‎03-14-2017 12:50 AM
A user with the soap role has access to all the tables. How to restrict that user to only one table? Is it possible with REST? With ACL, user access can be restricted to one table. However, the user may have access to other tables.
Labels: Security Operations
‎03-15-2017 12:46 AM
Hi Mithun,
Yes, it does. When you set up ACLs, you don't have to provide the rest_service role, and it guarantees that access is only provided to the scripted REST API and the user cannot access other web services.
Here is a sample ACL
You should tag the new_rest_role to a group or user and the Rest_Endpoint ACL in your REST API. This ensures that users with new_rest_role only have access to the specific API.
Thanks
Please Hit like, Helpful or Correct depending on the impact of the response
‎03-14-2017 03:21 AM
Can you please explain a little more what you are trying to do here?
‎03-14-2017 04:40 AM
For example, I have a scripted web service created which is to update the RITM table. A user credential is created for authentication with the soap role. But with this credential all the other tables are accessible through web services by just changing the table names in the URL. Is there any way to prevent this?
‎03-14-2017 04:47 AM
Hi Mithun,
By default, the soap or rest_service roles give the user control over all tables that have web services enabled or read ACL access. You can prevent access by ACLs, but it is a bad approach. Most times the external systems only query the URL provided by us (web service import sets) and they do not bother accessing other tables, but yes, it is a security concern.
If you are very specific about access to other tables, then you should go for Scripted REST APIs, and it provides a good feature of default ACL in it. You can define a specific role who can send inbound requests to ServiceNow and this should help you out.
Thanks
Please Hit like, Helpful or Correct depending on the impact of the response
‎03-14-2017 11:41 PM
Thanks Ali!
But does this restrict access to other web services? What I understood is this restricts access only to this web service.