Impersonation in Scripted REST APIs is not working as expected
03-14-2023 07:20 AM
Hello,
We have an integration between ServiceNow and a chat application inside of our organization.
Currently the integration connects to both sides (chat and ServiceNow) through their APIs; the connection to the ServiceNow API uses admin credentials, therefore any user who uses the integrated chatbot we built can access any resource the chatbot offers.
We want to add a security layer which will limit users to accessing only the resources they have permission to access in ServiceNow according to their roles.
We don't want users to provide their ServiceNow credentials so that we can use the API on their behalf, as it would not be secure to store their credentials on our end.
Therefore, the implementation we are trying to achieve is a Scripted REST API which acts as a kind of classifying gateway to the resource: the requesting user's ID is sent in the request headers of the Scripted REST API, the script impersonates that user and retrieves the resource on the user's behalf, and based on the user's permissions the Scripted REST API returns in the response only the data the impersonated user has access to.
We tried creating this and succeeded in impersonating the user with
// GlideImpersonate is a global-scope platform class; the session becomes that of the given user
var impUser = new GlideImpersonate();
impUser.impersonate("test");
or with
// Same effect via the current session object
var myUser = gs.getSession().impersonate('test');
and after the impersonation command we tried retrieving the data with GlideRecord as a user with insufficient permissions to access this incident, and we still got a response containing this incident, which the impersonated user does not have access to; meaning the impersonation does not prevent GlideRecord from returning resources even though the user does not have access to them.
// Query for the user data that the requesting user has access to
// (runs after the impersonation call above, so the session user is 'test')
var now_GR = new GlideRecord('incident');
now_GR.addQuery('number', 'INC0010081');
now_GR.query();
while (now_GR.next()) {
    // Logged for every row returned, regardless of the session user's read access
    gs.log(now_GR.getValue('number') + ' exists');
}
What do you suggest to accomplish this type of classification, or another implementation which will help us restrict resources according to role-based permissions?
Thank you and best regards,
lion
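The behaviour described in the post, as an added example that is not part of the original post or the platform's own code: in server-side scripts, GlideRecord never consults ACLs, impersonated or not, which is why the incident still comes back. GlideRecordSecure is the ACL-enforcing variant (it skips rows the session user cannot read and blanks fields they cannot read), and canRead() on a GlideRecord row reports the same decision. The resource script below impersonates the user named in a request header, reads through GlideRecordSecure, and always reverts the session in a finally block. Assumptions: the header name X-Requesting-User, the resource path parameter number, the helper names, and the constructed sample rows and users (whose sys_ids are simply "admin" and "test"). The stand-in for gs, GlideRecord and GlideRecordSecure at the top is constructed so the block runs offline under Node; on an instance those globals already exist and that block is skipped.

```javascript
// Added example, not the poster's code. ES5 so it also runs under ServiceNow's Rhino engine.
(function installFakePlatform() {
  if (typeof gs !== 'undefined') return;        // real instance: platform globals already exist
  // Constructed sample data: a row's read ACL is modelled as the list of roles that may read it.
  var rows = { incident: [
    { number: 'INC0010081', short_description: 'VPN outage',  read_roles: ['itil'] },
    { number: 'INC0010082', short_description: 'Printer jam', read_roles: [] }      // readable by anyone
  ] };
  var roles = { admin: ['admin', 'itil'], test: [] };   // constructed users; 'test' holds no roles
  var current = 'admin';                                // the integration account the API runs as
  globalThis.gs = {
    getUserID: function () { return current; },
    hasRole: function (r) { var mine = roles[current] || []; return mine.indexOf(r) !== -1 || mine.indexOf('admin') !== -1; },
    getSession: function () {
      return { impersonate: function (u) { var prev = current; current = u; return prev; } };
    }
  };
  function GlideRecord(table) { this.table = table; this.filters = {}; this.rows = []; this.i = -1; }
  GlideRecord.prototype.addQuery = function (f, v) { this.filters[f] = v; };
  GlideRecord.prototype.query = function () {
    var filters = this.filters;
    this.rows = rows[this.table].filter(function (r) {
      return Object.keys(filters).every(function (f) { return r[f] === filters[f]; });
    });
    this.i = -1;
  };
  GlideRecord.prototype.next = function () { this.i += 1; return this.i < this.rows.length; };
  GlideRecord.prototype.getValue = function (f) { return this.rows[this.i][f]; };
  GlideRecord.prototype.canRead = function () {        // open row, or the session user holds a listed role
    var need = this.rows[this.i].read_roles;
    return need.length === 0 || need.some(function (r) { return gs.hasRole(r); });
  };
  function GlideRecordSecure(table) { GlideRecord.call(this, table); }
  GlideRecordSecure.prototype = Object.create(GlideRecord.prototype);
  GlideRecordSecure.prototype.next = function () {     // skips rows the session user cannot read
    while (GlideRecord.prototype.next.call(this)) { if (this.canRead()) return true; }
    return false;
  };
  globalThis.GlideRecord = GlideRecord;
  globalThis.GlideRecordSecure = GlideRecordSecure;
})();

// Run fn while the session impersonates userSysId, then revert even if fn throws.
function withImpersonation(userSysId, fn) {
  var session = gs.getSession();
  var original = gs.getUserID();
  session.impersonate(userSysId);
  try {
    return fn();
  } finally {
    session.impersonate(original);
  }
}

// ACL-enforcing read: only rows the impersonated user may read reach the caller.
function getIncidentsAs(userSysId, number) {
  return withImpersonation(userSysId, function () {
    var out = [];
    var gr = new GlideRecordSecure('incident');
    gr.addQuery('number', number);
    gr.query();
    while (gr.next()) {
      out.push({ number: gr.getValue('number'), short_description: gr.getValue('short_description') });
    }
    return out;
  });
}

// The post's pattern for comparison: plain GlideRecord still returns the row after
// impersonation because it never consults ACLs; canRead() shows the real decision.
function getIncidentsUnsecured(userSysId, number) {
  return withImpersonation(userSysId, function () {
    var out = [];
    var gr = new GlideRecord('incident');
    gr.addQuery('number', number);
    gr.query();
    while (gr.next()) {
      out.push({ number: gr.getValue('number'), can_read: gr.canRead() });
    }
    return out;
  });
}

// Scripted REST resource body (assumed resource: GET .../incident/{number}). On the instance
// this is the body of the generated (function process(request, response) { ... }) wrapper.
function handleRequest(request, response) {
  var userSysId = request.getHeader('X-Requesting-User');   // assumed header name
  var number = request.pathParams.number;
  if (!userSysId || !number) {
    response.setStatus(400);
    response.setBody({ error: 'X-Requesting-User header and number path parameter are required' });
    return;
  }
  var result = getIncidentsAs(userSysId, number);
  response.setStatus(result.length ? 200 : 404);   // 404 rather than 403: do not confirm the record exists
  response.setBody({ result: result });
}
if (typeof request !== 'undefined' && typeof response !== 'undefined') {
  handleRequest(request, response);
}
```

Two caveats a reviewer would raise on this design. First, the header is trusted input: it only says which user the already-authenticated bot is acting for, so the resource must keep "Requires authentication" on and be called only by the bot's own service account, and the bot must itself verify the chat user's identity before filling the header. Second, impersonation is a privileged operation (the account needs the admin or impersonator role), so the gain is that a compromised bot credential still yields only what the impersonated user can read, not that the bot account has become low-privilege.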
05-22-2024 03:26 PM
Hi Lion,
I am running into a similar issue. Did you manage to fix it? Any suggestions are highly appreciated.
Thanks,
Sowmya