
‎02-23-2021 03:31 PM
I am trying to restrict an account (sn.ebond.dev) to REST API access to a custom staging table called u_ebond_incident_staging. The table (u_ebond_incident_staging) created the necessary roles and I toggled the "Allow access to this table via web service" to ON and the tables are accessible to all application scopes. When records are added to the staging table, the rows are transformed into an incident record on the incident table. The transform also reads and writes to the u_ebond_data_mapping and u_ebond_relationship tables as needed.
I have granted the account the following roles as the transform on the u_ebond_incident_staging table touches these tables:
sn_incident_read
sn_incident_write
u_ebond_incident_staging
u_ebond_data_mapping
u_ebond_relationship
Now, as a security precaution, I had to turn on (activate) the ACL "Table API" to restrict any access to the Table API unless explicitly granted. With this step all REST calls return with 403 and the reason is ACL restricted access. To get around this 403 error I have to grant the user account the role snc_platform_rest_api_access. BUT, once this role is granted to the account, the account then has access to all tables. So I am not sure how to restrict an account to only the table it's allowed to write to.

‎02-23-2021 05:34 PM
Create a new role, add the API user to that role, and give that role access to the table it needs.
https://docs.servicenow.com/bundle/paris-platform-administration/page/administer/contextual-security/concept/access-control-rules.html

‎02-23-2021 07:27 PM
Thank you for your help. But this goes a bit deeper. I'm not sure if you get notified when I reply to someone else on the threads, so please see what I replied to Keiran.

‎02-23-2021 05:41 PM
Hi,
As it's an import set table, have you considered using the Import Set API instead? You can then activate the Import Set ACL and in the role conditions add a custom ebonding role rather than using snc_platform_rest_api_access.
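
One way to check the result of the approach suggested above, as an added example that is not part of the thread or ServiceNow's own code: it probes the Table API on tables the integration account should not reach and the Import Set API on the staging table, and reports any response that differs from the intended scoping. Assumptions: the instance URL, the `u_short_description` field, `sys_user` as an unrelated table to probe, and the expectation that the Table API answers 403 while an Import Set POST answers 201.

```python
import base64
import json
import urllib.error
import urllib.request

STAGING = "u_ebond_incident_staging"  # staging table named in the thread
# Tables the account must NOT reach through the Table API. incident is only
# touched by the server-side transform; sys_user is an arbitrary unrelated
# table chosen for this example (assumption).
DENIED_TABLES = ["incident", "sys_user", STAGING]


def http_status(method, url, user, password, body=None):
    """Send one basic-auth request and return only the HTTP status code."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/json")
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403 arrive here as exceptions


def audit(instance, send):
    """Return a list of findings; an empty list means access is scoped as intended.

    send(method, url, body) -> HTTP status. Wrap http_status with the account's
    credentials for a real instance, or pass a stub when testing.
    """
    findings = []
    for table in DENIED_TABLES:
        url = f"{instance}/api/now/table/{table}?sysparm_limit=1"
        status = send("GET", url, None)
        if status != 403:
            findings.append(f"Table API on {table}: expected 403, got {status}")
    # u_short_description is a hypothetical staging column for this example.
    url = f"{instance}/api/now/import/{STAGING}"
    status = send("POST", url, {"u_short_description": "access audit probe"})
    if status != 201:
        findings.append(f"Import Set API on {STAGING}: expected 201, got {status}")
    return findings
```

The POST inserts a real staging row and runs the transform, so point it at a sub-production instance.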

‎02-23-2021 07:26 PM
I'll have to look at this more carefully. I think my issue is not understanding the ACL "Table API" ("Table API" is the name of the actual ACL in ServiceNow, I'm not referring to it in the generic sense) and activating it. As soon as I do, all REST API access is removed even though the account has explicit rights to the table in question. It appears that "Table API" ACL is a blanket ACL over all tables. If set the role associated with "Table API" see this KB that mentions it directly. It's not a well documented ACL. https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0813159
It's not 100% clear.