O ACL for sys_user.user_password, Where Art Thou?

cgk
Tera Contributor

Hi,

I need to set passwords for users via REST API calls and I have developed a TableAPI and a scripted API, both of which work if the user making the API call has the 'admin' role.

In order to avoid assigning 'admin' privileges to an API caller, I created a new role and assigned it 'write' privileges to the sys_user.user_password ACL entry, but it is not working. What additional ACL entries do I need to configure for a new role to enable it to set user passwords?


Hi Ankur,

Scripted API code snippet:

    // request.body.data holds the parsed JSON body of the Scripted REST request
    var requestData = request.body.data;
    var usr = new GlideRecordSecure('sys_user');
    usr.addQuery('sys_id', request.pathParams.sys_id);
    usr.query();
    if (usr.next()) {
        // only allow the change on an active service account (web_service_access_only).
        // getValue() is compared as a string because a GlideElement object is always truthy
        if (usr.getValue('active') == 'true' && usr.getValue('web_service_access_only') == 'true') {
            usr.setDisplayValue('user_password', requestData.user_password);
            usr.update();
        } else {
            return new sn_ws_err.BadRequestError(gs.getMessage("service account not active or not flagged as web service access only"));
        }
    }

TableAPI call:

https://{{base_url}}/api/now/table/sys_user/{{user_sys_id}}?sysparm_input_display_value=true

Both calls only work if the user has the 'admin' role. Below are both ACLs (OOB and Custom).

OOB

[screenshot: cgk_1-1736016034572.png]

Custom ACL

[screenshot: cgk_2-1736016060582.png]

What other ACLs must I add/update to the custom ACL to make these calls work?

 

 

@cgk 

With that non-admin user, are you able to create a record without the password field?

That non-admin API user should also have table-level (table.None) WRITE access, without which it can't create the record and hence can't set the field either.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader

ChrisBurks
Mega Sage

@cgk

Did you add the custom role to both the read and write ACL for the sys_user.user_password? By the looks of your screenshot, it appears to only be the write ACL.

You would think that giving the write permission would allow it to write, but both read and write need to be applied if you haven't done so already.
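Added example, not code from this thread or from ServiceNow: a small JavaScript model of the layered ACL evaluation that Ankur's and Chris's replies describe. It keeps only one rule of the real engine, that an operation on a field must pass the table-level ACL (table.None) and the field-level ACL (table.field); conditions, ACL scripts, table inheritance and table.* wildcards are left out, so it is an assumption about shape rather than a reproduction of the platform. The role name password_setter and the role lists in the ACL map are constructed sample data.

```javascript
// Simplified model of layered ACL evaluation (constructed for this example, not
// ServiceNow's engine). Rule kept: an operation on table.field must pass the
// table-level ACL (table.None) AND the field-level ACL (table.field).

// Sample ACL map: which roles may perform each operation on each target.
// Role lists are constructed sample data.
function makeAcls() {
  return {
    "sys_user.None":          { read: ["admin", "itil"], write: ["admin"] },
    "sys_user.user_password": { read: ["admin"],         write: ["admin"] }
  };
}

function hasAnyRole(userRoles, allowedRoles) {
  return allowedRoles.some(function (r) { return userRoles.indexOf(r) !== -1; });
}

// Evaluate one operation. Returns which layer denied it so the caller can see
// whether the table-level or the field-level ACL is the one missing the role.
function evaluate(acls, userRoles, table, field, op) {
  var tableAcl = acls[table + ".None"] || {};
  if (!hasAnyRole(userRoles, tableAcl[op] || [])) {
    return { allowed: false, failedAt: table + ".None/" + op };
  }
  if (field) {
    var fieldAcl = acls[table + "." + field] || {};
    if (!hasAnyRole(userRoles, fieldAcl[op] || [])) {
      return { allowed: false, failedAt: table + "." + field + "/" + op };
    }
  }
  return { allowed: true, failedAt: null };
}

// Add a role to an ACL entry, the equivalent of editing "Requires role" in the UI.
function grant(acls, target, op, role) {
  acls[target] = acls[target] || { read: [], write: [] };
  acls[target][op] = acls[target][op] || [];
  if (acls[target][op].indexOf(role) === -1) acls[target][op].push(role);
}

// Replay the thread's situation step by step and collect each evaluation.
function walkthrough() {
  var acls = makeAcls();
  var apiUser = ["password_setter"]; // constructed role name for the API caller
  var steps = {};

  // The original setup: the custom role only on the field-level write ACL.
  grant(acls, "sys_user.user_password", "write", "password_setter");
  steps.fieldWriteOnly = evaluate(acls, apiUser, "sys_user", "user_password", "write");

  // Ankur's point: table-level write is also required.
  grant(acls, "sys_user.None", "write", "password_setter");
  steps.withTableWrite = evaluate(acls, apiUser, "sys_user", "user_password", "write");

  // Chris's point: read is evaluated separately from write, at both layers.
  grant(acls, "sys_user.None", "read", "password_setter");
  steps.fieldReadBefore = evaluate(acls, apiUser, "sys_user", "user_password", "read");
  grant(acls, "sys_user.user_password", "read", "password_setter");
  steps.fieldReadAfter = evaluate(acls, apiUser, "sys_user", "user_password", "read");

  // admin passes both layers without any change to the ACLs.
  steps.admin = evaluate(acls, ["admin"], "sys_user", "user_password", "write");
  return steps;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(walkthrough(), null, 2));
}
```

Running it shows the first write attempt denied at sys_user.None/write even though the field ACL already carries the role, which is the symptom in the original post; once the table-level write is granted the same call passes, and the read checks fail and pass in the same layered way.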