A user with soap role has access to all the tables. How to restrict that user to only one table? Is it possible with REST?

pkmithun
Kilo Contributor

A user with soap role has access to all the tables. How to restrict that user to only one table? Is it possible with REST? With ACL, user access can be restricted to one table. However, the user may have access to other tables.

1 ACCEPTED SOLUTION

Hi Mithun,



Yes it does. When you set up ACLs you don't have to provide the rest_service role, and it guarantees that access is only provided to the scripted REST API and the user cannot access other web services.



Here is a sample ACL



[Image: rest_api.jpg]



You should tag the new_rest_role to a group or user and the Rest_Endpoint ACL in your REST API. This ensures that users with new_rest_role only have access to the specific API.



Thanks


Please Hit like, Helpful or Correct depending on the impact of the response
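
A client-side check of the scoping described in this answer, as an added example that is not part of the original post: it probes the REST Table API with the integration credential and reports every table that still answers. The instance URL, the Scripted REST API path and the table list are placeholders.

```python
import base64
import json
import urllib.error
import urllib.request

# Placeholders (assumptions, not values from the thread).
INSTANCE = "https://instance.example"
ALLOWED_PATH = "/api/x_example/ritm_update"  # hypothetical Scripted REST API path
PROBE_TABLES = ["incident", "sys_user", "sc_req_item"]


def count_rows(raw):
    """Number of records in a Table API style body: {"result": [...]}."""
    try:
        result = json.loads(raw).get("result", [])
    except (ValueError, AttributeError):  # empty, non-JSON or non-object body
        return 0
    return len(result) if isinstance(result, list) else int(bool(result))


def fetch(url, user, password):
    """Authenticated GET; returns (HTTP status, record count)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Authorization": f"Basic {token}", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, count_rows(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, 0


def audit(user, password, fetch_fn=fetch, instance=INSTANCE,
          allowed_path=ALLOWED_PATH, tables=PROBE_TABLES):
    """Return findings; an empty list means the account is scoped as intended."""
    findings = []
    status, _ = fetch_fn(instance + allowed_path, user, password)
    if status in (401, 403):
        findings.append(f"BROKEN: {allowed_path} returned HTTP {status}")
    for table in tables:
        url = f"{instance}/api/now/table/{table}?sysparm_limit=1"
        status, rows = fetch_fn(url, user, password)
        if 200 <= status < 300 and rows:
            findings.append(f"LEAK: {table} returned data (HTTP {status})")
        elif 200 <= status < 300:
            findings.append(f"REVIEW: {table} reachable, no rows (HTTP {status})")
    return findings
```

Call `audit()` with the integration account's credentials after each role or ACL change; `fetch_fn` accepts a stub so the logic can be exercised offline.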



11 REPLIES

Rushit Patel2
Tera Guru

Can you please explain a little more what you are trying to do here?


pkmithun
Kilo Contributor

For example, I have a scripted web service created which is to update the RITM table. A user credential is created for authentication with the soap role. But with this credential all the other tables are accessible through web services by just changing the table names in the URL. Is there any way to prevent this?


Alikutty A
Tera Sage

Hi Mithun,



By default the soap or rest_service roles give the user control over all tables that have web services enabled or read ACL access. You can prevent access by ACLs but it is a bad approach. Most times the external systems only query the URL provided by us (web service import sets) and they do not bother accessing other tables, but yes, it is a security concern.



If you are very specific about access to other tables, then you should go for Scripted REST APIs, which provide a good feature of a default ACL. You can define a specific role who can send inbound requests to ServiceNow and this should help you out.



[Image: scripted.jpg]



Thanks


Please Hit like, Helpful or Correct depending on the impact of the response


Thanks Ali!



But does this restrict access to other web services? What I understood is this restricts access only to this web service.