Restrict REST API access for itil user

Community Alums
Not applicable

I'm working with non-ServiceNow developers to use the inbound REST API interface to interact with our instance. They will be creating incidents, changes, requests, etc. to automate processes.

The desire (I think this is the safest approach) would be to set up a service account for each of these processes, or a group of processes, and then give that service account only the access needed to do what it's been defined to do. For instance, use the Service Catalog API to order a specific item.

The issue I have is that because these developers also have the ITIL role, they have access to do whatever that role has access to. So they could use the same API to order something and not be forced through the service account. This is at least how I understand it works. If you have access to do something through the browser interface, then you would have the same access to use the REST APIs.

How would one restrict the use of REST APIs to only those systems and processes where we have defined the interface, but restrict everyone else from using the REST interface? Is there a reason why I wouldn't or couldn't do this?

Sorry if this has already been answered. I've searched the community and can't seem to find an answer to this specific scenario.

Thanks Experts!

David