"Read Only" fields can't be updated via REST API?

carlh
Kilo Guru

Hello,

We have a nightly process that updates our CORE_COMPANY table with the latest data on our Accounting system tables.

Because we get this data from an external source, I want the fields we're updating to be read only to anyone (including Admin role). But, there are also fields that are on CORE_COMPANY table that are not on the source tables and I need people to be able to write to/edit those fields.

Do I need a client script or is there a way to set the ACL for each field?

Advice is appreciated.

Thank you

Carl

8 REPLIES

mrswann
Kilo Guru

You could allow rest_service role against the ACL, and uncheck admin override.

Yes, ACL works per field - if you want it to.

Test the back out of it!!


Chuck Tomasi
Tera Patron

Hi Carl,



A client script won't do you any good if you are using an integration to update these fields. Client scripts only apply to the browser and are not the tightest security known to man.



One or more ACLs are required to make this happen securely.



Using Access Control Rules - ServiceNow Wiki


Security Best Practices - ServiceNow Wiki


Contextual Security - ServiceNow Wiki    


We had one but there is an error on it. This was done by a vendor we hired.







I was thinking I'd add the user ID for the service account here, but do I need the condition?


For simplicity and performance, the roles can be put in the "Roles" embedded list.



The part after && can be placed in the conditions field above as:



Vendor | is | true



The service account may have to go in the script area, but that gets "AND"ed with the other two fields. For that, I would add another ACL that just calls out the service account explicitly.



gs.getUserID() == 'SYS_ID_OF_SERVICE_ACCOUNT'; // service account
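
The AND/OR behaviour described in the replies above, as a simplified model in plain JavaScript. This is an added example, not part of the original thread and not ServiceNow's own code; it covers only same-name field rules, and the `company_editor` role, the user objects and the record are constructed for illustration.

```javascript
// Simplified model of how write ACL rules for one field are combined.
// Assumption: only same-name field rules are modelled; table-level rules,
// wildcard rules and inheritance are left out.
const SERVICE_ACCOUNT = 'SYS_ID_OF_SERVICE_ACCOUNT'; // placeholder, as in the thread

// Within one rule, roles AND condition AND script must all pass.
// "Admin overrides" lets an admin pass the rule without evaluating it.
function rulePasses(rule, user, record) {
  if (rule.adminOverrides && user.roles.includes('admin')) return true;
  const rolesOk = rule.roles.length === 0 ||
    rule.roles.some((r) => user.roles.includes(r));
  const conditionOk = rule.condition ? rule.condition(record) : true;
  const scriptOk = rule.script ? rule.script(user) : true;
  return rolesOk && conditionOk && scriptOk;
}

// Rules with the same name are ORed: passing any one of them grants write.
function canWrite(rules, user, record) {
  return rules.some((rule) => rulePasses(rule, user, record));
}

const isVendor = (record) => record.vendor === true; // Vendor | is | true
const isServiceAccount = (user) => user.id === SERVICE_ACCOUNT;

// Constructed users and record; 'company_editor' is a hypothetical role name.
const integration = { id: SERVICE_ACCOUNT, roles: ['rest_service'] };
const admin = { id: 'constructed_admin_id', roles: ['admin'] };
const editor = { id: 'constructed_editor_id', roles: ['company_editor'] };
const company = { vendor: true };

// Option 1: service-account check added to the existing rule's script (ANDed).
const combined = [{ roles: ['company_editor'], condition: isVendor,
  script: isServiceAccount, adminOverrides: false }];

// Option 2: existing rule left alone, plus a second rule for the account (ORed).
const split = [
  { roles: ['company_editor'], condition: isVendor, adminOverrides: false },
  { roles: [], script: isServiceAccount, adminOverrides: false },
];

console.log('combined, integration:', canWrite(combined, integration, company));
console.log('split, integration:', canWrite(split, integration, company));
console.log('split, admin (override unchecked):', canWrite(split, admin, company));
```

With the check folded into the existing rule, the service account is denied unless it also holds the rule's role and the record matches the condition; as a separate rule it passes on its own, and an admin is still denied as long as "Admin overrides" is unchecked on both rules.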