How to allow restricted data access through REST API for Incident tickets

JC S_
Mega Guru

We are planning to provide REST API access to a limited set of incident tickets - for example, allow access only to tickets assigned to a group. How should we set this up because currently, we provided the account of our partner with web_service_admin and itil roles and they can pull data and push updates to any tickets in the incident table - which is definitely not what we want. It should be that they can only get data for tickets assigned to a specific group and push updates for those tickets as well.


DilipKumar DJ
Kilo Guru

Hi Jimboy,

You can try creating an ACL with a condition related to the specific group and restricting the role of web_service_admin.


Hi Dilip,

1) How can we set up an ACL that restricts access to tickets assigned to a group?

2) Should we modify the web_service_admin role (kind of hesitant to do this since this is OOTB and we want to minimize the impact on future upgrades of the system), or should we create a new role based on the web_service_admin role but with the restrictions we need?


Dave Smith1
ServiceNow Employee

Jimboy Sioson wrote:

> Hi Dilip,
>
> 1) How can we set up an ACL that restricts access to tickets assigned to a group?

Sounds like you need read ACLs on incident.fields with a condition where tickets belong to a specific assignment group. The ACL(s) should permit access to those fields only, and the condition disallows tickets belonging to another group.

> 2) Should we modify the web_service_admin role (kind of hesitant to do this since this is OOTB and we want to minimize the impact on future upgrades of the system), or should we create a new role based on the web_service_admin role but with the restrictions we need?

Latter. In fact, ignore the web_service_admin role - create another role with the permissions granted, then add this to the account used for access, so that both roles are needed: one that permits access through the REST API, the other that permits a peek at the right data.
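The approach in this answer (a row-level condition on the assignment group plus field-level ACLs, granted through a dedicated role) can be modelled as plain functions and exercised offline. The block below is an added example, not code from this thread or from ServiceNow. It assumes a hypothetical partner group sys_id and a constructed list of incidents; in an instance the same row check would sit in the Script field of the incident read/write ACLs, roughly `answer = current.getValue('assignment_group') == '<group sys_id>';`, and the field lists would be separate field ACLs on incident.<field>. The write path here is deliberately strict: an update that touches any field outside the writable set (assignment_group in particular) is refused outright, so the partner cannot reassign a ticket out of the group they are allowed to see.

```javascript
// Added example: models the ACL decisions described above as testable
// functions. Not ServiceNow code; `current`/`answer` equivalents noted inline.

// Hypothetical sys_id of the partner's assignment group (constructed value;
// a real one comes from sys_user_group or a system property).
var PARTNER_GROUP_SYS_ID = '0123456789abcdef0123456789abcdef';

// Field ACL model: what the partner role may read, and the subset it may write.
var PARTNER_READ_FIELDS = ['number', 'short_description', 'state', 'assignment_group', 'work_notes'];
var PARTNER_WRITE_FIELDS = ['state', 'work_notes'];

// Row-level read condition (in-instance: answer = current.getValue('assignment_group') == group).
function canRead(record, groupSysId) {
  return record.assignment_group === groupSysId;
}

// Row-level write condition plus a check that the update cannot move the
// ticket out of the group: any field outside the writable set is refused,
// rather than silently dropped, so a reassignment attempt is visible as a denial.
function canWrite(record, update, groupSysId, writableFields) {
  if (!canRead(record, groupSysId)) return false;
  return Object.keys(update).every(function (f) {
    return writableFields.indexOf(f) !== -1;
  });
}

// Field-level projection: keeps only the fields the partner may read,
// mirroring what field ACLs do to a Table API response.
function projectFields(record, allowedFields) {
  var out = {};
  allowedFields.forEach(function (f) {
    if (Object.prototype.hasOwnProperty.call(record, f)) out[f] = record[f];
  });
  return out;
}

// What a GET on the incident table would return to the partner account:
// rows filtered by the read condition, then trimmed to readable fields.
function partnerView(records, groupSysId, readableFields) {
  return records
    .filter(function (r) { return canRead(r, groupSysId); })
    .map(function (r) { return projectFields(r, readableFields); });
}

// Applies a PATCH-style update when the write condition holds; returns the
// updated copy, or null when the update is denied.
function applyUpdate(record, update, groupSysId, writableFields) {
  if (!canWrite(record, update, groupSysId, writableFields)) return null;
  var result = Object.assign({}, record);
  Object.keys(update).forEach(function (f) { result[f] = update[f]; });
  return result;
}

// Constructed sample incidents (sys_ids, numbers and caller ids are made up).
var SAMPLE_INCIDENTS = [
  { sys_id: 'aaaa0000aaaa0000aaaa0000aaaa0001', number: 'INC0000001',
    assignment_group: PARTNER_GROUP_SYS_ID, short_description: 'VPN tunnel down',
    state: '2', caller_id: 'user-0001', work_notes: '' },
  { sys_id: 'bbbb0000bbbb0000bbbb0000bbbb0002', number: 'INC0000002',
    assignment_group: 'ffff0000ffff0000ffff0000ffff0003', short_description: 'Payroll export failing',
    state: '1', caller_id: 'user-0002', work_notes: '' }
];

// Stand-alone run: print what the partner would see and two update outcomes.
console.log(JSON.stringify(partnerView(SAMPLE_INCIDENTS, PARTNER_GROUP_SYS_ID, PARTNER_READ_FIELDS)));
console.log(applyUpdate(SAMPLE_INCIDENTS[0], { state: '3' }, PARTNER_GROUP_SYS_ID, PARTNER_WRITE_FIELDS));
console.log(applyUpdate(SAMPLE_INCIDENTS[0], { assignment_group: 'ffff0000ffff0000ffff0000ffff0003' },
  PARTNER_GROUP_SYS_ID, PARTNER_WRITE_FIELDS));
```

Note that the projection is what keeps caller_id and sys_id out of the response even for a permitted row; the row condition alone would expose every column of the matching tickets, which is why the answer insists on field-level ACLs as well as the group condition.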


amit88
Tera Contributor

Hi Jimboy,

You can achieve this by passing the sys_id of the desired group in "sysparm_query". So, only that group's records will be retrieved while accessing the REST API.