Service Catalog API - how can I control which catalog items an API can submit?

Jeff316 · ‎11-12-2018

We have an internal IT group that wants to submit catalog requests (for existing catalog items) using the API. We want to be able to control which catalog items they can submit. Ideally we would like to do that per the User ID we give them so maybe it can follow the User Criteria applied to each catalog item? Such as SC_API_USER has access to 7 of 10 catalog items. If that's not possible how to we control what they do with that Service Catalog API at the record level to what they can see with it?

Jeff316 · ‎11-15-2018

When I read the doc, it talks about setting the API itself to require ACL authorization but those fields are all read-only, as you stated.

I saw one post by Chuck Tomasi about using the ACL for type = "end_point" but in that particular post he didn't know how it was used.

Navigate to System Web Services > Scripted REST APIs.
Select a scripted REST API record.
In the Resources related list, select a resource.
In the Security tab, select the Requires authentication check box.
This check box must be selected to require an ACL. Clear this check box to allow unauthenticated requests to access the resource, even if the parent REST service requires an ACL.
Select the Requires ACL authorization check box.
In the ACL field, select one or more ACLs that have a Type value of REST_Endpoint.
Selecting an ACL for an resource overrides any ACLs selected for the parent web service. Leave this field blank to use the ACLs selected for the parent web service.

Jeff316 · ‎11-15-2018

Maybe I'm getting close?

Jeff316 · ‎11-15-2018

Don't know what this means but the Scripted Rest API for List Query DOES let you assign ACL where the one for Service Catalog does NOT.

Jeff316 · ‎11-13-2018

This is going to be a long day.
Everything I read in the docs does not work.
I can't modify anything just to do a little trial and error.
I can't disable anything to see if I can even affect anything.