05-23-2019 01:21 AM
Hi All,
Just want to confirm that I'm right in thinking that there are very limited controls on access to the platform REST APIs?
From my limited testing it seems like a user without any role can access the Table POST API to create a record, and a user with the standard itil role can access the GET API, and this bypasses any before-query rules.
Can anyone confirm this? It seems strange to me that the API access is just completely open by default. It shouldn't be too difficult to lock it down, but it's going to be a pain testing it out to ensure I don't break any of my integrations!
Cheers
Dave
05-23-2019 01:53 AM
snc_platform_rest_api_access: this is the new role which has deprecated the rest_service role, I guess from the K release.
Yes, the documentation says that the system enforces the ACLs by default, which is correct; however, there is one NOTE provided in the documentation, and I am just trying to understand whether your behaviour is related to the note below. Not sure whether you have the REST API ACL activated in your instance or not.
05-23-2019 01:29 AM
Hi David,
1) You need to have at least a web services related role to create or access any Table API in the system, so I am not sure what you mean by "any user without any role" can create a record; this does not sound right.
2) The query business rule will be respected even for the GET API; it depends on the CONTEXT of the integration user. If the integration user happens to have access to records via the query business rule, the user will get access; otherwise the record details won't be available.
Note: Please mark the reply as correct if it has answered your question, or mark it as helpful if it has assisted you to a certain extent.
05-23-2019 01:38 AM
Hi Deepak,
So I confirmed my before-query rules all include gs.isInteractive() in the conditions, so that explains the GET call bypassing them.
I created a user without any roles and tested POST, and I can create incident records using the Table API.
I had pretty much assumed that in order to access any of the platform REST APIs you'd need to have a specific role; it looks like that's what the snc_platform_rest_api_access role is intended to do, as per the description below, but it doesn't seem to be the case on my instance.
snc_platform_rest_api_access
Allows access to Platform Rest APIs
- Table API
- Import Set API
- Aggregate API
- Attachment API
05-23-2019 02:31 AM
Aha! Yes, the Table API ACL is inactive on my instance, so I guess I just have to activate that ACL and assign that role to all my web service users. Thanks for your help Deepak.