Questions about ACLs when server-side scripts (Scripted REST API and Business Rule) read and write tables

panda1
Kilo Guru
I created a table (name: mytask) that extends the "Task" table.
I created a Scripted REST API to read and update the values of table records.
According to the following link, server-side scripts are not affected by ACLs.
But in my instance, I access the custom Scripted REST API in ServiceNow through an external system (the authenticating user account only has the mytask_user role and no other roles).
When I read the value of the journal list type field (Task's "Comments and Work Notes") of the table in the Scripted REST API, I found an empty value.
But I can update its values by updating Work Notes.
After checking the ACLs of Task, reading Task's "Comments and Work Notes" requires the ITIL role. After adding ITIL, I could read it normally, but this seems inconsistent with the description in the link above.
Moreover, it is strange that other fields such as the "Work Notes" field and the "description" field also require ITIL for reading and writing. However, in the REST API, even if the authenticated account does not have this role, they can still be read and written normally. Only "Comments and Work Notes" cannot be read.
I use this script to get the value:
gr['comments_and_work_notes'].getJournalEntry(-1);

Is this field special? Or does the Scripted REST API not count as a server-side script?
Are there any other fields that need to comply with ACLs even in server-side scripts?

Tony Chatfield1
Kilo Patron

Hi, you might need to clarify the meaning of 'accessing the custom Scripted REST API in ServiceNow through an external system', as it sounds to me like you are using a user account to authenticate/access the instance via REST, in which case the user account's access and visibility of data/records will be controlled by ACLs, and this has nothing to do with any server-side scripts observing (or not) ACLs.

Thank you for your answer

I created a Scripted REST Resource, like this:

[screenshot of the Scripted REST Resource]

It receives JSON data from external systems and parses it.

Then it updates the records with that data via GlideRecord.

Do you mean that in this case, the account that sends HTTP requests from outside must have ACL access to the data of the table?

But in my attempt, only the Journal List field ("Comments and Work Notes") requires roles, and other fields can be read and written normally without roles.

Even fields whose ACLs require the admin role can be read and written, and the account I used for authentication does not have the required roles.

I think there is some confusion: one minute your post mentions reading a value, yet elsewhere it is implied the issue is with writing, and as you have not shared your code or any clear details of your configuration, the forum has little to evaluate.

Your partial screenshot also shows an HTTP POST method, yet the code content appears to indicate a query/GET.

Perhaps you can provide clear details of your process, and your code in plain text.

I would also suggest that you test using Postman or similar and the OOB Table API, to see if you encounter the same issue reading/writing directly to your reference record and also to the sys_journal_field table.

Sorry, this is very simple code, so I didn't show everything. I have set up the simplest example again.

Table: extends Task without adding any additional fields.

[screenshot of the table definition]

1. I created a new record and set a value in the "work_notes" field.

[screenshots of the new record and its work notes]

2. Query this record in the REST API and read the values of "number" and "Comments and Work Notes":

(function process( /*RESTAPIRequest*/ request, /*RESTAPIResponse*/ response) {
    var tableName = 'x_925359_myscope_scope4';
    var gr = new GlideRecord(tableName);
    gr.addQuery('sys_id', 'acdf29971b0a6510afbbeca9bc4bcbb9');
    gr.query();
    // Only read when the record was actually found
    if (gr.next()) {
        // -1 asks for every journal entry of the field; comes back empty without the itil role
        gs.info("comments_and_work_notes:" + gr['comments_and_work_notes'].getJournalEntry(-1));
        gs.info("number:" + gr['number']);
    }
})(request, response);

[screenshot of the Scripted REST Resource script]

3. Created a user without any roles.

[screenshot of the user record]

4. Use this user in Postman to send a request.

[screenshot of the Postman request]

5. View the logs in ServiceNow.

[screenshot of the system log]

'number' returned a value, but 'comments_and_work_notes' did not.

6. Add the "ITIL" and "x_925359_myscope.scope4_user" roles (both roles must be present at the same time; if there is only one, the value cannot be obtained).

[screenshot of the user's roles]

7. Send the request again through Postman and view the log.

[screenshot of the system log]

The value was returned.

Perhaps I gave too much additional information before, which caused confusion...

Actually, what I don't understand is why only this field requires additional roles to be read.

And the ACL that has to be satisfied is not the one on sys_journal_field, but the one on the Task table...

(reading "sys_journal_field" needs the "admin" or "sn_hr_sp.esc_admin" role; reading "task.comments_and_work_notes" needs the "itil" role)

And when I read journal list type fields that are not from the Task table (like "Comments and Work Notes") but were created by myself (in the x_925359_myscope_scope4 table), they can be read even without adding any roles.
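An added example, not code from this thread or from ServiceNow: a hardened form of the resource script above that checks the field-level ACL with GlideElement.canRead() before reading the journal, so a caller lacking the role gets an explicit 403 instead of the silently empty value seen in step 5. It assumes canRead() evaluates the same task.comments_and_work_notes read ACL that gated the journal read here; the record double at the bottom is a constructed stand-in so the file runs outside an instance.

```javascript
// Hardened journal read for a Scripted REST resource (added example, not the
// thread author's code). Assumption: GlideElement.canRead() evaluates the
// field-level read ACL for the REST-authenticated user, so we can fail closed.

function readJournalField(gr, field) {
    // Unknown column: refuse rather than fall through to an empty string.
    if (!gr.isValidField(field)) {
        return { status: 400, body: { error: 'unknown field ' + field } };
    }
    // Field-level ACL check for the current user (itil for task journal fields).
    if (!gr[field].canRead()) {
        return { status: 403, body: { error: 'read denied on ' + gr.getTableName() + '.' + field } };
    }
    // -1 asks for every journal entry of the field, newest first.
    var entries = gr[field].getJournalEntry(-1);
    return { status: 200, body: { field: field, entries: entries } };
}

// Resource body: look the record up, delegate to readJournalField, and always
// set an explicit status so the caller can tell "empty" from "denied".
// In the instance gr would be new GlideRecord('x_925359_myscope_scope4');
// it is injected here only so the double below can exercise the path offline.
function process(request, response, gr) {
    var sysId = request.pathParams.sys_id;
    gr.addQuery('sys_id', sysId);
    gr.query();
    if (!gr.next()) {
        response.setStatus(404);
        response.setBody({ error: 'no record ' + sysId });
        return;
    }
    var result = readJournalField(gr, 'comments_and_work_notes');
    response.setStatus(result.status);
    response.setBody(result.body);
}

// Constructed double standing in for GlideRecord/GlideElement (not a platform API).
// journal maps field name -> joined entry text; readableFields lists fields the
// simulated user may read, mirroring the ACL outcome the thread observed.
function fakeRecord(table, journal, readableFields) {
    var rec = {
        getTableName: function () { return table; },
        addQuery: function () {}, query: function () {}, next: function () { return true; },
        isValidField: function (f) { return Object.prototype.hasOwnProperty.call(journal, f); }
    };
    Object.keys(journal).forEach(function (f) {
        rec[f] = {
            canRead: function () { return readableFields.indexOf(f) >= 0; },
            getJournalEntry: function () { return journal[f]; }
        };
    });
    return rec;
}
```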