
Minimal privilege REST table API CRUD

Mikael Karlsson
Kilo Sage

Hi, I would like to allow a certain integration account to use the REST Table API to create and manipulate data in a scoped app table without having access to other tables in the platform. This seems more problematic than it would seem.

 

The app has a role created for managing the table; CRUD permissions are allowed at table level.

 

We use explicit roles, so users and service accounts must also have either the snc_internal or the snc_external role assigned. If we assign snc_internal, then unnecessary read access to many tables exists.

 

If we use snc_external we get a strange behavior where reading the table is allowed, and creating records looks like it's succeeding with HTTP 200, but the only things populated on the record are the system fields: sys_id, sys_created_on, sys_created_by, sys_updated_on, sys_updated_by. All of my additional fields are ignored. As soon as snc_internal is used instead, the same insert works fine.

 

Help me brainstorm where this behavior is coming from and how to accomplish what I need without granting more access.

1 ACCEPTED SOLUTION

Mikael Karlsson
Kilo Sage

I think I found a solution: if I grant a Create ACL for both the table record plus table.* then it works as intended, even with the snc_external role also applied to the account. Both entries need to exist: if I only have the table-level ACL then fields are not populated even though a blank record is created, and if I only have the table.* ACL then I get permission denied, but the combination does what I want.

 


 

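Two checks a practitioner would want around the behaviour described in the accepted solution, as an added example (this is not code from the original thread or from ServiceNow): first, a REST Table API insert that verifies every field you sent actually came back populated instead of trusting the HTTP status, which is exactly the silent-drop symptom the question reports; second, an audit over the table's ACL rows that confirms both the record-level create rule (`<table>`) and the field-level create rule (`<table>.*`) exist and are active. The instance URL, the table name `x_myapp_widget`, its `u_*` field names, the service-account credentials and the shape of the `sys_security_acl` rows (`name`, `operation`, `type`, `active`, as returned with `sysparm_display_value=true`) are all assumptions. The HTTP transport is injectable so the checks run offline against constructed fake responses; `urllib_transport()` is the one to use against a real instance.

```python
"""Added example (not from the original thread or ServiceNow): verify a REST
Table API insert persisted the caller's fields, and audit the create ACLs.
All names below (instance, table, fields, ACL row shape) are assumptions."""
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, Tuple

# Fields the platform populates itself; their presence proves nothing about
# whether the caller's own fields were written.
SYSTEM_FIELDS = {"sys_id", "sys_created_on", "sys_created_by",
                 "sys_updated_on", "sys_updated_by", "sys_mod_count", "sys_tags"}

# transport(method, url, query_params, json_body) -> (status_code, parsed_json)
Transport = Callable[[str, str, Dict[str, str], Dict], Tuple[int, Dict]]


def urllib_transport(user: str, password: str) -> Transport:
    """Real transport (basic auth, standard library only); not used offline."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def send(method, url, params, body):
        full = f"{url}?{urllib.parse.urlencode(params)}" if params else url
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(full, data=data, method=method, headers={
            "Authorization": f"Basic {token}",
            "Accept": "application/json",
            "Content-Type": "application/json",
        })
        with urllib.request.urlopen(req) as resp:  # raises on 4xx/5xx
            return resp.status, json.loads(resp.read().decode())
    return send


def insert_and_verify(instance: str, table: str, payload: Dict[str, str],
                      transport: Transport) -> Dict:
    """POST one record and report which of the sent fields came back empty."""
    url = f"{instance}/api/now/table/{table}"
    # Ask for exactly the fields we sent (plus sys_id) so the comparison is direct.
    params = {"sysparm_fields": ",".join(["sys_id", *payload]),
              "sysparm_display_value": "false"}
    status, body = transport("POST", url, params, payload)
    if status not in (200, 201):  # the thread saw 200; POST normally gives 201
        raise RuntimeError(f"insert failed: HTTP {status}: {body}")
    record = body.get("result", {})
    dropped = sorted(k for k, v in payload.items()
                     if k not in SYSTEM_FIELDS and v != "" and record.get(k, "") == "")
    return {"sys_id": record.get("sys_id", ""), "dropped": dropped,
            "ok": bool(record.get("sys_id")) and not dropped}


def audit_create_acls(table: str, acl_rows: Iterable[Dict[str, str]]) -> Dict[str, bool]:
    """Return {table: bool, table.*: bool}: which active record-type CREATE
    ACLs exist. acl_rows is assumed to be sys_security_acl records fetched with
    sysparm_display_value=true, so 'operation' is the display name 'create'."""
    wanted = {table: False, f"{table}.*": False}
    for row in acl_rows:
        if (row.get("type") == "record"
                and row.get("operation", "").lower() == "create"
                and row.get("active") == "true"
                and row.get("name") in wanted):
            wanted[row["name"]] = True
    return wanted


# --- constructed fake transports reproducing the two behaviours in the thread ---
def fake_external_transport(method, url, params, body):
    """snc_external only: HTTP 200, but only system fields are populated."""
    result = {"sys_id": "a" * 32, "sys_created_by": "svc.integration"}
    result.update({k: "" for k in body})  # every custom field silently empty
    return 200, {"result": result}


def fake_fixed_transport(method, url, params, body):
    """After both create ACLs exist: the record echoes the fields sent."""
    return 201, {"result": {"sys_id": "b" * 32, **body}}


if __name__ == "__main__":
    payload = {"u_name": "widget-1", "u_owner": "integration", "u_priority": "3"}
    for name, transport in (("external", fake_external_transport),
                            ("fixed", fake_fixed_transport)):
        print(name, insert_and_verify("https://example.service-now.com",
                                      "x_myapp_widget", payload, transport))
    print(audit_create_acls("x_myapp_widget", [
        {"name": "x_myapp_widget", "operation": "create", "type": "record", "active": "true"},
    ]))
```

For the ACL audit against a live instance, fetch the rows with the same transport from `/api/now/table/sys_security_acl` filtered on `name` equal to the table or `table.*`, with `sysparm_display_value=true`; the check deliberately ignores `read`, `write` and `delete` rows, since the thread's symptom is specific to create. Run `insert_and_verify` from the integration account itself, not from an admin, because an admin session hides exactly the ACL gap you are trying to detect.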


Ravi Chandra_K
Kilo Patron

Hello @Mikael Karlsson

Please check the ACLs on the table. There might be a rule which allows write access on the table for snc_external.

 

Please mark the answer as helpful and correct if it helped.

Kind Regards,

Ravi

It's my own custom app table. Read, create, write and delete are granted to the custom role which the account has.

 

When the account also has snc_external, there is no proper insert of all fields; when it has snc_internal, it works as expected but with too much other access.
