ACL on table API and Cart API
01-19-2025 05:01 AM
Hi Team,
I need only a set of users (with the 'x' custom role) to be able to access the Table API for all tables except the incident and event tables for the 'post, put, patch' methods.
I know there is an OOTB ACL which is inactive; it can be activated and the 'x' role can be added to it, but it affects all tables. How do I exclude the incident and event tables? I am stuck on adding a condition so that the ACL below does not apply to the incident and event tables.
Or is there any other way?
Also, I need the 'Cart API' to be accessible only by a set of users ('y' custom role). How do I achieve this?
Uses of activating OOB 'Table API' ACL. - Support and Troubleshooting - Now Support Portal

01-19-2025 05:11 AM
Hi,
Switch to using the newer REST API Access Policies as they allow you to control granular access.
01-19-2025 06:46 AM
For all tables except incident and event? Which other tables are you talking about?
You will have to ensure you have the correct table-level UPDATE and CREATE ACLs so that only the users to whom you want to give access create the records via the Table API.
What's your requirement around cart API?
If my response helped please mark it correct and close the thread so that it benefits future readers.
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
01-19-2025 11:06 PM
In the article I have given, there is an OOTB ACL for the Table API, but that's for all tables which are going to use the Table API.
So incident and event also use the Table API; when I do some customization on that ACL, it should not impact incident and event when someone uses the Table API to create records in incident and event.
Coming to the Cart API, only users with a specific role should be able to access the Cart API.
01-19-2025 11:20 PM
Since it's an OOB ACL, I won't recommend updating that.
If you update it, then it will impact other tables as well, since the OOB ACL might be used by other tables as well.
Cart API is an OOB API. I don't think you can restrict that.
One thing you can do is validate using a before insert BR on the REQ and RITM tables and see if the REQ and RITM are getting submitted by a user with the correct role if it comes from the API.
If my response helped please mark it correct and close the thread so that it benefits future readers.
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
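
The before-insert Business Rule check suggested in the last reply, sketched as an added example (not part of the thread and not ServiceNow's own code). It assumes the rule is attached to `sc_request` and `sc_req_item`, that `'y'` is the placeholder custom role from the question, and that a non-interactive session stands in for "came from an API"; the function names are hypothetical.

```javascript
// Added example. REQUIRED_ROLE is the thread's placeholder role name 'y'.
var REQUIRED_ROLE = 'y';

// Decide whether an insert should be rejected.
// gs is the GlideSystem object available to server-side scripts.
function shouldBlockCartInsert(gs, requiredRole) {
    // Assumption: REST/SOAP sessions are non-interactive, UI sessions are
    // interactive. Inserts made from the UI are left to the normal ACLs.
    if (gs.isInteractive()) {
        return false;
    }
    // Caveat: gs.hasRole() also returns true for admin users.
    return !gs.hasRole(requiredRole);
}

// Apply the decision to the record being inserted.
// Returns true when the insert was aborted.
function enforceCartRole(current, gs, requiredRole) {
    if (!shouldBlockCartInsert(gs, requiredRole)) {
        return false;
    }
    // Leave an audit trail so denied API submissions can be reviewed.
    gs.warn('Blocked non-interactive insert on ' + current.getTableName() +
            ' by ' + gs.getUserName() + ': missing role ' + requiredRole);
    gs.addErrorMessage('Role ' + requiredRole + ' is required to submit via API');
    current.setAbortAction(true); // cancels the pending insert
    return true;
}

// Inside the Business Rule (When: before, Insert: true), the script field
// would call the helper like this:
//
// (function executeRule(current, previous) {
//     enforceCartRole(current, gs, REQUIRED_ROLE);
// })(current, previous);
```

Other non-interactive writers, such as scheduled jobs or integrations that create requests, hit the same check, so the account they run as needs the role or the condition needs narrowing.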