Disclaimer – This article is part of a series exploring the new features and capabilities introduced in the Australia release. Since we’re still in the Early Availability (EA) phase, things may change before General Availability (GA).
Securing your APIs is critical, but applying the right access controls isn’t always straightforward.
Have you ever needed to change access to a Scripted REST API that was read-only? And, of course, the ACL configured on the Scripted REST Resource was read-only as well, or it was a default ACL used by more than just the API you needed to change.
To solve this, ServiceNow introduced Path-Based REST ACLs in the Australia release. Now, you can apply ACLs directly to an endpoint's resource path, allowing you to secure it without altering the read-only API itself.
What are Path-based REST ACLs?
A path-based REST ACL is a new type of ACL that protects a specific resource path of a REST API endpoint.
Before Australia, you could only define REST Endpoint ACLs for a Scripted REST Resource [sys_ws_operation]. Those ACLs still apply. Path-based REST ACLs act as an additional layer of protection: to get access, a request must pass both.
This is not a replacement but a configuration you can use when you are not able to change the security settings on the Scripted REST API. Path-based ACLs are always evaluated, regardless of the security settings you have configured on the Scripted REST Resource.
How to configure them?
Creating a path-based REST ACL is just like setting up a standard REST Endpoint ACL:
- Set the type to REST_Endpoint.
- Select one of the new operations: http_get, http_post, http_put, http_patch, or http_delete.
- Name the ACL using the exact path of the REST Resource you want to protect.
You don’t need to add the new ACL to your REST Resource. Once created, it applies automatically to the path and shows up on the related list REST Path Based ACLs on your Scripted REST Resource.
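One way to check coverage after following the steps above, as an added example that is not part of the original article or ServiceNow's own code: it compares exported Scripted REST Resources against REST_Endpoint ACLs by exact path and http_* operation. The record shapes, the x_demo paths and the function name auditPathAcls are assumptions, and all sample data is constructed.

```javascript
// Added example: offline audit of path-based REST ACL coverage.
// Record shapes are assumed (modelled on exported rows); all data is constructed.
const METHOD_TO_OPERATION = {
  GET: 'http_get', POST: 'http_post', PUT: 'http_put',
  PATCH: 'http_patch', DELETE: 'http_delete',
};

// Constructed sample: Scripted REST Resources (resource path + HTTP method).
const sampleResources = [
  { path: '/api/x_demo/inventory/items', method: 'GET' },
  { path: '/api/x_demo/inventory/items', method: 'POST' },
  { path: '/api/x_demo/inventory/stock', method: 'DELETE' },
  { path: '/api/x_demo/inventory/stock', method: 'PATCH' },
];

// Constructed sample: ACL rows.
const sampleAcls = [
  { name: '/api/x_demo/inventory/items', type: 'REST_Endpoint', operation: 'http_get', active: true },
  // Name lacks the /api prefix, so it is not the exact resource path.
  { name: '/x_demo/inventory/items', type: 'REST_Endpoint', operation: 'http_post', active: true },
  { name: '/api/x_demo/inventory/stock', type: 'REST_Endpoint', operation: 'http_delete', active: false },
];

// Returns one row per resource with status:
// covered | inactive | misnamed | missing
function auditPathAcls(resources, acls) {
  const restAcls = acls.filter((a) => a.type === 'REST_Endpoint');
  return resources.map((res) => {
    const operation = METHOD_TO_OPERATION[res.method.toUpperCase()];
    const sameOp = restAcls.filter((a) => a.operation === operation);
    const exact = sameOp.filter((a) => a.name === res.path);
    let status;
    if (exact.some((a) => a.active)) status = 'covered';
    else if (exact.length > 0) status = 'inactive';
    // An ACL named without /api does not equal the exact path.
    else if (sameOp.some((a) => '/api' + a.name === res.path)) status = 'misnamed';
    else status = 'missing';
    return { path: res.path, operation, status };
  });
}

for (const row of auditPathAcls(sampleResources, sampleAcls)) {
  console.log(row.status.padEnd(9), row.operation.padEnd(12), row.path);
}
```
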
A Quick Note on the REST API Explorer
The REST API Explorer includes a handy shortcut to view path-based REST ACLs, though there appears to be a bug in the Early Availability (EA) version.
If you click the menu icon in the top right, you find a new entry, Resource ACLs.
It takes you to a filtered ACL list for the API you selected.
However, as you can see in the screenshot below, the filter is missing /api from the path, which results in no ACLs being found.
If you change the name and add /api at the beginning, you see that there is a path-based REST ACL.
