01-17-2025 03:36 PM
I'm building out a tool which can automate the process of creating an SN incident on behalf of a user. I first get the user's OAuth token to authorize REST API access. Now I'm able to, for example, create an incident on their behalf using a POST to the Table API.
So far so good!
Now let's say the user wants to be able to assign a user to the incident. First step: Get a list of possible users so that I can present that list in my tool.
The only way I can see to do this is to query the `sys_user` table. This works but... it seems like one of the fields that can be retrieved by this API is the 🚨🚨🚨 `user_password` 🚨🚨🚨 Oh no! This is not good. It would be a huge security risk to allow any user to just query another user's password, even if this data is hashed in some way (as it appears to be).
Is there a less dangerous way to get a list of users from the SN API?
01-19-2025 12:41 AM
Normally the field "sys_user.user_password" is secured with a separate ACL, so that only admin can read this field. In my understanding, the user which you use to receive the OAuth token should have only ITIL rights.
I assume you used an admin user to get your OAuth running. Because of that, you can receive the user_password field.
If you did not use the admin user, please verify the ACLs on the sys_user table.
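One way to act on that advice from the tool side, as an added example that is not part of this thread: request only the fields a user picker needs, and run a separate audit query that asks for `user_password` explicitly so you can confirm the token's principal gets it back empty (or not at all). The instance host and bearer token are assumed to come from environment variables; the sample records at the bottom are constructed, not real instance data.

```python
import json
import os
import urllib.parse
import urllib.request

# Fields a user picker actually needs; user_password is deliberately not requested.
SAFE_FIELDS = ["sys_id", "user_name", "name", "email"]
TABLE_PATH = "/api/now/table/sys_user"


def build_user_query_url(instance, limit=100):
    """Table API URL for the user list, restricted to non-sensitive fields."""
    params = {"sysparm_fields": ",".join(SAFE_FIELDS),
              "sysparm_query": "active=true",
              "sysparm_limit": str(limit)}
    return f"https://{instance}{TABLE_PATH}?{urllib.parse.urlencode(params)}"


def build_audit_url(instance, limit=20):
    """Audit URL that asks for user_password on purpose, to test the field ACL."""
    params = {"sysparm_fields": "sys_id,user_password", "sysparm_limit": str(limit)}
    return f"https://{instance}{TABLE_PATH}?{urllib.parse.urlencode(params)}"


def fetch_records(url, token):
    """GET a Table API URL with the user's OAuth bearer token; return 'result'."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}",
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["result"]


def audit_user_records(records):
    """sys_ids whose user_password came back non-empty for this token.
    A blank or missing value means the field-level ACL hid it, which is what
    an ITIL-only user should see; any non-empty value is a finding."""
    return [r.get("sys_id", "?") for r in records if r.get("user_password")]


# Constructed sample of what an audit response might contain (not real data).
SAMPLE_RECORDS = [
    {"sys_id": "id-1", "user_password": ""},             # hidden by ACL
    {"sys_id": "id-2", "user_password": "<hash-placeholder>"},  # readable: finding
    {"sys_id": "id-3"},                                  # field omitted entirely
]

if __name__ == "__main__":
    instance, token = os.environ["SN_INSTANCE"], os.environ["SN_TOKEN"]  # assumed
    leaked = audit_user_records(fetch_records(build_audit_url(instance), token))
    print("ACL check:", "FAIL " + ", ".join(leaked) if leaked else "OK, field hidden")
```

If the audit reports a finding, the token was issued for a principal with more than ITIL rights (or the sys_user ACLs have been changed), and the user list should not be built with that token.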
01-19-2025 06:50 AM
user_password is one-way hash encrypted and cannot be decrypted and used.
Even if you get the value, it cannot be used.
So you need not worry.
If my response helped please mark it correct and close the thread so that it benefits future readers.
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
01-22-2025 10:22 AM
Even if it's hashed, this would still be a massive security risk. Collecting enough hashes can expose the system to a straightforward cryptographic attack. Thankfully normal users do not have access to `user_password`.