Can we use "REST API access policies" to restrict all API calls by default, then craft specific exceptions?

mholmes
Tera Expert

I've recently learned about the new "REST API Access policy" feature.

This, in conjunction with its prerequisite, Adaptive Authentication, is supposed to allow a greater degree of control over which users can access the platform from which IP addresses.

I've been experimenting with this in my personal developer instance.

I have been able to successfully design a rule like: "By default, users can only log in interactively from a specific IP range, unless they have a special role that allows them to log in from a different IP range."

I want to design a rule like: "By default, users can only make API calls from a specific IP range, unless they have a special role that allows them to make specific API calls from a different IP range."

This seems like a reasonable thing to do, but...as far as I can tell, the only way to do this would be to craft a REST API Access Policy [sys_api_access_policy] for every possible permutation of API, Resource, HTTP Method, and version.

This strikes me as extremely impractical (especially since new APIs may be created over time), so I am assuming that I'm wrong and that there is another way to do this.

Has anyone had any experience using these policies to restrict API access by default and then craft specific exceptions? Or have any other tips to share regarding this functionality?

1 ACCEPTED SOLUTION

Daniel Draes
ServiceNow Employee

Hi @mholmes 

you are correct that as of this date/release you will need to craft one policy per API permutation. Not practical but the way this feature is currently working. I had a customer on the phone some time back asking exactly the same question.

I believe this idea here could be what you are looking for, feel encouraged to upvote it 😄

Creating one REST API Access Policy to control all REST APIs
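As an added example (not code from this thread or from ServiceNow), here is a small Python model of the rule the OP wants, keyed the way the accepted answer says a sys_api_access_policy record is keyed: one policy per (API, resource, HTTP method, version) tuple. The IP ranges, role name and API inventory are constructed, and the helper at the end shows how quickly the per-permutation policy count grows.

```python
from ipaddress import ip_address, ip_network
from itertools import product

DEFAULT_RANGE = ip_network("10.0.0.0/8")          # constructed: the "inside" range
EXCEPTION_RANGE = ip_network("203.0.113.0/24")    # constructed: the remote range
EXCEPTION_ROLE = "x_remote_api_user"              # hypothetical role name

# A policy record is specific to one (API, resource, HTTP method, version)
# tuple, so the exception list must be enumerated at that granularity.
EXCEPTIONS = {
    ("now", "table", "GET", "v2"),
    ("now", "attachment", "GET", "v1"),
}


def is_allowed(call, source_ip, roles):
    """Deny by default: allow from DEFAULT_RANGE, or from EXCEPTION_RANGE
    only when the caller holds EXCEPTION_ROLE and the call is listed."""
    ip = ip_address(source_ip)
    if ip in DEFAULT_RANGE:
        return True
    if call in EXCEPTIONS and EXCEPTION_ROLE in roles and ip in EXCEPTION_RANGE:
        return True
    return False


def policies_required(apis):
    """Expand the per-permutation policy set the accepted answer describes.

    apis maps an API name to its resources, methods and versions; the result
    is every (api, resource, method, version) tuple, i.e. one policy each."""
    return sorted(
        (api, res, meth, ver)
        for api, spec in apis.items()
        for res, meth, ver in product(spec["resources"], spec["methods"], spec["versions"])
    )


if __name__ == "__main__":
    inventory = {  # constructed inventory, not a real instance's API list
        "now": {"resources": ["table", "attachment"],
                "methods": ["GET", "POST"],
                "versions": ["v1", "v2"]},
    }
    print(len(policies_required(inventory)), "policies needed for one small API")
```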



That is disappointing, but I appreciate the clarity. Thanks!

@Daniel Draes Thanks for this. We are looking to do the same thing as the OP. Any update on this functionality? Also, I'm unable to find the "Creating one REST API..." community post that you linked to. Was it archived? Any chance you can share the content somehow?

Our Idea portal has moved to our support system. The idea is still there but flagged as 'unlikely to implement': View Idea Page - Now Support (servicenow.com)

Feel free to raise another one referring to the original idea.