Questions about ACLs when server-side scripts (Scripted REST API and Business Rule) read and write tables

panda1
Kilo Guru
I created a table (name: mytask) that extends the "Task" table.
I created a Scripted REST API to read and update the values of the table's records.
According to the following link, server-side scripts are not affected by ACLs.
But in my instance, I access the custom Scripted REST API in ServiceNow from an external system (the authenticating user account only has the mytask_user role and no other roles).
When I read the value of the journal list type field (Task's "Comments and Work Notes") of the table in the Scripted REST API, I get an empty value.
But I can update its value by updating Work Notes.
After checking the ACLs on Task, reading Task's "Comments and Work Notes" requires the ITIL role. After adding ITIL, I could read it normally, but this seems inconsistent with the description in the link above.
Moreover, it is strange that other fields such as the "Work Notes" field and the "description" field also require ITIL for reading and writing. However, in the REST API, even if the authenticated account does not have this role, they can still be read and written normally. Only "Comments and Work Notes" cannot be read.
I use this script to get the value (gr is the GlideRecord positioned on the mytask record):
var value = gr['comments_and_work_notes'].getJournalEntry(-1);

Is this field special? Or does the Scripted REST API not count as a server-side script?
Are there any other fields that need to comply with ACLs even in server-side scripts?

Hi, as I indicated earlier, you appear to be trying to read records using the POST method, whereas I think you should be using GET.
Testing in a PDI, I have no issues POSTing an incident including the comments\work_notes field from Postman using an authenticated user who has only the snc_internal role.

Note: at first authentication ServiceNow will apply the snc_internal role to any user account without roles\any user account that does not have the snc_external role.


Using the base-authentication snc_internal user I can also GET incident comments for the integration user but cannot return work_notes, and this will be because of ACLs, but a non-roled query to sys_journal_field will return the work_notes.


Perhaps you could start by reviewing the vendor documentation for REST\webservices integration and access control:

https://docs.servicenow.com/

and then ensure that you have base functionality working using OOB APIs before moving to a custom solution.

This support article might also help you understand options for reading comments\work_notes from a task table:

Retrieve Work Notes[work_note] and Additional Comments[comments] Using the REST Table API - Support ...


I use POST because the third-party system I use can only send POST requests.

And this should not be related to GET or POST. I am not using the REST API provided by ServiceNow directly, but rather a custom REST API script.

I didn't read the incident or task directly; I created a custom table that extends the Task table.

"snc_internal": I cannot find this role in my dev instance.

Removing the snc_external and snc_internal roles roles from system added by the CSM Plugin - Support...

According to the link, this requires activating CSM.

I'm not sure if it's related to this, but it requires a license, and it feels unrelated.


snc_internal is a result of the Explicit Roles plug-in; it requires no license, and your PDI must be quite old if this plug-in is not deployed by default.

As already suggested, you should test/validate your access using OOB APIs. Once you have confirmed correct access for the account that you are using, you can focus on investigating any issues with your custom API.

Ankur Bawiskar
Tera Patron

@panda1 

The data for a journal field is stored in the sys_journal_field table.

You need to check the ACLs on that table as well.


Regards,
Ankur
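Both replies above point at sys_journal_field as the table where journal text actually lives, and at the REST Table API as a way to read it that does not go through the comments_and_work_notes field. The following is an added example, not code from the thread or from ServiceNow: a small Node.js client that builds the Table API request for sys_journal_field and parses the response into an ordered journal. The instance URL, the table name u_mytask, the record sys_id and the sample response are all assumed or constructed for the demo; the field names (element_id, element, name, value, sys_created_on, sys_created_by) and the sysparm_* parameters are the platform's real ones.

```javascript
// Added example (not from the thread): read a task's journal entries from
// sys_journal_field through the REST Table API, with the request built for a
// Node.js client and the response parsed offline from a constructed sample.
//
// Assumptions (placeholders, not real endpoints or records):
//   INSTANCE, RECORD_SYS_ID and the table name u_mytask are invented.

const INSTANCE = "https://example.service-now.com";
const RECORD_SYS_ID = "0123456789abcdef0123456789abcdef";

const SYS_ID_RE = /^[0-9a-f]{32}$/;
const TABLE_NAME_RE = /^[a-z0-9_]+$/;

// Build the Table API URL that returns journal entries for one record.
// sys_journal_field holds one row per entry: element_id is the record's
// sys_id, name is its table, element is the journal field (work_notes or
// comments). Inputs are validated before they reach sysparm_query because
// '^' and '=' are encoded-query operators; an unchecked value could widen the
// query to other records (encoded-query injection).
function buildJournalUrl(instance, tableName, recordSysId, element) {
  if (!TABLE_NAME_RE.test(tableName)) throw new Error("invalid table name");
  if (!SYS_ID_RE.test(recordSysId)) throw new Error("invalid sys_id");
  if (!["work_notes", "comments"].includes(element)) throw new Error("invalid journal element");
  const query = [
    `name=${tableName}`,
    `element_id=${recordSysId}`,
    `element=${element}`,
    "ORDERBYDESCsys_created_on",
  ].join("^");
  const params = new URLSearchParams({
    sysparm_query: query,
    sysparm_fields: "sys_created_on,sys_created_by,element,value",
    sysparm_display_value: "false",
    sysparm_limit: "100",
  });
  return `${instance}/api/now/table/sys_journal_field?${params.toString()}`;
}

// Send the GET with basic auth (Node 18+ global fetch). Not called below so
// the demo runs offline. ACLs on sys_journal_field still govern this call.
async function fetchJournal(url, user, password) {
  const auth = Buffer.from(`${user}:${password}`).toString("base64");
  const res = await fetch(url, {
    headers: { Accept: "application/json", Authorization: `Basic ${auth}` },
  });
  if (!res.ok) throw new Error(`Table API returned HTTP ${res.status}`);
  return parseJournal(await res.text());
}

// Parse a Table API response body into entries ordered oldest first.
function parseJournal(body) {
  const data = JSON.parse(body);
  if (!Array.isArray(data.result)) throw new Error("unexpected Table API response");
  return data.result
    .map((row) => ({
      when: String(row.sys_created_on),
      who: String(row.sys_created_by),
      element: String(row.element),
      text: String(row.value),
    }))
    .sort((a, b) => a.when.localeCompare(b.when));
}

// Render entries in roughly the layout getJournalEntry() produces
// ("<timestamp> - <user> (<label>)" then the text). An approximation, not
// the platform's exact format.
const LABELS = { work_notes: "Work notes", comments: "Additional comments" };
function formatJournal(entries) {
  return entries
    .map((e) => `${e.when} - ${e.who} (${LABELS[e.element] || e.element})\n${e.text}`)
    .join("\n\n");
}

// Constructed sample response (not captured from a real instance).
const SAMPLE_RESPONSE = JSON.stringify({
  result: [
    { sys_created_on: "2023-04-12 09:15:22", sys_created_by: "integration.user", element: "work_notes", value: "Second note" },
    { sys_created_on: "2023-04-12 08:40:01", sys_created_by: "integration.user", element: "work_notes", value: "First note" },
  ],
});

const demoUrl = buildJournalUrl(INSTANCE, "u_mytask", RECORD_SYS_ID, "work_notes");
const demoEntries = parseJournal(SAMPLE_RESPONSE);
console.log(demoUrl);
console.log(formatJournal(demoEntries));
```

Two caveats for the thread's situation: the Table API read is a GET, so this assumes the calling system can issue one (the original poster says theirs can only POST), and whether the integration account can read work_notes rows at all is decided by the ACLs on sys_journal_field, which the replies above disagree about; check that table's ACL list for the specific account before relying on it.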

Thank you for your answer

"sys_journal_field" seems to require the admin role. With the admin role it works normally, but based on my attempts, the admin role is not necessary to read journal-type values.


According to the ACL on Task's "Comments and Work Notes", I added ITIL and everything became normal.


My account only has the itil and u_mytask_user (the role automatically created when creating the table) roles. With only these two roles, I can read and update normally.

Additionally, I tried creating a new journal list type field, named u_list.

Without using the "Comments and Work Notes" field of the parent table (Task), in this case, without itil and with only _mytask_user, it can also be read and written normally... For other types of fields, even without adding any roles to the account, they can be read and written normally.

I have seen that GlideRecord belongs to server-side scripts, which seem not to comply with ACLs and can directly read and write data.

However, for "Comments and Work Notes" in Task, it no longer works, but there are no errors. The value read is empty, and it can be modified through "Work Notes" (the journal input field).

This is too strange... I can't even find any reference material.