SOAP Scripted Web Service - Security

maddyroberts
Kilo Contributor

Hi,

I'm having a play around with SOAP scripted web services and am a bit confused by the security side of things.

In our test environment I've created a user and given them all the SOAP roles.

I created a simple scripted web service which requires you to input a request number - it then queries a table that I've specified and returns a couple of outputs.

We have strict security enabled.

When I test the service using SoapUI I get a response and it returns results for me - which is good - except that the user I'm using to authenticate with only has SOAP roles and does not have, or should not have, access via ACLs on the table that I'm querying - so I wouldn't expect it to be able to give me any results? Am I correct in thinking that if strict security is enabled then ACLs will come into play - or does just having SOAP roles give the access?

Thanks

Maddy

3 REPLIES

johnlbevan
Kilo Contributor

Hey Maddy,

I believe SN's security model is such that if you have access to the web services, you have access to everything; i.e. ACLs are ignored.

REST API - ServiceNow Wiki

That said, there seems to be something called Contextual Security, which seems to improve things where SOAP access is concerned: http://wiki.servicenow.com/index.php?title=Inbound_SOAP_Web_Service_Security#Web_Service_User_Roles&...

I'm struggling to fully understand the documentation though, so am about to ask a related question here... but hopefully the above will be of some help to you?

Good luck!

JB

Update: Question logged: Permissions when using SN's Web Services


josh_nerius
ServiceNow Employee

Hi Maddy,

When working with Scripted SOAP, the scripts you write execute "as system". This is similar to the behavior you might see in a Business Rule, where the code you write may be able to take actions on records that the user doesn't have direct access to.

When writing Scripted Web Services, there are a few things you can do to ensure ACLs are enforced:

1. Use GlideRecordSecure when writing queries that return data

2. Use GlideRecord's canRead(), canWrite() and similar methods to check a user's access before returning the data

One question: are you doing additional processing in your Scripted SOAP service that cannot be achieved with the default SOAP/REST services provided by the platform? If you can avoid building a Scripted SOAP service, this would be preferable.
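The difference between the three approaches in this thread, as an added example (not code from the thread or from ServiceNow). The three `lookup*` functions are the shape of a scripted web service script: the first is what Maddy described (plain GlideRecord, so the query runs as system and the SOAP-only user still gets rows back), the other two are Josh's options 1 and 2. Everything below the handlers is a constructed in-memory stand-in for GlideRecord / GlideRecordSecure so the file runs under Node; the table `u_request`, the record numbers, the role names and the single table-level read ACL are all made up for the example, and the stand-in is not ServiceNow's implementation.

```javascript
// Added example, not from the thread or from ServiceNow. The handlers use the
// real method names (addQuery, query, next, getValue, canRead); the classes at
// the bottom are a constructed stand-in that models only "runs as system" vs.
// "table-level read ACL enforced" so the file executes outside the platform.

// --- Scripted web service handlers. In ServiceNow you would read the input from
// --- `request.number` and assign to `response.<field>` instead of returning.

// As in the question: GlideRecord inside a scripted service ignores ACLs, so the
// SOAP-only caller is handed the record anyway.
function lookupAsSystem(requestNumber) {
  const gr = new GlideRecord('u_request');
  gr.addQuery('number', requestNumber);
  gr.query();
  if (gr.next()) {
    return { found: true, short_description: gr.getValue('short_description') };
  }
  return { found: false };
}

// Option 1: GlideRecordSecure drops rows the calling user may not read.
function lookupSecure(requestNumber) {
  const gr = new GlideRecordSecure('u_request');
  gr.addQuery('number', requestNumber);
  gr.query();
  if (gr.next()) {
    return { found: true, short_description: gr.getValue('short_description') };
  }
  // Same answer for "no such record" and "not authorised", so the response
  // does not reveal whether the record exists.
  return { found: false };
}

// Option 2: plain GlideRecord plus an explicit canRead() check before any
// field value is copied into the response.
function lookupWithCanRead(requestNumber) {
  const gr = new GlideRecord('u_request');
  gr.addQuery('number', requestNumber);
  gr.query();
  if (gr.next() && gr.canRead()) {
    return { found: true, short_description: gr.getValue('short_description') };
  }
  return { found: false };
}

// --- Constructed stand-in for the platform API (hypothetical table and ACL data).

const TABLES = {
  u_request: [
    { number: 'REQ0001', short_description: 'Laptop for new starter' },
    { number: 'REQ0002', short_description: 'VPN access for contractor' },
  ],
};
// Constructed read ACL: reading u_request requires one of these roles.
const READ_ACL = { u_request: ['itil'] };

// The authenticated caller. Starts as the question's user: SOAP roles only.
let currentUser = { name: 'soapuser', roles: ['soap', 'soap_query'] };
function setCurrentUser(user) { currentUser = user; }

function callerCanRead(table) {
  return (READ_ACL[table] || []).some((role) => currentUser.roles.includes(role));
}

class GlideRecord {
  constructor(table) { this.table = table; this.filters = []; this.rows = []; this.idx = -1; }
  addQuery(field, value) { this.filters.push([field, value]); }
  // Runs as system: every matching row is returned regardless of the caller.
  query() {
    this.rows = (TABLES[this.table] || []).filter((row) =>
      this.filters.every(([field, value]) => row[field] === value));
    this.idx = -1;
  }
  next() { this.idx += 1; return this.idx < this.rows.length; }
  getValue(field) { return String(this.rows[this.idx][field]); }
  canRead() { return callerCanRead(this.table); }
}

// Applies the read ACL at query time, so unauthorised rows never reach next().
class GlideRecordSecure extends GlideRecord {
  query() {
    super.query();
    if (!callerCanRead(this.table)) this.rows = [];
  }
}
```

With the SOAP-only caller, `lookupAsSystem('REQ0001')` finds the record while `lookupSecure` and `lookupWithCanRead` both report not found; give the caller the `itil` role (via `setCurrentUser`) and all three return the description. On the real platform GlideRecordSecure also honours field-level read ACLs, blanking fields the user may not see, which this table-level stand-in does not model.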