Questions about ACLs when server-side scripts (Scripted REST API and Business Rule) read and write tables
04-11-2023 10:29 PM - edited 04-11-2023 10:30 PM
gr['comments_and_work_notes'].getJournalEntry(-1);
04-11-2023 10:43 PM
Hi, you might need to clarify the meaning of 'accessing the custom Scripted REST API in ServiceNow through an external system', as it sounds to me like you are using a user account to authenticate/access the instance via REST, in which case that user account's access and visibility of data/records will be controlled by ACLs, and this has nothing to do with any server-side scripts observing (or not) ACLs.
04-11-2023 10:54 PM - edited 04-11-2023 10:56 PM
Thank you for your answer.
I created a Scripted REST Resource like this:
Receive JSON data from external systems and parse it.
Then update the data to the records by GlideRecord.
Do you mean that in this case, the account that sends HTTP requests from outside must have an ACL to access the data of the table?
But in my attempt, only the Journal List field ("Comments and Work Notes") requires roles, and other fields can be read and written normally without roles.
Even the fields set to the admin role in the ACL can be read and written, and the account I used for authentication does not have the required roles.
04-12-2023 12:28 AM
I think there is some confusion, as one minute your post mentions reading a value, yet elsewhere it is implied the issue is with writing, and as you have not shared your code or any clear details of your configuration the forum has little to evaluate.
Your partial screenshot also shows an HTTP POST method, yet the code content appears to indicate a query/GET.
Perhaps you can provide clear details of your process, and your code in plain text.
I would also suggest that you test using Postman or similar and the OOB Table API, to see if you encounter the same issue reading/writing directly to your reference record and also the sys_journal_field table.
04-12-2023 02:11 AM - edited 04-12-2023 02:18 AM
Sorry, this is very simple code, so I didn't display everything. I have redone the simplest example.
Table: extends Task, without adding any additional fields.
1. I created a new record and set a value in the "work_notes" field.
2. Query this record in the REST API and read the values of "number" and "Comments and Work Notes":
    (function process( /*RESTAPIRequest*/ request, /*RESTAPIResponse*/ response) {
        var tableName = 'x_925359_myscope_scope4';
        var gr = new GlideRecord(tableName);
        gr.addQuery('sys_id', 'acdf29971b0a6510afbbeca9bc4bcbb9');
        gr.query();
        if (gr.next()) {
            // journal_list field: getJournalEntry(-1) returns all entries
            gs.info("comments_and_work_notes:" + gr['comments_and_work_notes'].getJournalEntry(-1));
            gs.info("number:" + gr['number']);
        }
    })(request, response);
3. Created a user without any roles.
4. Used this user in Postman to send a request.
5. Viewed the logs in ServiceNow: "number" read a value, but "comments_and_work_notes" did not.
6. Added the "ITIL" and "x_925359_myscope.scope4_user" roles (both roles must exist simultaneously; if there is only one, the value cannot be obtained).
7. Sent the request again through Postman and viewed the log: the value was read.
Perhaps I described too much additional information before, which caused confusion...
Actually, what I don't understand is why only this field requires additional roles to be read.
And the ACL that meets the requirements is not for sys_journal_field, but for the Task table...
("sys_journal_field" read needs the "admin" or "sn_hr_sp.esc_admin" role; "task.comments_and_work_notes" read needs the "itil" role.)
And when I want to read fields of the Journal List type that are not from the Task table ("Comments and Work Notes"), but were created by myself (in the x_925359_myscope_scope4 table), they can be read even without adding any roles.
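The script in the last post reads the record with a plain GlideRecord, so the fields it returns depend on which ACLs the platform happens to enforce for a server-side read. The example below is added here and is not code from the thread or from ServiceNow: it shows a resource handler that enforces the calling user's record-level and field-level ACLs explicitly, returning only readable fields and listing the rest as denied. It assumes the ServiceNow APIs GlideRecordSecure (the ACL-enforcing GlideRecord), GlideRecord.get(sysId), GlideRecord.canRead(), GlideRecord.getElement(name), GlideElement.canRead(), GlideElement.getJournalEntry(-1), RESTAPIResponse.setStatus()/setBody() and request.pathParams; in the instance, the resource's process function would call handleGet(request, response, GlideRecordSecure). The FakeSecureRecord stub, its rows and its role requirements are constructed so the logic can be run offline under Node; the role requirements mirror what the poster observed, not a verified platform rule.

```javascript
// Added example, not code from the thread or from ServiceNow.
// Assumed ServiceNow APIs: GlideRecordSecure, GlideRecord.get/canRead/getElement,
// GlideElement.canRead/getJournalEntry, RESTAPIResponse.setStatus/setBody.

var TABLE = 'x_925359_myscope_scope4';
var FIELDS = [
  { name: 'number', journal: false },
  { name: 'comments_and_work_notes', journal: true }   // journal_list field
];

// Read only the fields the calling user may read; report the rest as denied.
function readFieldsForCaller(gr, fields) {
  var out = { values: {}, denied: [] };
  for (var i = 0; i < fields.length; i++) {
    var f = fields[i];
    var el = gr.getElement(f.name);
    if (!el || !el.canRead()) {          // field-level ACL for the current user
      out.denied.push(f.name);
      continue;
    }
    // journal fields hold entries rather than a scalar; -1 returns all entries
    out.values[f.name] = f.journal ? el.getJournalEntry(-1) : el.toString();
  }
  return out;
}

// Resource handler. In ServiceNow, recordCtor is GlideRecordSecure.
function handleGet(request, response, recordCtor) {
  var gr = new recordCtor(TABLE);
  if (!gr.get(request.pathParams.sys_id)) {
    response.setStatus(404);
    response.setBody({ error: 'record not found or not readable' });
    return null;
  }
  if (!gr.canRead()) {                   // record-level ACL for the current user
    response.setStatus(403);
    response.setBody({ error: 'read denied' });
    return null;
  }
  var result = readFieldsForCaller(gr, FIELDS);
  response.setStatus(200);
  response.setBody(result);
  return result;
}

// ---- constructed offline stand-ins (not ServiceNow code) ----
// Role requirements modelled on the poster's observation: the inherited task
// journal field needs both roles, the number field needs none.
var STUB_ROWS = {
  'acdf29971b0a6510afbbeca9bc4bcbb9': {
    number: 'TASK0010001',
    comments_and_work_notes: 'constructed work note'
  }
};
var STUB_FIELD_ROLES = { comments_and_work_notes: ['itil', 'x_925359_myscope.scope4_user'] };

function makeStubCtor(callerRoles) {
  function hasAll(required) {
    return required.every(function (r) { return callerRoles.indexOf(r) !== -1; });
  }
  function FakeSecureRecord(table) { this.table = table; this.row = null; }
  FakeSecureRecord.prototype.get = function (sysId) {
    this.row = STUB_ROWS[sysId] || null;
    return this.row !== null;
  };
  FakeSecureRecord.prototype.canRead = function () { return this.row !== null; };
  FakeSecureRecord.prototype.getElement = function (name) {
    if (!this.row || !(name in this.row)) return null;
    var value = this.row[name];
    return {
      canRead: function () { return hasAll(STUB_FIELD_ROLES[name] || []); },
      getJournalEntry: function () { return value; },
      toString: function () { return value; }
    };
  };
  return FakeSecureRecord;
}

function makeStubResponse() {
  var r = { status: 0, body: null };
  r.setStatus = function (s) { r.status = s; };
  r.setBody = function (b) { r.body = b; };
  return r;
}

// Run the handler as a caller holding the given roles (offline only).
function runAs(roles, sysId) {
  var response = makeStubResponse();
  handleGet({ pathParams: { sys_id: sysId } }, response, makeStubCtor(roles));
  return response;
}
```

Run offline, a caller with no roles gets number back and comments_and_work_notes listed under denied, while a caller holding both roles gets both values; the point is that the resource states its access decision instead of leaving it to whatever a plain GlideRecord enforces for a given field type.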