
Restrict an Account Configured as Web Service Access Only to read a specific filter in User table

JR Oliver
Tera Contributor

Hi Everyone,

 

I have an account configured as Web Service Access Only.
I want this account to be able to have read-only access in our User record with a specific filter, e.g. AD Account Type = User.

I created a custom role and added it to this account.

I also created an ACL 

Type: Record

Operation: Read

Decision Type: Allow if

Name: sys_user*

Role: The custom role that I created.

Data Condition: AD Account Type  = User.

 

However, I added the custom role to a new user (without any role), impersonated it, but I am still able to read all records in our User table.

 

Appreciate your insights on this.

1 REPLY

JenniferRah
Mega Sage

As soon as you log in as the new user, it will add the snc_internal role to that user, which is probably what is allowing it to read all the roles. You'll need to have a clean user (no roles) set up as Web service access only and then run a REST call as that user to fully test your ACL.

 

Also, you will need a Read ACL for the record (sys_user) and for the fields (sys_user.*) if you want the user to be able to see the fields on the record.
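
Added example, not part of the original thread: one way to run the REST test described in the reply, by reading sys_user through the Table API as the web-service-only account with no query filter and checking what comes back. The column name `u_ad_account_type`, the instance URL and the credentials are assumptions, and the sample response is constructed.

```python
import base64, json, urllib.parse, urllib.request

# Assumptions, not from the thread: the column behind "AD Account Type"
# (u_ad_account_type is hypothetical) and the instance URL and credentials.
FIELD, ALLOWED = "u_ad_account_type", "User"

def build_request(instance, user, password, limit=1000):
    """Unfiltered sys_user read: the ACL, not the query, must do the filtering."""
    params = urllib.parse.urlencode({
        "sysparm_fields": f"sys_id,user_name,{FIELD}",
        "sysparm_display_value": "true",   # compare against the label "User"
        "sysparm_limit": limit,
    })
    req = urllib.request.Request(f"{instance}/api/now/table/sys_user?{params}")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/json")
    return req

def audit(body):
    """Split returned rows into leaked (wrong type) and unclassifiable (no field)."""
    rows = json.loads(body)["result"]
    name = lambda r: r.get("user_name") or r.get("sys_id")
    leaked = [name(r) for r in rows if FIELD in r and r[FIELD] != ALLOWED]
    unknown = [name(r) for r in rows if FIELD not in r]
    return leaked, unknown

# Constructed sample response, shaped like a Table API reply.
SAMPLE = json.dumps({"result": [
    {"sys_id": "a1", "user_name": "jdoe", FIELD: "User"},
    {"sys_id": "b2", "user_name": "svc.backup", FIELD: "Service"},
    {"sys_id": "c3", "user_name": "asmith"},
]})

if __name__ == "__main__":
    # Live run (placeholders): urllib.request.urlopen(build_request(
    #     "https://<instance>.service-now.com", "<ws_user>", "<password>")).read()
    leaked, unknown = audit(SAMPLE)
    print("rows the ACL should have hidden:", leaked)
    print("rows returned without the field:", unknown)
```

Any name in the first list means the record-level Read ACL is not restricting the account; names in the second list came back without the field, so they cannot be classified until the field-level (sys_user.*) Read ACL is checked.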