (true); if so, the previous value of Assigned to will be the current value (as you did).

For the case where you want to restrict modification of the Assigned to field for a specific API using the PUT or PATCH method, I suggest simply omitting the mapping of the assigned_to field. This approach is more straightforward and efficient.

 

Best regards, 

Hajar
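
The user-flag check described in the reply above, written as a before-update business rule on incident; this is an added example, not code from the thread. The helper name mustBlockAssignedTo is hypothetical, and it tests the previous value of assigned_to because the requirement is to protect a field that is already populated.

```javascript
// Added example (not from the thread). The decision is a pure function so it
// can be unit-tested outside the instance; the helper name is hypothetical.

// Returns true when the write to assigned_to must be rejected.
//   prevAssignee / newAssignee: sys_id strings ('' when the field is empty)
//   wsOnly: the caller's sys_user "Web service access only" flag
function mustBlockAssignedTo(prevAssignee, newAssignee, wsOnly) {
    var alreadyAssigned = !!prevAssignee;         // field had a value before this update
    var changing = prevAssignee !== newAssignee;  // also true when the field is cleared
    // Boolean fields can surface as true, 'true' or '1' depending on the accessor
    var isIntegrationUser = wsOnly === true || wsOnly === 'true' || wsOnly === '1';
    return alreadyAssigned && changing && isIntegrationUser;
}

// Body of a before-update business rule on the incident table.
function executeRule(current, previous) {
    var caller = new GlideRecord('sys_user');
    // If the caller record cannot be read, the flag is unknown and nothing is blocked
    var wsOnly = caller.get(gs.getUserID())
        ? caller.getValue('web_service_access_only')
        : null;

    var block = mustBlockAssignedTo(
        previous.assigned_to.toString(),
        current.assigned_to.toString(),
        wsOnly);

    if (block) {
        gs.log('Blocked assigned_to change on ' + current.number +
               ' by ' + caller.getValue('user_name'));
        current.assigned_to = previous.assigned_to; // revert, as in the original rule
    }
}

// On the instance the rule engine supplies gs, current and previous;
// anywhere else this guard keeps the file loadable without them.
if (typeof gs !== 'undefined' && typeof current !== 'undefined') {
    executeRule(current, previous);
}
```

The flag identifies integration accounts rather than the request channel, so a regular user calling the Table API with their own credentials is not caught by this check.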