The Zurich release has arrived! Interested in new features and functionalities? Click here for more

A user with soap role has access to all the tables. How to restrict that user to only one table? is it possible with REST?

Go to solution
pkmithun
Kilo Contributor

‎03-14-2017 12:50 AM

A user with soap role has access to all the tables. How to restrict that user to only one table? is it possible with REST? - with ACL user access can be restricted to one table. however, user may have access to other tables.

Labels:
0 Helpfuls
  • 6,085 Views
1 ACCEPTED SOLUTION

Go to solution
Alikutty A
Tera Sage
In response to pkmithun

‎03-15-2017 12:46 AM

Hi Mithun,



Yes it does, When you setup ACL's you don't have to provide the rest_service role and it guarantees that access is only provided to scripted REST API and the user cannot access other web services.



Here is a sample ACL



rest_api.jpg



You should tag the new_rest_role to a group or user and the Rest_Endpoint ACL in your REST API. This ensures that users with new_rest_role only have access to the specific API.



Thanks


Please Hit like, Helpful or Correct depending on the impact of the response


View solution in original post

Preview file
57 KB
11 REPLIES 11

Go to solution
Rushit Patel2
Tera Guru

‎03-14-2017 03:21 AM

can you please explain little more..what you are trying to do here.


0 Helpfuls

Go to solution
pkmithun
Kilo Contributor

‎03-14-2017 04:40 AM

for eg - I have a scripted web service created which is to update RITM table. A user credential is created for authentication with soap role. But with this credential all the other tables are accessible through web services by just changing the table names in the URL. Is there any way to prevent this?


0 Helpfuls

Go to solution
Alikutty A
Tera Sage

‎03-14-2017 04:47 AM

Hi Mithun,



By default the soap or rest_service roles give the user control over all tables that have web services enabled or read ACL access. You can prevent access by ACL's but it is a bad approach. Most times the external systems only query the URL provided by us(web service import sets) and they do not bother accessing other tables but yes it is a security concern.



If you are very specific about access to other tables, then you should go for Scripted Rest API's and it provides a good feature of default ACL in it. You can define a specific role who can send inbound requests to Service Now and this should help you out.



scripted.jpg



Thanks


Please Hit like, Helpful or Correct depending on the impact of the response


Preview file
55 KB

Go to solution
pkmithun
Kilo Contributor
In response to Alikutty A

‎03-14-2017 11:41 PM

Thanks Ali!



But does this restrict access to other web services. What I understood is this restricts access only to this web service.


0 Helpfuls