
Gaurav Bajaj
Kilo Sage

 

Following the previous blog on exploring various combinations for MIAC, let's see what the combinations below identify.

 

 

2. Read Access to Incident table with ITIL role account.

 

This time, I provided the ITIL role to the integration account and tried the same check. It worked as expected, and I was able to see the intended result from Postman.

 


 

 

3.  Write Access to Incident table with ITIL user account

 

I took a stab at changing the REST API access policy to the POST method only and tried to query the incident table in the same fashion, which gave me a 403 error – user is not authorized.

This is where Machine Identity Access Control is powerful: it allowed me to ensure that I could provide only read access to the integration user despite it having ITIL access. Therefore, MIAC offers further granular control beyond ACLs as well.


 

 

4.  Read Access to Requested Item table with ITIL user account

 

With the same user account, I explored further by trying to query sc_req_item using the same integration account from Postman. Without this new feature, I should have got access to Requested Items as well using the same ITIL account.

However, this time, since I had selected only Incident in the tables list, I was given an error that the action is not authorized, which is expected from MIAC.

 


 

 

With all the above combinations, we arrive at 2 major outcomes:

 

  • You still need to have user roles provided to your integration account, as MIAC is not a replacement for regular ACLs.

  • MIAC supersedes ACLs in terms of providing access, i.e. ACLs are validated first and then MIAC is validated to ensure access can be provided.
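
A repeatable version of the Postman checks above, as an added example that is not part of the original post: it replays the read probes from scenarios 2 and 4 against the Table API and reports any result that differs from what the policy should allow. Basic authentication, the `SN_*` environment variable names and the `EXPECTED` list are assumptions.

```python
import base64
import os
import urllib.error
import urllib.request

# Constructed expectations for a policy that allows only GET on the Incident
# table (scenarios 2 and 4 of the post): (method, table, should_be_allowed).
EXPECTED = [
    ("GET", "incident", True),
    ("GET", "sc_req_item", False),
]

def http_status(instance, user, password, method, table):
    """Send one Table API request and return the HTTP status code."""
    url = f"https://{instance}/api/now/table/{table}?sysparm_limit=1"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, method=method, headers={
        "Authorization": f"Basic {token}", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 4xx/5xx responses arrive as exceptions

def classify(status, should_allow):
    """Compare one observed status with the expectation for that probe."""
    if status == 401:
        return "inconclusive"  # credentials rejected; says nothing about the policy
    if status == 403:
        return "unexpected-deny" if should_allow else "ok"
    if 200 <= status < 300:
        return "ok" if should_allow else "unexpected-allow"
    return "inconclusive"

def audit(probe, expected=EXPECTED):
    """probe(method, table) -> status code. Returns the rows needing attention."""
    findings = []
    for method, table, should_allow in expected:
        verdict = classify(probe(method, table), should_allow)
        if verdict != "ok":
            findings.append((method, table, verdict))
    return findings

if __name__ == "__main__":
    # Assumed variable names; nothing is sent unless SN_INSTANCE is set.
    inst, user, pw = (os.environ.get(k, "") for k in ("SN_INSTANCE", "SN_USER", "SN_PASSWORD"))
    if inst:
        print(audit(lambda m, t: http_status(inst, user, pw, m, t)) or "policy behaves as expected")
```

An `unexpected-allow` row means the account reached a table or method the policy was meant to exclude, which is the case an ACL review alone would not surface.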

 

MIAC and Access Analyzer

 

I also tried to check whether Access Analyzer (one of the features introduced in recent releases) takes MIAC into consideration while analyzing access. It turns out that it does not.

I used the same integration user account and provided Requested Item as the table to check whether the user has access, and the result suggested that it does.

It would be a good add-on to see Access Analyzer provide a holistic view in future, in conjunction with ACLs, data filtration, etc.

 


 

I hope this helps you get acquainted with Machine Identity Access Control and use it across your inbound integration use cases.

 

1 Comment
Piyush Dhoke1
Tera Contributor

Hey Gaurav,

 

Have you tried with any other API like 'Service Catalog API'?

 

Thanks,

Piyush