Administrators can now enforce more secure and granular authentication controls across all non-public REST APIs using Global REST API Access Policies. This feature is a critical addition for organizations looking to tighten security and comply with enterprise-grade security mandates. Let’s dive into what this feature offers and explore its practical use cases. This feature is available from Vancouver and higher releases.
Overview
The Global REST API Access Policy enables administrators to define allowed authentication methods and enforce IP restrictions for all incoming non-public REST API requests from external clients. By centralizing authentication control, administrators can reduce the risk of unauthorized access and ensure consistency in security policies across APIs.
This feature is particularly beneficial in scenarios where you want to:
- Enforce IP restrictions across all REST APIs.
- Specify allowable authentication methods, such as OAuth or certificate-based authentication, while disallowing less secure methods like basic authentication.
Defining Authentication Methods
With Global REST API Access Policies, admins can configure allowed authentication profiles for all REST APIs. For example:
- If a global API access policy permits only OAuth and certificate-based authentication, other authentication methods like basic authentication will be disallowed by default.
This ensures that only secure and approved methods of authentication are utilized for accessing sensitive API endpoints.
Policy Override for Specific APIs
One of the standout features of Global REST API Access Policies is the ability to override the global policy for specific REST APIs. This flexibility is invaluable in scenarios where exceptions are necessary due to external constraints.
Example use case:
- Your organization has a strict security mandate to disallow basic authentication globally.
- However, a third-party client requires basic authentication for a specific REST endpoint due to their system limitations.
In such cases, you can:
- Define a Global REST API Access Policy that permits only OAuth, certificate-based authentication, and ID tokens.
- Create an overriding API access policy for the specific REST endpoint, allowing basic authentication in addition to the globally permitted profiles (OAuth, certificate-based authentication, and ID tokens).
This multi-layer policy system ensures security compliance while accommodating edge cases.
Understanding API access policy prioritization is essential to effectively managing policy overrides and ensuring clarity in policy enforcement. For detailed information on how policies are applied and prioritized, refer to the product documentation on API access policy prioritization.
Global REST API Access Policy and Mobile App Access
The Global REST API Access Policy also applies to mobile apps, so any IP restriction enforced through the global policy affects mobile app users as well. The following issue and its resolutions cover that case.
Issue
When a global API access policy with IP restrictions is enabled, mobile app users cannot access the instance from outside the trusted network.
Release
These solutions have been tested on an instance with the Xanadu patch, but they should also be compatible with the Washington release.
Resolution
Option 1: Use the trusted mobile app filter criteria in the authentication policy enforcing IP restrictions for the Global API Access Policy.
- Set the system property glide.authenticate.preauth.allow.trusted.device to true.
- Update the policy condition of the Authentication policy associated with existing authentication profiles to allow access when the API is accessed from a trusted network or from a trusted mobile app.
- In this case, users must register their mobile app as a trusted device. Refer to the product documentation on trusted mobile app registration for details.
Option 2: Allow mobile app access from any network without requiring app registration. In addition to the existing authentication profiles associated with the Global API access policy (which enforce IP restrictions for the allowed authentication methods), add separate OAuth authentication profiles for the mobile app OAuth entities:
- Create a new authentication profile with Type as OAuth.
- Select ServiceNow Request as the OAuth entity.
- Do not associate the authentication policy that is enforcing IP restrictions with this authentication profile.
- Similarly, to allow the ServiceNow Agent app to access the instance without requiring a trusted mobile app or trusted network, create another OAuth authentication profile with ServiceNow Agent as the OAuth entity.
- Associate both of these authentication profiles to the Global API access policy.
After adding these two authentication profiles, the ServiceNow Request and ServiceNow Agent mobile apps will be able to access the instance without being connected to the trusted network.
Note: Certain third-party clients require the Basic authentication method to be the first Authorization header when multiple authentication methods are permitted. To accommodate them, ensure that the Auth Profile of type Basic is the most recently updated record, i.e. it appears first when the records are sorted by the Updated column.
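To make the layered semantics concrete (global policy, per-endpoint override, IP-restricted profiles, and the two mobile-app workarounds above), here is an added Python model of how such a policy decision plays out; it is not ServiceNow code. The trusted network ranges, the endpoint path, and the rule that an OAuth profile with no entity matches any OAuth client are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed illustration of the layered policy described in this article; not ServiceNow code.
# Assumed trusted corporate ranges (private/documentation prefixes used as placeholders).
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]

@dataclass(frozen=True)
class AuthProfile:
    method: str                         # "oauth", "cert", "id_token" or "basic"
    ip_restricted: bool = True          # linked to an auth policy that enforces the IP restriction
    oauth_entity: Optional[str] = None  # assumption: None matches any OAuth client

@dataclass(frozen=True)
class Request:
    path: str
    method: str
    client_ip: str
    oauth_entity: Optional[str] = None
    trusted_device: bool = False        # app registered as a trusted mobile device (Option 1)

# Global policy: OAuth, certificate and ID-token profiles, each IP restricted.
GLOBAL_POLICY = [AuthProfile("oauth"), AuthProfile("cert"), AuthProfile("id_token")]
# Override for one hypothetical endpoint: the global set plus Basic for the third-party client.
OVERRIDES = {"/api/now/table/incident": GLOBAL_POLICY + [AuthProfile("basic")]}
# Option 2: extra OAuth profiles for the mobile app entities, with no IP-restricting policy.
MOBILE_PROFILES = [AuthProfile("oauth", ip_restricted=False, oauth_entity=e)
                   for e in ("ServiceNow Request", "ServiceNow Agent")]

def on_trusted_network(ip: str) -> bool:
    return any(ip_address(ip) in net for net in TRUSTED_NETWORKS)

def allowed(req: Request, global_policy: List[AuthProfile] = GLOBAL_POLICY,
            overrides: Dict[str, List[AuthProfile]] = OVERRIDES,
            allow_trusted_device: bool = True) -> bool:
    """True if some profile in the effective policy admits the request.
    allow_trusted_device models glide.authenticate.preauth.allow.trusted.device."""
    profiles = overrides.get(req.path, global_policy)  # endpoint override replaces the global set
    for p in profiles:
        if p.method != req.method:
            continue
        if p.oauth_entity is not None and p.oauth_entity != req.oauth_entity:
            continue
        if not p.ip_restricted or on_trusted_network(req.client_ip):
            return True
        if allow_trusted_device and req.trusted_device:
            return True  # Option 1: registered trusted mobile app bypasses the IP restriction
    return False
```

Passing `GLOBAL_POLICY + MOBILE_PROFILES` as `global_policy` reproduces Option 2: the named mobile entities get in from any network while every other client stays bound to the trusted network.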
Conclusion
The Global REST API Access Policy feature offers administrators powerful tools to enforce security across all REST APIs while maintaining the flexibility to accommodate exceptions. By leveraging this feature, organizations can achieve a robust security posture that balances stringent controls with operational flexibility.