REST Api call returns forbidden 403 for table "gs_entitlement_plugin_mapping"
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎04-21-2022 01:00 AM
When I try to fetch records from the table "gs_entitlement_plugin_mapping", I get a response of forbidden 403:
REQUEST:
GET https://ven02248.service-now.com/api/now/v1/table/gs_entitlement_plugin_mapping?sysparm_limit=100
RESPONSE:
{
"error": {
"detail": "User is unauthorized to access table: gs_entitlement_plugin_mapping",
"message": "User Not Authorized"
},
"status": "failure",
"session": {
"debug_logs": []
}
}
I would like to understand the parameter on which the user is identified as unauthorized. And is there a way for me to get these parameter details over any REST call itself so that I can avoid making requests to such restricted tables.
Details I have checked:
I checked the mentioned table's ACLs, it doesn't have "maint" or "nobody" roles. The table is also marked for web access (ws_access=true).
(Considering the user I use has admin privileges I expect the table to be accessible, but it turns out to be unauthorized.)
Thanks,
KarthicKumar A
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎04-21-2022 01:13 AM
Try to open the table first in UI using gs_entitlement_plugin_mapping.LIST in left navigation. Verify if you have access to it in platform. My guess is, you wont have access to it and will get 'security constraints' error message. If that is indeed the case, try creating a read ACL for the table (gs_entitlement_plugin_mapping- none type) in question and see if that works.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎04-21-2022 04:14 AM
Thank you for the input. It sounds right.
I am getting the 'security constraints' error message.
I would like to know how we may be able to query and learn that any given table will face 'security constraints' via a REST request?
Because I want to allow my client service which consumes ServiceNow's REST apis to be able to know this information beforehand, to avoid any failure due to unauthorization.
As of now my client service is checking if the tables are
1. Web service access enabled
2. Does not have "maint" and "nobody" as the only A
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎04-21-2022 04:49 AM
Viral,
From the uri, Table API is being used. With Table API, the access control is the same as the specified user accessing the table from the web page. That is, if the user can access from table from the web browser, API should be able to access the table too.
>I would like to know how we may be able to query and learn that any given table will face 'security constraints' via a REST request?
So to check if the API is able to query, login using the web browser to ServiceNow instance logging in using the user name that will be used in the API call. If the user is unable to access the table, API would also not be able to access that table. If the user is able to access that table, then the API should be able to access the table too using the same username.
Excerpt from ServiceNow documentation.
The user ID that you specify in a REST endpoint call is subject to access control in the same way as an interactive user.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎04-21-2022 02:27 AM
Hi Viral,
How is API being invoked? Try opening the url from web browser. It'll probably ask to enter username and password. After entering username/password, see if the values are fetched.
If the values are retrieved, it usually implies the username/password is not properly set when making the REST API call. Ways to set username/password differ on how the API is invoked.
If it is being invoked from curl command, username and password may be included.
curl -u <replace with username>:<replace with password> https://ven02248.service-now.com/api/now/v1/table/gs_entitlement_plugin_mapping?sysparm_limit=100
If it is being called using JavaScript,
var requestBody = "";
var client=new XMLHttpRequest();
client.open("get","https://ven02248.service-now.com/api/now/v1/table/gs_entitlement_plugin_mapping?sysparm_limit=100");
client.setRequestHeader('Accept','application/json');
client.setRequestHeader('Content-Type','application/json');
var username = <username>;
var password = <password>;
client.setRequestHeader('Authorization', 'Basic '+btoa(username+':'+password));
client.onreadystatechange = function() {
if(this.readyState == this.DONE) {
document.getElementById("response").innerHTML=this.status + this.response;
}
};
client.send(requestBody);
