Hey @Rupa4 

In earlier versions, ServiceNow automatically applied a default ACL such as Scripted REST External Default behind the scenes. In Zurich and later, you must explicitly select a Default ACL to ensure proper access control.

What you should do

For your ebonding integration:

• Navigate to your Scripted REST API record
• Open the Security tab
• In the Default ACLs field, select
  Scripted REST External Default
• Click Update

Why this is required

The Default ACL is used when:

    Requires authentication is enabled

    Requires ACL authorization is enabled

    No resource-level ACL is defined

This ensures that at least one ACL is evaluated before granting access.

Approach

Specific to your use case

1. Since this is an external ebonding integration:
2. Use Scripted REST External Default
3. Use a dedicated integration user (with minimal roles)
4. Enable authentication (Basic or OAuth)

General best practice

1. Do not rely only on Default ACLs. For better control:
2. Create resource-level ACLs for your API
3. Restrict access using roles like x_company_integration_user
4. Add conditions or script-based validation if needed

Example ACL script:

answer = gs.hasRole('x_company_integration_user');

***************************************************************************************************************************

If this response helps, please mark it as Accept as Solution and Helpful.

Doing so helps others in the community and encourages me to keep contributing.

Regards

Vaishali Singh

Servicenow Developer
Linkedin - https://www.linkedin.com/in/vaishali-singh-2273361bb

Hello Rupa,

For most bidirectional or inbound ebonding scenarios, it’s advisable to select "Require Authentication" as the Default ACLs setting. Ensure your integration user, which acts as the remote system’s service account, has:

- A dedicated role (e.g., x_your_scope.ebonding_user) or a relevant baseline role like itil, scoped to the needs of your application.

- Write access to your target table (such as incident, change_request, or a custom ebonding staging table).

- Optionally, resource-level ACLs to restrict which endpoints the service account can access.

**Step-by-Step Guide to Creating the Scripted REST API in Zurich**

1. Navigate to System Web Services → Scripted REST APIs → New.

2. Complete the required fields:

- Name (e.g., "EBonding Incident API")

- API ID (auto-populated, editable)

- Application (choose your scoped app or Global)

- Default ACLs (select "Require Authentication"; this is now mandatory)

3. Save the API header record.

4. Under the Resources tab, create a new resource:

- Name (e.g., "createOrUpdate")

- HTTP Method (POST for creating, PUT for updating)

- Relative Path (e.g., /sync)

- Script (insert your handler script)

**Minimal Resource Script Template Example**

The handler script should validate incoming data, check for required fields, update existing records if they exist, or create new ones as needed. The script also returns appropriate status codes and messages to the caller.

**Scoped Application Considerations**

If your Scripted REST API is part of a scoped application, verify that Application Access is set appropriately (either for all application scopes or limited to your own). Additionally, confirm that the integration service account is granted the scoped app’s role, as global roles may not suffice under Zurich’s stricter access controls.

Ultimately, Zurich’s requirement for explicit ACLs is designed to prevent inadvertent exposure of APIs. 

Hi @Rupa4 

With the Zurich release, the Default ACLs field for Scripted REST APIs is now mandatory, ensuring integrations follow a secure-by-default approach.

This change helps prevent custom endpoints from being exposed without proper authorization.\

Scripted REST API roles