O ACL for sys_user.user_password, Where Art Thou?

cgk
Tera Contributor

Hi,

I need to set passwords for users via REST API calls, and I have developed a Table API and a scripted API, both of which work if the user making the API call has 'admin' role privileges.

In order to avoid assigning 'admin' privileges to an API caller, I created a new role and assigned it 'write' privileges to the sys_user.user_password ACL entry, but it is not working. What additional ACL entries do I need to configure for a new role to enable it to set user passwords?

7 REPLIES

Swapna Abburi
Mega Sage

Hi @cgk

Add "user_admin" role to the API user and try if it works.

Thank you Swapna. I did try user_admin and it does not work either. If you inspect the ACL entry sys_user.user_password you will notice that the only role listed is admin. The API fails even after I add the custom role user_custom_role to the list of roles.

Not sure what other ACL is colliding and preventing additional roles from being added to set the user_password fields in the sys_user table.

Andrew_TND
Mega Sage

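Hi, have you tried amending your script logic on the API call?

Something like this...

(function process(request, response) {
    var role = 'custom_role'; // Your new role
    // Reject the caller with 403 unless it holds the role
    if (!gs.hasRole(role)) {
        response.setStatus(403);
        response.setBody({ error: 'DENIED' }); // Or whatever message you want.
        return;
    }
    // Caller holds the role: continue with the rest of the resource script here
})(request, response);
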

Please mark as helpful or if it’s resolved the issue, CORRECT!

Ankur Bawiskar
Tera Patron

@cgk 

Please share the scripted REST API script that is setting the password value.

Also share how you are sending the request for the Table API to set the password value.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader