REST_endpoint acl
‎04-13-2022 09:18 AM
We have a REST_endpoint acl that is only allowing read operations on the Table API. We are able to accomplish this by using the scripting option in the ACL. However, we want to only allow comments to be made on the sc_req_item table (while making everything else read-only).
If I do this at the table or field acl level (and not REST_endpoint), I don't know how to tell if it's coming from the TABLE api or not. And if we do it at the REST_endpoint level, I don't know how to tell if the update to sc_req_item table is only modifying the comment field.
Do you know how we can accomplish this?
Labels: Scripting and Coding

‎12-06-2022 09:55 AM - edited ‎12-06-2022 09:57 AM
I think I have found a way for it.
- find the ACL rule of type REST_Endpoint named "Table API"
- make it Active
- set it as Advanced, so the Script becomes available
- within the script, extract the Method and URL from current (which is an instance of com.glide.rest.domain.ServiceRequestImpl), and use them in your script according to your needs, i.e.

    var methodAndURL = String(current).split(" ");
    var method = methodAndURL[0];
    var url = methodAndURL[1];

method: GET
url: https://_instance_.service-now.com/api/now/table/_table_name_

Although there are a lot of methods in current, none of them is available in the Script except getClass; I get the JavaException: java.lang.SecurityException: Illegal access to getter method getRequestParameterMap in class com.glide.rest.domain.ServiceRequestImpl
‎11-12-2024 07:02 PM - edited ‎11-12-2024 07:08 PM
Hi @Tim34,
I'm not sure if you've already found a solution for this, but we have discovered a workaround. As suggested by @Pavel Zifcak1 above,
- Locate the ACL rule of type REST_Endpoint named "Table API" and activate it.
- Check the "Advanced" checkbox.
- In your script, use the method gs.action.getGlideURI().
- This method will return the API endpoint being called, for example, api/now/table/incident?api=api.
- If you'd like to restrict access to the incident table, you can write something like this:
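
    answer = getAccess();

    function getAccess() {
        // URI of the API endpoint being called, e.g. api/now/table/incident?api=api
        var methodAndURL = gs.action.getGlideURI().toString();
        // Deny when the URI contains 'incident'
        if (methodAndURL.indexOf('incident') != -1) {
            return false;
        } else {
            return true;
        }
    }
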
We were unable to find a way to restrict it method-wise, meaning the restriction should apply only to specific methods like GET, PUT, PATCH, etc.
Have a great day!
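
An added example, not part of any post in this thread and not ServiceNow's own code: decision logic for the "Table API" REST_Endpoint ACL script that allows GET on any table and PUT/PATCH only on a single sc_req_item record, matching the table name exactly instead of by substring and denying anything it cannot parse. It assumes, as the 12-06-2022 reply reports, that String(current) yields "METHOD URL"; the function names and the sample request lines are hypothetical, and it does not check which fields an update changes.

```javascript
// Added example: decision logic for a REST_Endpoint ACL script on "Table API".
// Assumption (from the 12-06-2022 reply): String(current) is "<METHOD> <URL>".
// Assumed wiring inside the ACL script:  answer = isAllowed(String(current));
var WRITABLE_TABLE = 'sc_req_item';              // table from the original question
var WRITE_METHODS = { PUT: true, PATCH: true };  // updates only; no POST or DELETE

// Split the request line into method, table name and optional sys_id.
// Returns null when the line is not a Table API call, so callers fail closed.
function parseRequestLine(requestLine) {
    var parts = String(requestLine).trim().split(/\s+/);
    if (parts.length !== 2) return null;
    var path = parts[1].split('?')[0].split('#')[0];   // drop query and fragment
    path = path.replace(/^[a-z]+:\/\/[^\/]+/i, '');    // drop scheme and host
    var m = /^\/?api\/now\/(?:v\d+\/)?table\/([a-z0-9_]+)(?:\/([0-9a-f]{32}))?\/?$/i.exec(path);
    if (!m) return null;
    return {
        method: parts[0].toUpperCase(),
        table: m[1].toLowerCase(),
        sysId: m[2] || null
    };
}

// true  = let the request through to the table and field ACLs
// false = reject it at the endpoint
function isAllowed(requestLine) {
    var req = parseRequestLine(requestLine);
    if (req === null) return false;                 // unparseable: deny
    if (req.method === 'GET') return true;          // reads allowed on every table
    return WRITE_METHODS[req.method] === true &&
           req.table === WRITABLE_TABLE &&          // exact match, not indexOf
           req.sysId !== null;                      // must target one record
}

// Constructed sample request lines (not captured from a real instance).
var BASE = 'https://_instance_.service-now.com/api/now/table/';
var ID = '0123456789abcdef0123456789abcdef';
var SAMPLES = [
    'GET ' + BASE + 'incident',                                      // allowed
    'PATCH ' + BASE + 'sc_req_item/' + ID,                           // allowed
    'PATCH ' + BASE + 'sc_req_item_archive/' + ID,                   // denied
    'PATCH ' + BASE + 'incident/' + ID + '?sysparm_fields=sc_req_item', // denied
    'DELETE ' + BASE + 'sc_req_item/' + ID                           // denied
];
function evaluateSamples() { return SAMPLES.map(isAllowed); }
```

Restricting the update to the comments field is left to the table and field ACLs on sc_req_item, since the thread found no way to read the request body from this script.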