How to enforce strict REST API security - Support and Troubleshooting

How to enforce strict REST API security Issue Whilst it is possible to lock down the REST API user ACLs to selectively access a table, but not others, there are out of the box ACLs that were intended for this purpose that are not well know because they are not enabled by default. See info below.

Release All

Cause This is useful to know in a context where security should be enforced so only what is permitted should be granted.

Resolution This is an extract from the relevant docs

REST API ACLs https://docs.servicenow.com/csh?topicname=c_RESTAPI.html&version=latest

REST API security By default, ServiceNow REST APIs use basic authentication or OAuth to authorize user access to REST APIs/endpoints. You can also configure your instance to use multi-factor authentication to access REST APIs. There is no support for inbound mutual authentication.

The user ID that you specify in a REST endpoint call is subject to access control in the same way as an interactive user. Each request requires the proper authentication information, such as user name and password. Ensure that each endpoint request includes an Authorization header with sufficient credentials to access the endpoint.

ServiceNow REST APIs also support cookies that enable binding to the existing session.

REST API roles In addition to user authentication, each REST endpoint can have different requirements for the roles required to access the endpoint. Some require the admin role and others require API specific roles. Role requirements are specified in the access control list (ACL) associated with the REST API/endpoint. For specifics on the valid roles for each REST API/endpoint, refer to the REST API reference or locate the associated ACL for the API/endpoint within an instance through Security System > Access Control (ACL).

REST API ACLs REST API ACLs define criteria, such as the roles needed and conditions that a user must meet to access a ServiceNow REST API or endpoint. A single ACL may be defined for an entire REST API, such as the Table API and Attachment API ACLs, or for an individual endpoint, such as the Table API and Attachment API ACLs that only applies to MetricBase PUT methods.

The following ServiceNow REST API ACLs are available in the base system but are deactivated by default. All other ServiceNow REST API ACLs are active by default.

Table API Aggregate API Import Set API Attachment API