Insufficient rights to query records via Aggregate API

andriyko
Giga Contributor

‎01-05-2016 05:17 AM

I am trying to fetch stats over the Task table with user that has rest_service role.

The request is:

GET /api/now/v1/stats/task?sysparm_limit=10&sysparm_query=sys_class_name=incident&sysparm_count=true&sysparm_group_by=priority

The response is:

{
  "error": {
  "message": "Insufficient rights to query records",
  "detail": "No permission to read table 'task'"
  },
  "status": "failure"
}

At the the same time the user is able to get (read) Incident(task) details.

From wiki Aggregate API - ServiceNow Wiki 

Access to tables via the REST API is restricted by BasicAuth and the rest_service role. ACLs defined for tables are enforced to restrict access to data.

There is no ACL rule for task table and read operation. So, why the user has no permissions to read table task? If I add an ACL rule to allow read operation for my custom role, it will break all others access.

0 Helpfuls
  • 2,991 Views
3 REPLIES 3

Brad Tilton
ServiceNow Employee
ServiceNow Employee

‎01-05-2016 07:51 AM

The rest_service role only allows access into the rest api, it doesn't affect the access to tables which has to be managed through access controls. You'll have to either edit the ACLs to give your custom role access to the task table or give your user a role that provides access.


andriyko
Giga Contributor
In response to Brad Tilton

‎01-05-2016 10:14 AM

That is what I was saying in the original post. User is able to read Task records, but cannot read stats on Task table. How is that possible if the same set of ACLs is applied? Also, by default there is no ACL rule for read operation on task table. So, once I add such rule for my role, other users fail to read task records due to my ACL.


0 Helpfuls

Brad Tilton
ServiceNow Employee
ServiceNow Employee
In response to andriyko

‎01-05-2016 11:02 AM

If a user doesn't have the itil role, their access to the task tables is pretty locked down by default. I would make sure you can login as that user and return the records you're looking for in a list first. In addition to ACLs you'll want to check query business rules.



ServiceNow's default security model is deny, so even thought the task table doesn't have a read acl, each of the tables extending task have read ACLs on them. Those should override a task ACL anyway so you could put one on task or add your role to the extended tables' ACLs.


0 Helpfuls