Can we use "REST API access policies" to restrict all API calls by default, then craft specific exceptions?

mholmes
Tera Expert

I've recently learned about the new "REST API Access policy" feature.

This, in conjunction with its prerequisite, Adaptive Authentication, is supposed to allow a greater degree of control over which users can access the platform from which IP addresses.

I've been experimenting with this in my personal developer instance.

I have been able to successfully design a rule like: "By default, users can only log in interactively from a specific IP range, unless they have a special role that allows them to log in from a different IP range."

I want to design a rule like: "By default, users can only make API calls from a specific IP range, unless they have a special role that allows them to make specific API calls from a different IP range."

This seems like a reasonable thing to do, but... as far as I can tell, the only way to do this would be to craft a REST API Access Policy [sys_api_access_policy] for every possible permutation of API, Resource, HTTP Method, and version.


This strikes me as extremely impractical (especially since new APIs may be created over time), so I am assuming that I'm wrong and that there is another way to do this.

Has anyone had any experience using these policies to restrict API access by default and then craft specific exceptions? Or have any other tips to share regarding this functionality?

1 ACCEPTED SOLUTION

Daniel Draes
ServiceNow Employee

Hi @mholmes

You are correct that, as of this date/release, you will need to craft one policy per API permutation. Not practical, but that is the way this feature is currently working. I had a customer on the phone some time back asking exactly the same question.

I believe this idea could be what you are looking for; feel encouraged to upvote it 😄

Creating one REST API Access Policy to control all REST APIs


James Fricker
Tera Guru

What about non-REST APIs? Like &XML or &JSONv2 or SOAP or RSS? Any way to restrict those as well?

Hi @James Fricker,
The ability to specify API access policy for SOAP, JSONv2, RSS and export processors is coming as part of the Utah release.

Thanks,

Randheer

Randheer Singh
ServiceNow Employee

Hi @mholmes @Daniel Draes,
Thanks for sharing the feedback. The ability to configure a global REST API access policy is coming as part of the Utah release.
Thanks,

Randheer

Randheer Singh
ServiceNow Employee

Hi @Daniel Draes @mholmes
The global REST API Access policy option is getting released as part of the Utah release.


Please refer to this product documentation.

Thanks,

Randheer


What about SOAP, JSONv2, RSS, export processors etc?