Managing allow access to this table via web services

johnfeist
Mega Sage

I'm new to this part of ServiceNow. I will be setting up our first interaction via REST. The documentation talks about using the "Allow access to this table via web services" switch to help control what tables can be accessed. That makes a lot of sense. What I'm seeing is that by default the box is checked for the few tables I reviewed (incident, user, group, request). I'd prefer to have them all set to off and only turn it on for those views and landing tables that will be involved in the REST dialogs.

Is there a mechanism for turning them all off or do I need to do that programmatically?  If I do that, are there any adverse side effects that I need to consider?

Thanks in advance for any information you can provide.

John

Hope that helps.

:{)

Helpful and Correct tags are appreciated and help others to find information faster
2 REPLIES

Pradeep Sharma
ServiceNow Employee

Hello Johnfeist,

I would not recommend modifying this for OOTB tables, as there might be some apps shipped from ServiceNow interacting with those tables via web services. In addition, if you have any custom integrations set up, they might break. Hence this would definitely require a good amount of analysis. For now, I can only think of 2 scenarios.

Also please note that the user performing the query must have the correct permissions (ACLs) to access this table, even when this check box is selected. Hence the best way to secure a table is via ACLs.

Please let me know if you have any questions.

Thanks,

Pradeep Sharma

Thank you Pradeep. You've confirmed what I suspected and why I asked first.

I've been working on setting up for REST dialogs against the incident table. I got a PowerShell script from the REST Explorer to test access, etc. Right now I just have it extracting an incident number to test functionality.

I've set up a separate user who is not a fulfiller. I also created a role specific to this REST request which includes the rest_api_explorer and web_service_admin roles and assigned it to the user. I then built an ACL on incident that grants read to incident.number based on the role I created.

So the question(s):

  • Am I going about setting up the ACLs correctly?
  • Do I need to create ACLs on tables which are referenced by incident (e.g. sys_user to give access to get the caller's name) or will dot walking let me into those?
  • I can extract data using my own credentials. I'm the sys admin. When I try running the script where I just change the credentials to those of the user I created, I get a 401 unauthorized error. Do I need to grant any other roles or have some license in place for that user?

Thank you in advance for any insights, information or references you can provide.

I hope to get the chance to meet you at Knowledge.

John
