- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-20-2018 03:14 PM
So, I created a local ServiceNow user that has the snc_platform_rest_api_access role.
Here's the deal... if I give this URL to someone:
MYINSTANCE.service-now.com/api/now/table/incident?
sysparm_display_value=all&
sysparm_exclude_reference_link=true&
sysparm_fields=u_vsts_bug_number%2Cnumber%2Ccaller_id%2Cbusiness_service%2Cimpact%2Copened_at%2Cpriority%2Cassignment_group
and then provide them with the local api account username/password, that user can edit the URL to pull back all other fields too. Heck, they can simply type
MYINSTANCE.service-now.com/api/now/table/incident?sysparm_display_value=alland pull back all records.
So, how can I force (restrict) what they're able to pull back? I only want them to pull back the exact fields that I allow.
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-28-2018 11:49 AM
I got it figured out using a scripted rest api. I have the access targeted to the exact table and fields as needed, all without having to edit/create a single ACL rule. I would share the process but it would deserve its own write-up with screenshots and code examples, but it's dynamic and can be used anywhere I need this type of functionality. Thanks for allowing me to talk this out and eventually figuring it out.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-20-2018 03:25 PM
Yes, that's what I was really wondering about too.. scripted API. I've built a ton of them for some automation projects I've done before. I was actually wondering if I could create a scripted API and then give access to THAT.. via api. lol
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-27-2018 06:47 PM
Just checking on on this one. Has this question been answered or is there more information I can help you with? If it's been answered, please mark the answer above as the correct one so people know this has been taken care of. Thanks!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-28-2018 11:49 AM
I got it figured out using a scripted rest api. I have the access targeted to the exact table and fields as needed, all without having to edit/create a single ACL rule. I would share the process but it would deserve its own write-up with screenshots and code examples, but it's dynamic and can be used anywhere I need this type of functionality. Thanks for allowing me to talk this out and eventually figuring it out.
