
How to allow restricted data access through REST API for Incident tickets

JC S_
Mega Guru

We are planning to provide REST API access to a limited set of incident tickets - for example, allow access only to tickets assigned to a group. How should we set this up? Currently, we have provided our partner's account with the web_service_admin and itil roles, and they can pull data and push updates for any tickets in the incident table - which is definitely not what we want. It should be that they can only get data for tickets assigned to a specific group and push updates for those tickets as well.


DilipKumar DJ
Kilo Guru

Hi Jimboy,

You can try creating an ACL with a condition related to the specific group and restricting the web_service_admin role.


Hi Dilip,

1) How can we set up an ACL that restricts access to tickets assigned to a group?

2) Should we modify the web_service_admin role (kind of hesitant to do this since it is OOTB and we want to minimize impact on future upgrades of the system), or should we create a new role based on the web_service_admin role but with the restrictions we require?


Dave Smith1
ServiceNow Employee

Jimboy Sioson wrote:

Hi Dilip,

1) How can we set up an ACL that restricts access to tickets assigned to a group?


Sounds like you need read ACLs on incident fields with a condition that the ticket belongs to a specific assignment group. The ACL(s) should permit access to those fields only, and the condition should disallow tickets belonging to another group.


2) Should we modify the web_service_admin role (kind of hesitant to do this since it is OOTB and we want to minimize impact on future upgrades of the system), or should we create a new role based on the web_service_admin role but with the restrictions we require?


Latter. In fact, ignore the web_service_admin role - create another role with the permissions granted, then add this to the account used for access, so that both roles are needed: one that permits access through the REST API, the other that permits a peek at the right data.


amit88
Tera Contributor

Hi Jimboy,

You can achieve this by passing the sys_id of the desired group in "sysparm_query". Then only that group's records will be retrieved when accessing the REST API.
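The following is an added example that is not code from ServiceNow or from any poster in this thread. It models, in plain JavaScript that runs offline, the two approaches given above: the server-side ACL condition on assignment_group with a separate data role (Dave Smith's answer) and the client-side Table API call with sysparm_query on the group sys_id (amit88's answer), together with a check on the response that shows why the query alone is only a filter the caller chose and not an access control. The role names, group sys_ids, incident numbers and the sample response rows are all constructed; the ACL script shown in the comment is an assumption about how the condition would be written on an instance and should be verified there.

```javascript
// Added example (not ServiceNow code, not from any poster on this thread).
// Constructed sys_ids standing in for two assignment groups.
const PARTNER_GROUP = 'a1b2c3d4e5f60000000000000000abcd'; // constructed
const OTHER_GROUP   = 'ffff0000ffff0000ffff0000ffff0000'; // constructed

// Constructed sample of rows the Table API (/api/now/table/incident) would return
// if no ACL restricted the caller: one partner ticket, one other-group ticket,
// one unassigned ticket.
const INCIDENTS = [
  { number: 'INC0010001', assignment_group: { value: PARTNER_GROUP } },
  { number: 'INC0010002', assignment_group: { value: OTHER_GROUP } },
  { number: 'INC0010003', assignment_group: { value: '' } }, // unassigned
];

// Hypothetical role names: one grants the REST API entry point, the other
// grants the data, so both must be present on the partner account.
const REST_ROLE = 'x_partner_rest';
const DATA_ROLE = 'x_partner_incident';

// Server side. An ACL "Script" condition on incident / incident.* could read
// (assumption, verify on your instance):
//   answer = current.assignment_group.nil() ? false
//          : gs.getUser().isMemberOf(current.assignment_group.toString());
// Here the same decision is a pure function over a user and a record.
function aclAllows(user, record) {
  if (!user.roles.includes(REST_ROLE) || !user.roles.includes(DATA_ROLE)) return false;
  const group = record.assignment_group && record.assignment_group.value;
  if (!group) return false;               // unassigned ticket: fail closed
  return user.groups.includes(group);     // caller must be in the ticket's group
}

// Rows that survive the ACL for a given user (what the partner can actually see).
function visibleIncidents(user, records) {
  return records.filter((r) => aclAllows(user, r));
}

// Client side: Table API URL with sysparm_query on assignment_group.
// URLSearchParams percent-encodes '=' and ',' inside the parameter values.
function buildIncidentUrl(instance, groupSysId, fields) {
  const q = new URLSearchParams({
    sysparm_query: `assignment_group=${groupSysId}`,
    sysparm_fields: fields.join(','),
  });
  return `https://${instance}.service-now.com/api/now/table/incident?${q}`;
}

// Defensive check on a response: any row outside the expected group means the
// query is filtering but the instance is not enforcing (no ACL in place).
function leakedRows(rows, groupSysId) {
  return rows
    .filter((r) => !r.assignment_group || r.assignment_group.value !== groupSysId)
    .map((r) => r.number);
}

// Stand-alone demonstration with the constructed data.
const partner = { roles: [REST_ROLE, DATA_ROLE], groups: [PARTNER_GROUP] };
console.log(buildIncidentUrl('example', PARTNER_GROUP, ['number', 'assignment_group']));
console.log('without ACL, leaked:', leakedRows(INCIDENTS, PARTNER_GROUP));
console.log('with ACL, leaked:', leakedRows(visibleIncidents(partner, INCIDENTS), PARTNER_GROUP));
```

The point the check makes: `leakedRows` over the unfiltered sample reports INC0010002 and INC0010003, while over the ACL-filtered rows it reports nothing, so a partner integration can confirm that the instance, not its own query string, is what limits the data. A user holding only the REST role sees no rows at all, which is the "both roles are needed" arrangement from the thread.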