Restrict API access to block user table when getting change records?

Zack9
Tera Expert

Hi All,

What role or custom role can I give a user who needs access to change request records via API, and potentially the "assigned to" field from the user table?

I'm trying to limit the access of a user who needs to run API GET commands to get data into an outside web app. My test account has read access to the user table from somewhere. Right now I have them in one system-created role (with three inherited roles), rest_api_explorer. Removing this role does not change the access.

The other role, change_read_only_, was added to an Access Control that should only have read access to change_request.

The role sn_change_read had the same problem with too much access. 

Essentially, I'd like to restrict this user's access to other tables outside of change_request. Any tips? Thank you!

[two screenshots attached to the original post]

1 ACCEPTED SOLUTION

Zack9
Tera Expert
After the patch last night the access to the user table is gone as I would expect. 
Security maintenance notification
Review • October 2023  

We are reaching out to inform you about a recent proactive maintenance action that we took to enhance the security of your noted instances. The update we applied adjusts the configuration of certain existing access control lists (ACLs). 

Here’s what you can expect 

  • To enhance the security of your instance(s), ServiceNow adjusted existing ACLs that did not contain any roles, scripts, and conditions. 
  • As described in KB1553688, in certain circumstances, an ACL that is configured to have empty roles, scripts, and conditions can grant unintended access to the data within the tables associated with the ACL. 
  • For ACLs that we determined do not have any assigned role, script, and condition, the update added a script that is designed to grant access only if a user is logged in.  

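To make the notification concrete, here is an added example (my own code, not ServiceNow's and not from the original post) that models how a table read ACL is evaluated, enough to show why an ACL with no roles, no condition and no script lets every caller through, what the added "only if a user is logged in" script changes, and what a role-gated ACL looks like by comparison. Assumptions: evaluateAcl() is a simplification in which all three parts must pass (the platform's own evaluation order does not change the outcome); the role name x_change_api_read, the user names and the records are constructed here; the loggedIn flag is an input, because the page does not say how the platform classifies a given API session.

```javascript
// Added example, not ServiceNow's code: a small model of table read ACL
// evaluation. Assumptions: all three parts (roles, condition, script) must
// pass; x_change_api_read, the user names and the records are constructed.

// An ACL record. Empty roles, a null condition or a null script each count
// as "nothing to check", which is exactly the pitfall KB1553688 describes.
function makeAcl({ name, roles = [], condition = null, script = null }) {
  return { name, roles, condition, script };
}

// The session as the ACL engine sees it: caller, authenticated or not, and
// the roles held (inherited roles already expanded).
function makeSession({ user, loggedIn, roles = [] }) {
  return { user, loggedIn, roles: new Set(roles) };
}

// Evaluate one ACL against a session and a record:
//   roles     - caller must hold at least one listed role (none listed = pass)
//   condition - predicate over the record (none = pass)
//   script    - predicate over session and record (none = pass)
function evaluateAcl(acl, session, record) {
  if (acl.roles.length > 0 && !acl.roles.some((r) => session.roles.has(r))) {
    return false;
  }
  if (acl.condition !== null && !acl.condition(record)) {
    return false;
  }
  if (acl.script !== null && !acl.script(session, record)) {
    return false;
  }
  return true;
}

// Run one ACL for several callers and return { user: allowed }.
function accessMatrix(acl, sessions, record) {
  const out = {};
  for (const s of sessions) {
    out[s.user] = evaluateAcl(acl, s, record);
  }
  return out;
}

// Constructed callers: an unauthenticated request, the integration account
// holding only a hypothetical custom role, and an ordinary ITIL user.
const guest = makeSession({ user: 'guest', loggedIn: false });
const integration = makeSession({ user: 'int.user', loggedIn: true, roles: ['x_change_api_read'] });
const itil = makeSession({ user: 'alice', loggedIn: true, roles: ['itil'] });
const userRecord = { table: 'sys_user', user_name: 'bob' };

// 1. An ACL on sys_user with nothing in it: every caller, guest included, passes.
const emptyUserRead = makeAcl({ name: 'sys_user read, empty' });

// 2. The maintenance change as the notification describes it: a script that
//    passes only for a logged-in session. Unauthenticated callers are stopped;
//    any session the platform treats as logged in still passes this ACL.
const patchedUserRead = makeAcl({
  name: 'sys_user read, logged-in script',
  script: (session) => session.loggedIn === true,
});

// 3. The least-privilege shape the thread is after: the table is gated on a
//    custom role that is granted only to the accounts that need it.
const roleGatedChangeRead = makeAcl({
  name: 'change_request read, custom role',
  roles: ['x_change_api_read'],
});

for (const acl of [emptyUserRead, patchedUserRead, roleGatedChangeRead]) {
  console.log(acl.name, accessMatrix(acl, [guest, integration, itil], userRecord));
}
```

The point of the three matrices: the empty ACL and the patched ACL differ only for unauthenticated callers, so neither is a substitute for a read ACL that names a role; an integration account that should see only change_request needs the role-gated shape on that table and no passing ACL on sys_user.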

2 REPLIES

Tony Chatfield1
Kilo Patron

Hi, if you require more granular visibility or access to a table than OOB roles and ACLs provide, I believe that you will need to create a custom role, add ACL(s) to deliver your required access, and then apply the role to your integration user(s).
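Once the custom role and ACLs are in place, the check worth running is to call the Table API as the integration account and see, table by table, what it can actually read. The script below is an added example (my own, not from the original post or from ServiceNow): it probes each table with a one-record read and reports anything readable that is not on the intended allow-list. Assumptions: the instance host, account name and password are placeholders; the table list is constructed (the allowed table plus a few an integration user should normally not see); the probe treats HTTP 200 as "table read ACL passed" and 403 as "blocked", and reports the row count because a 200 with an empty result means the table ACL passed but query-time ACLs hid every row. Node 18+ is assumed for the built-in fetch; the fakeFetch stand-in makes the example run offline and models the situation in the question, where sys_user is still readable.

```javascript
// Added example, not from the original post: audit an integration account's
// effective read access through the ServiceNow Table API. Assumptions: host,
// account and table list are placeholders/constructed; Node 18+ for fetch.

const INSTANCE = 'example.service-now.com';                 // placeholder host
const ACCOUNT = { user: 'int.user', password: 'placeholder-password' };
const EXPECTED_READABLE = ['change_request'];                 // intended allow-list
const TABLES_TO_CHECK = ['change_request', 'sys_user', 'incident', 'sys_user_has_role', 'sys_user_role'];

function basicAuthHeader(user, password) {
  return 'Basic ' + Buffer.from(`${user}:${password}`).toString('base64');
}

// Probe one table with a minimal read. A 401 means the credentials themselves
// were rejected, which would make every other result meaningless, so stop.
async function probeTable(instance, authHeader, table, fetchImpl) {
  const url = `https://${instance}/api/now/table/${encodeURIComponent(table)}` +
    '?sysparm_limit=1&sysparm_fields=sys_id';
  const res = await fetchImpl(url, {
    headers: { Authorization: authHeader, Accept: 'application/json' },
  });
  if (res.status === 401) {
    throw new Error(`credentials rejected by ${instance}`);
  }
  let rows = 0;
  if (res.status === 200) {
    const body = await res.json();
    rows = Array.isArray(body.result) ? body.result.length : 0;
  }
  return { table, status: res.status, readable: res.status === 200, rows };
}

async function auditTableAccess(instance, authHeader, tables, fetchImpl = fetch) {
  const results = [];
  for (const table of tables) {
    results.push(await probeTable(instance, authHeader, table, fetchImpl));
  }
  return results;
}

// Anything readable that is not on the allow-list is a finding.
function findings(results, expectedReadable) {
  const allowed = new Set(expectedReadable);
  return results.filter((r) => r.readable && !allowed.has(r.table)).map((r) => r.table);
}

// Constructed stand-in for fetch so the example runs offline. It models an
// instance where sys_user is still readable by the account. Drop it (call
// runAudit() with no argument) to run against a real instance.
function fakeFetch(readableTables) {
  return async (url) => {
    const table = decodeURIComponent(url.split('/api/now/table/')[1].split('?')[0]);
    const ok = readableTables.has(table);
    return {
      status: ok ? 200 : 403,
      json: async () => (ok ? { result: [{ sys_id: 'constructed' }] } : { error: { message: 'constructed 403 body' } }),
    };
  };
}

async function runAudit(fetchImpl) {
  const auth = basicAuthHeader(ACCOUNT.user, ACCOUNT.password);
  const results = await auditTableAccess(INSTANCE, auth, TABLES_TO_CHECK, fetchImpl);
  return { results, findings: findings(results, EXPECTED_READABLE) };
}

runAudit(fakeFetch(new Set(['change_request', 'sys_user']))).then(({ results, findings: extra }) => {
  for (const r of results) console.log(`${r.table.padEnd(20)} ${r.status} rows=${r.rows}`);
  console.log('readable but not on the allow-list:', extra);
});
```

Run it before and after the role change and keep the output: an empty findings list is the evidence that the custom role plus ACLs did what was intended, and a table that flips to 200 later is the signal that some other ACL (the empty kind from the notification, or a role inherited through rest_api_explorer) has reopened it.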
