How can I restrict HR table access to one table during a REST call?
03-19-2025 07:30 AM - edited 03-19-2025 07:30 AM
I've set up an endpoint for a GET of specific records from the sn_hr_core_case_talent_management table.
The service account that should have that access should ONLY have that access, but right now it seems like it's all or nothing.
I started with giving it Role: sn_hr_core.case_reader
Which works but also gives it access to all the HR tables.
I tried creating a custom (scoped) Role and gave it its own Read ACL. Could not read.
I then tried adding that service account to a record I put in the appropriate COE. No change.
Am I missing something here, or would I have to start modifying the OOTB HR Script Includes that the existing ACLs are using (which is obviously not ideal)?
03-19-2025 08:09 AM
Hello @Shane J
Obviously modifying ACLs is fine. But have you tried setting up error messages based on the data they are trying to query?
They should be giving input by request body, query parameter or path parameter, so you can definitely check which table it is querying and set an error message for it.
Like this you are obstructing it from showing a response, which is quite easier. Please let me know if you tried this way.
Kindly mark my answer as helpful and accept the solution if it helped you in any way. This will help me be recognized for the effort and also move this question from the unsolved to the solved bucket.
Regards,
Shivalika
My LinkedIn - https://www.linkedin.com/in/shivalika-gupta-540346194
My YouTube - https://youtube.com/playlist?list=PLsHuNzTdkE5Cn4PyS7HdV0Vg8JsfdgQlA&si=0WynLcOwNeEISQCY
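The "check which table is being queried and return an error" approach from the reply above, written out as an added example. This is not code from the thread or from ServiceNow; it is plain JavaScript so it runs offline. The request shape ({ pathParams: { table, sys_id } }), the allow-list, the injected lookup callback and the sample records are all assumptions made for this example. In a real Scripted REST resource the lookup would wrap a GlideRecordSecure query so the calling user's ACLs still apply.

```javascript
// Added example (not from the thread or from ServiceNow): validate which table a
// scripted REST resource is asked to query and refuse anything outside an
// explicit allow-list. Request shape, allow-list, lookup callback and sample
// records are assumptions made for this example.

// Tables this endpoint is allowed to serve (assumed for the example).
const ALLOWED_TABLES = new Set(['sn_hr_core_case_talent_management']);

// A sys_id is 32 lowercase hex characters; anything else is rejected before
// it is used in a query.
const SYS_ID_RE = /^[0-9a-f]{32}$/;

// Core handler. `lookup(table, sysId)` is injected so the validation logic can
// run offline; in ServiceNow it would wrap a GlideRecordSecure query so that
// ACLs are still enforced for the calling user (assumed wiring, not shown).
function handleRequest(request, lookup) {
  const params = (request && request.pathParams) || {};
  const table = String(params.table || '');
  const sysId = String(params.sys_id || '');

  // Refuse any table outside the allow-list, regardless of the caller's roles.
  if (!ALLOWED_TABLES.has(table)) {
    return { status: 403, body: { error: 'Table not permitted on this endpoint' } };
  }
  // Refuse malformed identifiers instead of passing them through to a query.
  if (!SYS_ID_RE.test(sysId)) {
    return { status: 400, body: { error: 'Invalid sys_id' } };
  }
  const record = lookup(table, sysId);
  if (!record) {
    // Same behaviour the original poster describes: no record, no data.
    return { status: 404, body: { error: 'No records found' } };
  }
  return { status: 200, body: { result: record } };
}

// Constructed sample data standing in for the HR tables (not real records).
const SAMPLE_RECORDS = {
  sn_hr_core_case_talent_management: {
    '0123456789abcdef0123456789abcdef': {
      number: 'HRC0010001',
      short_description: 'Talent review request',
    },
  },
  // Present so a caller can see that the allow-list, not missing data, blocks it.
  sn_hr_core_case: {
    ['f'.repeat(32)]: { number: 'HRC0020002' },
  },
};

function sampleLookup(table, sysId) {
  const rows = SAMPLE_RECORDS[table] || {};
  return rows[sysId] || null;
}

// Example calls: one permitted table, one table the endpoint refuses to serve.
const ok = handleRequest(
  { pathParams: { table: 'sn_hr_core_case_talent_management', sys_id: '0123456789abcdef0123456789abcdef' } },
  sampleLookup);
const blocked = handleRequest(
  { pathParams: { table: 'sn_hr_core_case', sys_id: 'f'.repeat(32) } },
  sampleLookup);
console.log(ok.status, blocked.status);
```

This only narrows what the scripted resource itself will return. A caller holding sn_hr_core.case_reader can still call the Table API at /api/now/table/<table> directly, as the original poster notes further down, so the table-level boundary has to come from ACLs or COE security policies; the endpoint check is defence in depth on top of that, not a substitute.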
03-19-2025 11:08 AM
I'm not sure what to provide in response.
My test user can hit the endpoint regardless - I have the script set up to give a response that says there are no records if the query doesn't exist. That's the response they get now if they don't have case_reader.
As soon as I give them case_reader, the endpoint returns a list of records, but if they know anything about how the API works they can just go to: /api/now/table/<hr tablename> and get back everything.
So I know it's an ACL issue, I'm just not sure the best approach to being more surgical with the access.
03-19-2025 12:41 PM
Instead of customizing ACLs, have you considered using COE Security Policies? Create a read policy on the general case (sn_hr_core_case) and include all your HR groups (or have all other groups roll up to a parent for easier maintenance) except the group to which the service account belongs. Create another read policy for sn_hr_core_case_talent_management and include a group to which your service account belongs.
03-19-2025 12:57 PM
I created a new Group, put the service account under it, and added it to an already existing COE that should have provided Read to the table, but it didn't have any effect when attempting to hit the table via the API.