Limiting access through REST with ACL

TylerTeter
Kilo Guru

My company is looking at allowing an external vendor to develop a plugin to interact with our instance of ServiceNow using the Table API with REST commands. However, we clearly want to limit what data can be accessed via these REST commands for security concerns.

I've read on the wiki (Table API - ServiceNow Wiki) that to do this you must use ACL and that currently everything is open by default. I'm not too familiar with the specifics of ACL and how to use it to create a role, per se, that only allows certain tables to be accessed. Another concern would be if I had to create new ACL roles every time I wanted to hook it up with another application. Is there a more generic solution, or how easy is it to limit these accesses?

I feel I'm likely not the only one to have these concerns. If anyone has any ideas on the best way to solve this problem I'm all ears, thanks!

1 ACCEPTED SOLUTION

Ken_Michelson
Kilo Guru

Tyler,



You may have been misinterpreting the wiki about "everything is open by default". Technically, everything is "accessible" by default, meaning that the API is defined for all tables, but the web service must still pass user authentication, Data Policies, and ACLs to get to the data.



One way to think about this is that the API is just another point of entry. The web browser is a point of entry, and the mobile app is a point of entry. All three of these work in a similar fashion: you log in, and based on your user, you get roles and have access to certain tables and data. Even if you have NO access to a table, you can see that the table exists, but just not see any rows or fields.



If you create an external_vendor role, and have it inherit ITIL, for example, then they could use the API to get access to everything that ITIL has access to. Obviously, I doubt that is what you want.



There are several approaches you could use here, but I would look into the default snc_external role that ServiceNow provides https://docs.servicenow.com/administer/contextual_security/task/t_ProvideExternalUsersAccessToTables... and then design what you want your vendors to access and why.



-Ken Michelson
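One way to check that a restricted integration role behaves the way Ken describes (authentication first, then roles and ACLs deciding what comes back) is to probe the Table API as that user and compare the verdicts against an allowlist. The script below is an added example, not code from this thread or from ServiceNow; it assumes the standard Table API path /api/now/table/<table> with basic auth, and the table names, error text and responses in FAKE are constructed so it runs offline.

```python
import base64
import json
import urllib.request
from urllib.error import HTTPError

def classify(status, body):
    """Turn one Table API response into an access verdict."""
    if status == 401:
        return "auth-failed"
    if status == 403:
        return "denied"
    if status == 200:
        # ACLs can also filter silently: HTTP 200 with an empty result means the
        # table is visible to the user but no rows (or fields) are readable.
        return "readable" if json.loads(body).get("result") else "visible-no-rows"
    return f"unexpected:{status}"

def table_api_fetch(instance, user, password):
    """fetch(table) -> (status, body) via /api/now/table/<table> with basic auth."""
    def fetch(table):
        url = f"https://{instance}.service-now.com/api/now/table/{table}?sysparm_limit=1"
        req = urllib.request.Request(url, headers={"Accept": "application/json"})
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, resp.read().decode()
        except HTTPError as err:
            return err.code, err.read().decode()
    return fetch

def audit(tables, allowed, fetch):
    """Probe each table as the integration user; a violation is any table whose
    row readability disagrees with the allowlist (leak or unexpected denial)."""
    verdicts = {t: classify(*fetch(t)) for t in tables}
    violations = [t for t, v in verdicts.items() if (v == "readable") != (t in allowed)]
    return verdicts, violations

# Constructed responses standing in for a live instance (runs offline). The vendor
# role should read incident only; HTTP 200 with no rows can mean an empty table or
# rows hidden by ACLs, so it is reported but not counted as a violation.
FAKE = {
    "incident": (200, '{"result":[{"number":"INC0000001"}]}'),
    "sys_user": (403, '{"error":{"message":"Insufficient rights to query records"}}'),
    "cmdb_ci": (200, '{"result":[]}'),
    "sys_user_role": (200, '{"result":[{"name":"admin"}]}'),
}

if __name__ == "__main__":
    print(audit(FAKE, {"incident"}, FAKE.__getitem__))
```

Against a real instance, replace `FAKE.__getitem__` with `table_api_fetch("<instance>", "<vendor user>", "<password>")` and confirm a "visible-no-rows" verdict with a table you know has rows.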



2 REPLIES 2


Ken,



You're correct, and that's a very important distinction to make. It's accessible only when the request passes authentication and has roles to pass the ACLs to get to the data. The distinction I was mainly trying to make was handing out master keys to everything versus handing out a key that can only open certain tables.



That is a good way to think about it. The wiki seems to suggest that the API point of entry is handled slightly differently from the other entry points, in terms of some of the authentication, but it is probably still pretty close.



Making an external_vendor role sounds like a fantastic idea, giving it access only to certain tables. I think I'm going to dig into that and see what kind of rules I can make to do what I want.



Thank you!



Although it probably isn't as thorough as manually creating ACLs, I found that roles can be assigned to specific applications, which may solve my problem also. Creating Roles - ServiceNow Wiki