How can I restrict HR table access to one table during a REST call?

Shane J
Tera Guru

I've set up an Endpoint for a GET of specific records from the sn_hr_core_case_talent_management table.

The service account that should have that access should ONLY have that access, but right now it seems like it's all or nothing.

I started with giving it Role: sn_hr_core.case_reader, which works but also gives it access to all the HR tables.

I tried creating a custom (scoped) Role, and gave it its own Read ACL. Could not read.

I then tried adding that service account to a record I put in the appropriate COE. No change.

Am I missing something here, or would I have to start modifying the OOTB HR Script Includes that the existing ACLs are using (which is obviously not ideal)?


Shivalika
Mega Sage

Hello @Shane J

Obviously modifying ACLs is fine. But have you tried setting up error messages based on the data they are trying to query?

Like, they should be giving input by request body, query parameter or path parameter, so you can definitely check which table it is querying and set an error message for it.

Like this you are obstructing it from showing the response, which is quite easy. Please let me know if you tried this way.

Kindly mark my answer as helpful and accept solution if it helped you in any way. This will help me be recognized for the efforts and also move this question from unsolved to solved bucket.

Regards,

Shivalika

My LinkedIn - https://www.linkedin.com/in/shivalika-gupta-540346194

My youtube - https://youtube.com/playlist?list=PLsHuNzTdkE5Cn4PyS7HdV0Vg8JsfdgQlA&si=0WynLcOw
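The table-name check this reply suggests, written out as an added example that is not from the thread or from ServiceNow's own code: it assumes a Scripted REST Resource with relative path /{table}/{sys_id}, a constructed allowlist containing only sn_hr_core_case_talent_management, and the platform's scripted REST objects (request, response, sn_ws_err, GlideRecordSecure) only where the resource script uses them.

```javascript
// Added example (not from the thread): allowlist the one HR table this
// integration may read, and reject everything else before touching data.
// ALLOWED_TABLES is a constructed allowlist; sn_ws_err, GlideRecordSecure and
// the request/response objects exist only inside ServiceNow, so the validation
// itself is kept in a plain function that can be tested outside the platform.
var ALLOWED_TABLES = { sn_hr_core_case_talent_management: true };
var SYS_ID_RE = /^[0-9a-f]{32}$/;

// Returns { ok: true, table, sysId } or { ok: false, status, message }.
function validateRequest(pathParams, queryParams) {
  var table = String((pathParams && pathParams.table) || '');
  // Exact-name allowlist; hasOwnProperty keeps 'constructor' etc. from matching.
  if (!Object.prototype.hasOwnProperty.call(ALLOWED_TABLES, table)) {
    // Generic message: neither confirm nor deny that other HR tables exist.
    return { ok: false, status: 403, message: 'Access to the requested resource is not permitted' };
  }
  var sysId = String((pathParams && pathParams.sys_id) || '');
  if (!SYS_ID_RE.test(sysId)) {
    return { ok: false, status: 400, message: 'sys_id must be a 32-character hex value' };
  }
  // This endpoint serves one record by sys_id; refuse caller-supplied encoded queries.
  if (queryParams && Object.prototype.hasOwnProperty.call(queryParams, 'sysparm_query')) {
    return { ok: false, status: 400, message: 'sysparm_query is not supported on this endpoint' };
  }
  return { ok: true, table: table, sysId: sysId };
}

// Resource script body: inside ServiceNow, call this from the usual
// (function process(request, response) { ... })(request, response); wrapper.
function handleRequest(request, response) {
  var check = validateRequest(request.pathParams, request.queryParams);
  if (!check.ok) {
    var err = new sn_ws_err.ServiceError();
    err.setStatus(check.status);
    err.setMessage(check.message);
    return err;
  }
  // GlideRecordSecure still enforces the read ACLs for the calling account.
  var gr = new GlideRecordSecure(check.table);
  if (!gr.get(check.sysId)) {
    return new sn_ws_err.NotFoundError('No record found');
  }
  response.setStatus(200);
  response.setBody({ sys_id: gr.getUniqueValue(), number: gr.getValue('number') });
}
```

As the follow-up reply in this thread points out, this only narrows what this one endpoint returns; an account holding sn_hr_core.case_reader can still read the other HR tables through /api/now/table, so the table-level read restriction itself has to come from ACLs or COE security policies.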


I'm not sure what to provide in response.

My test user can hit the endpoint regardless - I have the script set up to give a response that says there are no records if the query doesn't exist. That's the response they get now if they don't have case_reader.

As soon as I give them case_reader, the endpoint returns a list of records, but if they know anything about how the API works they can just go to: /api/now/table/<hr tablename> and get back everything.

So I know it's an ACL issue, I'm just not sure of the best approach to being more surgical with the access.

Dennis Ford
Giga Guru

Instead of customizing ACLs, have you considered using COE Security Policies? Create a read policy on the general case (sn_hr_core_case) and include all your HR groups (or have all other groups roll to a parent for easier maintenance) except the group to which the service account belongs. Create another read policy for sn_hr_core_case_talent_management and include a group to which your service account belongs.

I created a new Group, put the service account under it, and added it to an already existing COE that should have provided Read to the table but it didn't have any effect when attempting to hit the table via API.