Does a user with the "rest_service" role have access to all tables in ServiceNow? Can they create and read records in each of the tables?

quiksilver
Mega Guru

We were planning to provide a REST API to customers so they can create and read tickets for their company, but were worried whether they would have access to other ServiceNow tables.

If yes, is there a setting I can use to turn this off? Or do I have to create an ACL for each table to prevent access?

1 ACCEPTED SOLUTION

The Explicit Roles plugin is a different concept and is primarily used with CSM for separating internal and external customers of ServiceNow. You will need to understand its purpose and see if it is really required for your instance. Once it is activated, all users in the sys_user table will be added with the snc_internal role and all ACLs without a role will be added with the snc_internal role.

Please have a look at its documentation 

https://docs.servicenow.com/bundle/madrid-platform-administration/page/administer/contextual-securit...


7 REPLIES

Alikutty A
Tera Sage

Hello,

The rest_service role was used in previous releases for granting access and is no longer used. We do not require any roles to access the REST APIs. The only thing required is a valid user ID and password. As long as you pass the table-level ACLs, a user ID can access the table data. There are also certain additional security measures that can be enforced on REST, like the default ACLs in scripted REST APIs or ACLs at the API level.

Thanks!
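
Added example, not part of the original thread and not ServiceNow's own code: because table ACLs decide what a REST account can reach, this Python check requests one row per table through the Table API with the customer account and flags tables that are readable but not intended. The instance name, account, table list and stubbed responses are constructed, and treating any non-200 status as a denied read is an assumption.

```python
import base64
import io
import json
import urllib.error
import urllib.request

def probe_table(instance, table, user, password, opener=urllib.request.urlopen):
    """Request one row through the Table API; return (http_status, rows_seen)."""
    url = f"https://{instance}/api/now/table/{table}?sysparm_limit=1&sysparm_fields=sys_id"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Authorization": f"Basic {token}", "Accept": "application/json"})
    try:
        with opener(req, timeout=10) as resp:
            return resp.status, len(json.loads(resp.read()).get("result", []))
    except urllib.error.HTTPError as err:
        return err.code, 0

def audit(instance, user, password, tables, allowed, opener=urllib.request.urlopen):
    """Compare what the account can read with what it is meant to read."""
    report = {}
    for table in tables:
        status, rows = probe_table(instance, table, user, password, opener)
        readable = status == 200  # assumption: an ACL-denied read is not a 200
        if readable and table not in allowed:
            verdict = "EXPOSED"   # tighten the read ACL on this table
        elif not readable and table in allowed:
            verdict = "BLOCKED"   # intended access is missing
        else:
            verdict = "ok"
        report[table] = (status, rows, verdict)
    return report

# Constructed stand-in for a hypothetical instance so the example runs offline.
CONSTRUCTED = {"incident": 200, "sys_user": 200, "cmdb_ci": 403}

class FakeResponse(io.BytesIO):
    status = 200

def fake_opener(req, timeout=None):
    table = req.full_url.split("/table/")[1].split("?")[0]
    if CONSTRUCTED[table] != 200:
        raise urllib.error.HTTPError(req.full_url, CONSTRUCTED[table], "denied", None, None)
    return FakeResponse(b'{"result": [{"sys_id": "constructed"}]}')

if __name__ == "__main__":
    report = audit("example.service-now.com", "customer.api", "not-a-real-password",
                   CONSTRUCTED, {"incident"}, fake_opener)
    for table, (status, rows, verdict) in report.items():
        print(f"{table:10} {status} rows={rows} {verdict}")
```

Leave out `fake_opener` to run the same audit against a real instance with the integration account's own credentials.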

quiksilver
Mega Guru

Thanks for your reply Ali,

So if I want to secure my other table, do I need to create a scripted REST and not use the Table API?

But if I give a username and password to a customer, they can still access other tables, right? Is there any way to stop this?

Yes, they can access tables as long as the ACLs allow them to do it. They could even access the data from the UI, as the ACLs won't prevent them from doing so, so why restrict at the web service level? If you need to restrict, then you should do it at both places. I do not think it can be stopped, as basic authentication is required for access and this is a part of its design.

 

quiksilver
Mega Guru

Hi Ali,

Are you familiar with this?

https://docs.servicenow.com/bundle/london-application-development/page/integrate/inbound-rest/concep...

Will this help my issue if I use this? Or is there no need?

quik