Restrict User to REST Endpoint

Drew24
Tera Expert

Is there a way to restrict a user to one REST endpoint?

i.e. an integration user account has the itil role, but can only hit one scripted REST API endpoint

ACLs don't appear to be usable for this, because the first ACL that passes will provide access to other endpoints.

First page properties and login installation exits are focused on the initial entry into the system, so subsequent requests could go unchecked.

5 REPLIES

Patrick DeCarl1
ServiceNow Employee

ACL should work. Not sure what you mean by "the first ACL that passes will provide access".

From docs:

Whenever a session requests data, the system searches for access control rules that match the requested object and operation. If there is a matching access control rule, then the system evaluates if the user has the permissions required to access the object and operation. If an access control rule specifies more than one permission, then the user must meet all permissions to gain access to the object and operation. Failing any one permission check prevents the user from accessing the matching object and operation.

If a user does not meet the permissions of the first matching rule, the system evaluates the permissions of the next matching access control rule as specified by the access control processing order. If the user fails to meet the permissions of any matching access control rule, the system denies access to the requested object and operation.
Note: If there are no matching access control rules for the requested object and operation, then the system grants the user access to it. In practice, it is rare for the system to find no matching rules because the system has a set of default access control rules that protect all record operations.

I just did a test: created a new role, updated a REST API ACL to only allow that role, and made sure that role had access to read the data it's calling. I went to try and make another call to a different API and I got nothing back.

The scenario I am trying to figure out is if he has two roles:

roleA - access to an OTB table that I don't want him to be able to hit with OTB Table REST

roleB - access to scripted rest endpoint via execute ACL /api/scope/v1/foo/bar

Within the scripted rest endpoint code, I need to be able to pull some data from the table that I will deliver to him.

But having given him roleA, he can now go to /now/table/{tableName}

Would like to lock him down to ONLY be able to execute the scripted rest endpoint.

Thanks very much for your responses
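To see the evaluation order Patrick quotes from the docs played against the roleA/roleB scenario in the last reply, here is an added example that is not code from this thread or from ServiceNow: a small model of ACL matching and processing order. Rule and table names are constructed, and the record read rule stands in for the ACL the Table API checks on /now/table/{tableName}.

```javascript
// Added example, not code from the thread: a small model of the ACL evaluation
// described in the docs quote above, applied to the roleA/roleB scenario.
// Rules and table names are constructed; "x_scope_table" is a placeholder.

// Rules in processing order. A user must satisfy EVERY role listed on a rule.
const rules = [
  // Scripted REST resource: executing it requires roleB.
  { type: "rest_service", name: "/api/scope/v1/foo/bar", op: "execute", roles: ["roleB"] },
  // Record read on the data table: requires roleA. The Table API checks this same rule.
  { type: "record", name: "x_scope_table", op: "read", roles: ["roleA"] },
  // Two rules for one object/operation: the admin rule is processed first, then itil.
  { type: "record", name: "incident", op: "read", roles: ["admin"] },
  { type: "record", name: "incident", op: "read", roles: ["itil"] },
];

// Evaluate one request the way the docs describe: a matching rule grants only
// if all its permissions pass; a failed rule hands off to the next matching
// rule; failing every matching rule denies; no matching rule grants by default.
function evaluate(userRoles, type, name, op) {
  const matches = rules.filter(r => r.type === type && r.name === name && r.op === op);
  if (matches.length === 0) {
    return { allowed: true, reason: "no matching rule: default grant" };
  }
  for (const rule of matches) {
    const missing = rule.roles.filter(r => !userRoles.includes(r));
    if (missing.length === 0) {
      return { allowed: true, reason: "passed rule requiring " + rule.roles.join(",") };
    }
    // Failing any permission on this rule moves on to the next matching rule.
  }
  return { allowed: false, reason: "every matching rule failed" };
}

// The thread's integration user holds itil plus both custom roles.
const integrationUser = ["itil", "roleA", "roleB"];

function demo() {
  const exec = (roles) => evaluate(roles, "rest_service", "/api/scope/v1/foo/bar", "execute").allowed;
  return {
    scriptedEndpoint: exec(integrationUser),          // intended: reachable
    withoutRoleB: exec(["itil", "roleA"]),            // drop roleB: denied
    // Unintended: roleA also satisfies the record read rule the Table API uses.
    tableApiRead: evaluate(integrationUser, "record", "x_scope_table", "read").allowed,
    // Processing order: fails the admin rule, passes the itil rule.
    incidentRead: evaluate(integrationUser, "record", "incident", "read").allowed,
    // No rule at all for this resource: the documented default is to grant.
    unprotectedEndpoint: evaluate(["itil"], "rest_service", "/api/scope/v1/other", "execute").allowed,
  };
}
```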