How to allow restricted data access through REST API for Incident tickets
10-14-2017 10:10 AM
We are planning to provide REST API access to a limited set of incident tickets, for example, allowing access only to tickets assigned to a group. How should we set this up? Currently, we have given our partner's account the web_service_admin and itil roles, and they can pull data and push updates to any tickets in the incident table, which is definitely not what we want. It should be that they can only get data for tickets assigned to a specific group and push updates for those tickets as well.
Labels: Incident Management
10-16-2017 02:00 AM
You can achieve this by passing the sys_id of the desired group in "sysparm_query". Then only that group's records will be retrieved when accessing the REST API.
... and leave it open to exploitation if you use that as the only filtering technique.
At the very least, the information disclosure possibilities could violate organisational security policies, whether yours or your customers'.
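The point made in the last reply is that sysparm_query is a parameter the caller chooses, so a filter that lives only in the request is not an access control: the integration account can simply send a different query. The following is an added example, not code from the thread or from ServiceNow, that models a table API over an in-memory incident table to make the difference visible. It assumes a constructed account-to-group mapping (ACCOUNT_SCOPE) and placeholder sys_id values; in a real instance the equivalent enforcement belongs on the server, in an ACL or a query business rule keyed on the account's group membership, never in the client's query string.

```python
"""Why a caller-supplied sysparm_query cannot be the access control for a REST
table API. Constructed example: an in-memory 'incident' table, a handler that
trusts the caller's query, and a handler that ANDs the caller's permitted
assignment_group into every query and write on the server side."""

# Constructed sample rows; sys_id and group values are placeholders.
INCIDENT_TABLE = [
    {"sys_id": "inc0001", "number": "INC0010001", "assignment_group": "grp_partner",
     "short_description": "VPN down"},
    {"sys_id": "inc0002", "number": "INC0010002", "assignment_group": "grp_partner",
     "short_description": "Laptop replacement"},
    {"sys_id": "inc0003", "number": "INC0010003", "assignment_group": "grp_internal",
     "short_description": "Payroll export failed"},
    {"sys_id": "inc0004", "number": "INC0010004", "assignment_group": "grp_security",
     "short_description": "Phishing report"},
]

# Server-side mapping from integration account to the one group it may see.
# Constructed for this example; in ServiceNow this decision lives in an ACL or
# query business rule, not in anything the client sends.
ACCOUNT_SCOPE = {"partner_api": "grp_partner"}


def parse_encoded_query(query):
    """Parse the subset of encoded-query syntax used here: 'field=value' terms
    joined by '^' (AND). Returns a list of (field, value) tuples."""
    terms = []
    if not query:
        return terms
    for term in query.split("^"):
        if "=" not in term:
            raise ValueError("unsupported term: %r" % term)
        field, value = term.split("=", 1)
        terms.append((field.strip(), value.strip()))
    return terms


def run_query(terms):
    """Return every row that satisfies all terms (no terms: the whole table)."""
    return [row for row in INCIDENT_TABLE if all(row.get(f) == v for f, v in terms)]


def query_trusting_client(account, sysparm_query):
    """Insecure: what the caller sees is exactly what the caller asked for.
    Dropping the group term from the query returns the entire table."""
    return run_query(parse_encoded_query(sysparm_query))


def query_server_enforced(account, sysparm_query):
    """Hardened: the account's permitted group is ANDed in on the server, so
    the caller's query can only narrow the result set, never widen it."""
    scope = ACCOUNT_SCOPE.get(account)
    if scope is None:
        return []  # unknown or unscoped account: nothing
    terms = parse_encoded_query(sysparm_query) + [("assignment_group", scope)]
    return run_query(terms)


def update_server_enforced(account, sys_id, fields):
    """Hardened write path: the target row must already be inside the account's
    scope, and the update may not move the ticket out of that scope. Out-of-scope
    and nonexistent records get the same answer, so existence is not disclosed."""
    scope = ACCOUNT_SCOPE.get(account)
    for row in INCIDENT_TABLE:
        if row["sys_id"] == sys_id and row["assignment_group"] == scope:
            if fields.get("assignment_group", scope) != scope:
                return False  # attempt to reassign outside the permitted group
            row.update(fields)
            return True
    return False


if __name__ == "__main__":
    print("client-filtered, group term present:",
          len(query_trusting_client("partner_api", "assignment_group=grp_partner")))
    print("client-filtered, group term omitted:",
          len(query_trusting_client("partner_api", "")))
    print("server-enforced, group term omitted:",
          len(query_server_enforced("partner_api", "")))
```

Running the script shows the leak directly: the trusting handler returns two rows when the group term is present and all four when it is omitted, while the server-enforced handler returns two rows either way. The same rule applies to writes, which is why the update path re-checks scope on the stored row rather than on anything in the request body; granting a role such as itil without a scoped ACL behind it is what allowed the partner account in the question to touch every incident.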
