Hi Mithun,
Yes it does, When you setup ACL's you don't have to provide the rest_service role and it guarantees that access is only provided to scripted REST API and the user cannot access other web services.
Here is a sample ACL
You should tag the new_rest_role to a group or user and the Rest_Endpoint ACL in your REST API. This ensures that users with new_rest_role only have access to the specific API.
Thanks
Please Hit like, Helpful or Correct depending on the impact of the response
Hi Mithun,
By default the soap or rest_service roles give the user control over all tables that have web services enabled or read ACL access. You can prevent access by ACL's but it is a bad approach. Most times the external systems only query the URL provided by us(web service import sets) and they do not bother accessing other tables but yes it is a security concern.
If you are very specific about access to other tables, then you should go for Scripted Rest API's and it provides a good feature of default ACL in it. You can define a specific role who can send inbound requests to Service Now and this should help you out.
Thanks
Please Hit like, Helpful or Correct depending on the impact of the response
