Having difficulty configuring Adaptive Authentication policies

Frank47
Tera Contributor

Hi All!


We are considering moving from IP Address Restrictions to Adaptive Authentication for all the obvious reasons. But I am having some trouble getting it to do exactly what I want.


The scenario I am shooting for is as follows:


Pre-authentication:

Everyone can log in to the instance from any IP (with appropriate credentials, of course). ✔️


Post-authentication:

Users located within a (set of) IP ranges are allowed ✔️

OR

Registered mobile devices are allowed to access the mobile app from anywhere ✔️

OR

Users with a certain role are allowed to log in from anywhere ✔️ (e.g. for inbound REST APIs)


This all works.


I would like to create a default deny on all inbound REST APIs except for the users with the aforementioned role. At this moment it seems anyone with a valid account can access the REST APIs (e.g. the Table API).


This document:

https://docs.servicenow.com/bundle/tokyo-platform-security/page/integrate/authentication/task/config...

mentions a global blocking policy for APIs, but I can only find a global blocking policy under authentication policies -> all policies, not a specific one for APIs.


What am I missing here?


Regards,

Frank

7 REPLIES

Randheer Singh
ServiceNow Employee

You can use the REST API Access Policy feature to deny access to a REST API based on IP, role, group criteria, and authentication methods. This feature is available at the individual API level as of the Tokyo release.

From the Utah release onwards, there will be an option to define a global REST API access policy that applies to all REST APIs.

Thanks for the reply!


Yes, while REST API access policies are an option, it would imply that we would need to make a policy for every individual API, and have something in place to check whether any new APIs are created, either by someone in my company or by a ServiceNow update, and create access policies accordingly.


A global policy would be very welcome. I am a bit confused/worried because a similar "user voice" suggestion was marked as not likely to implement.
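The coverage check described in the reply above (knowing whether every REST API, including ones added by an upgrade or by a developer, actually has an access policy) can be automated. The script below is an added example for this thread; it is not code from the thread, from ServiceNow, or from its documentation. It assumes, without confirmation from the thread, that scripted REST services are read from sys_ws_definition, that access policies live in a table called here sys_rest_access_policy with a field naming the API each applies to, and that a policy with an empty API field is global; built-in APIs such as the Table API are added to the inventory by hand. The sample inventory and policies at the bottom are constructed so the report runs offline.

```python
"""Audit REST API Access Policy coverage on a ServiceNow instance.

Added example for this thread, not code from ServiceNow. It pairs an
inventory of REST APIs with the access policies that exist and reports
every API that no active policy covers, plus policies that point at APIs
that no longer exist. Table and field names below are assumptions:
sys_ws_definition for scripted REST services, sys_rest_access_policy with
a rest_api field for policies, empty rest_api meaning a global policy.
"""
from __future__ import annotations

import base64
import json
import urllib.request
from dataclasses import dataclass


@dataclass(frozen=True)
class RestApi:
    api_id: str    # sys_id for scripted APIs, a fixed label for built-ins
    name: str


@dataclass(frozen=True)
class AccessPolicy:
    name: str
    api_id: str    # "" means the policy is global (assumption, see above)
    active: bool


# Built-in APIs have no sys_ws_definition record; these labels are constructed.
BUILTIN_APIS = (
    RestApi("builtin:table", "Table API"),
    RestApi("builtin:attachment", "Attachment API"),
)


def fetch_table(base_url: str, user: str, password: str,
                table: str, fields: str) -> list[dict]:
    """Read records through the Table API with basic auth (network call)."""
    url = f"{base_url}/api/now/table/{table}?sysparm_fields={fields}&sysparm_limit=1000"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Authorization": f"Basic {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["result"]


def load_inventory(base_url: str, user: str, password: str
                   ) -> tuple[list[RestApi], list[AccessPolicy]]:
    """Build the inventory from a live instance; table/field names are assumptions."""
    apis = list(BUILTIN_APIS) + [
        RestApi(r["sys_id"], r["name"])
        for r in fetch_table(base_url, user, password, "sys_ws_definition", "sys_id,name")]
    policies = [
        AccessPolicy(r["name"], r.get("rest_api", ""), r["active"] == "true")
        for r in fetch_table(base_url, user, password, "sys_rest_access_policy",
                             "name,rest_api,active")]
    return apis, policies


def uncovered_apis(apis, policies) -> list[RestApi]:
    """APIs with no active policy; one active global policy covers everything."""
    active = [p for p in policies if p.active]
    if any(p.api_id == "" for p in active):
        return []
    covered = {p.api_id for p in active}
    return sorted((a for a in apis if a.api_id not in covered), key=lambda a: a.name)


def stale_policies(apis, policies) -> list[AccessPolicy]:
    """Active per-API policies whose target API is not in the inventory."""
    known = {a.api_id for a in apis}
    return [p for p in policies if p.active and p.api_id and p.api_id not in known]


def report(apis, policies) -> list[str]:
    """Human-readable findings; an empty finding list means full coverage."""
    lines = [f"api without access policy: {a.name} ({a.api_id})"
             for a in uncovered_apis(apis, policies)]
    lines += [f"stale policy: {p.name} -> {p.api_id}"
              for p in stale_policies(apis, policies)]
    return lines or ["all REST APIs covered"]


# Constructed sample data standing in for a real instance: one scripted API
# with no policy, one inactive draft policy, one policy pointing at a deleted API.
SAMPLE_APIS = list(BUILTIN_APIS) + [RestApi("a1b2", "Ticket Intake (scripted)")]
SAMPLE_POLICIES = [
    AccessPolicy("Table API - integration role only", "builtin:table", True),
    AccessPolicy("Old intake policy", "deadbeef", True),
    AccessPolicy("Attachment lockdown (draft)", "builtin:attachment", False),
]

if __name__ == "__main__":
    for line in report(SAMPLE_APIS, SAMPLE_POLICIES):
        print(line)
```

Run it from a scheduled job after every upgrade and after each deployment that touches sys_ws_definition; a non-empty finding list is the signal that a new API is reachable by any authenticated account until a policy is created for it. Once an active global policy exists, the per-API gap check short-circuits, which is exactly the posture the thread is asking for.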

Hi @Frank47 ,
I am a product manager in the ServiceNow platform security group. You can check the global REST API access policy feature through the Utah release RTP program.
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0717787
Thanks,

Randheer

Randheer Singh
ServiceNow Employee

Hi @Frank47 ,
You can refer to this product documentation for the global REST API access policy feature.

[attached screenshot: RandheerSingh_0-1676601051112.png]

Thanks,

Randheer