mid_server role needs to inherit snc_platform_rest_api_access - Known Error

mid_server role needs to inherit snc_platform_rest_api_access Description If MID Server login users don't have the snc_platform_rest_api_access role, REST APIs used by the mid server may not work due to REST level status 403 Not Authorized errors

Causing symptoms including: /api/mid/v2/glideRecord/ecc_agent_script_include errors, preventing MID Server Script Include sync, causing errors in various features including Discovery Patterns, JavascriptProbe integrations, Event Management connectors, etc. /api/sn_kmf/v1/signature/validation_configuration errors, causing problems for MID Server Upgrades

Steps to Reproduce

Generic MID Server Script Include example, using JSUtil, which is called from lots of Discovery patterns:

In a Washington instance, that has a MID Sevrer set up Enable the "Table API" ACL MID Server -> Scripts - Background run: ms.log(JSUtil.nil("hello"));

Expected behaviour: *** MID Script Include RGR attempt for name=JSUtil HTTP GET to https:// .service-now.com/api/mid/v2/glideRecord/ecc_agent_script_include completed HTTP GET to https:// .service-now.com/api/mid/v2/glideRecord/ecc_agent_script_include returned status 200 HTTP GET to /api/mid/v2/glideRecord/ecc_agent_script_include returned status 200 signature validation PASSED for ecc_agent_script_include 1d5557480a0a0b84026940e176f072e9 when considering the following fields: script *** Script: false

Actual behaviour: MID Script Include cache miss for name=JSUtil *** MID Script Include RGR attempt for name=JSUtil HTTP GET to https:// .service-now.com/api/mid/v2/glideRecord/ecc_agent_script_include completed HTTP GET to https:// .service-now.com/api/mid/v2/glideRecord/ecc_agent_script_include returned status 403 HTTP GET to /api/mid/v2/glideRecord/ecc_agent_script_include returned status 403 GET to /api/mid/v2/glideRecord/ecc_agent_script_include generated an HTTP 403: java.io.IOException: GET to /api/mid/v2/glideRecord/ecc_agent_script_include generated an HTTP 403: com.service_now.mid.rest.gliderecord.SignedMapRepository.bail(SignedMapRepository.java:68) com.service_now.mid.rest.gliderecord.SignedMapRepository.find(SignedMapRepository.java:62) com.service_now.mid.rest.gliderecord.SignedGlideRecord.query(SignedGlideRecord.java:221) com.service_now.mid.script.MIDScriptIncludes.getScriptFromDB(MIDScriptIncludes.java:173) com.service_now.mid.script.MIDScriptIncludes.getScript(MIDScriptIncludes.java:114) com.service_now.mid.script.MIDScriptIncludes.getScriptInclude(MIDScriptIncludes.java:91) com.service_now.mid.script.MIDScriptIncludes.include(MIDScriptIncludes.java:230) com.service_now.mid.script.MIDRhinoScope.handleScriptInclude(MIDRhinoScope.java:135) com.service_now.mid.script.MIDRhinoScope.get(MIDRhinoScope.java:69) org.mozilla.javascript.ScriptableObject.getProperty(ScriptableObject.java:2283) org.mozilla.javascript.ScriptRuntime.topScopeName(ScriptRuntime.java:2104) org.mozilla.javascript.ScriptRuntime.name(ScriptRuntime.java:1999) org.mozilla.javascript.Interpreter.interpretLoop(Interpreter.java:1820) org.mozilla.javascript.Interpreter.interpret(Interpreter.java:1030) org.mozilla.javascript.InterpretedFunction.lambda$call$0(InterpretedFunction.java:161) com.service_now.mid.script.MIDScriptContext$ScriptCaller.call(MIDScriptContext.java:25) org.mozilla.javascript.InterpretedFunction.call(InterpretedFunction.java:160) org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:725) org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:4024) org.mozilla.javascript.InterpretedFunction.exec(InterpretedFunction.java:173) com.service_now.mid.script.MIDScript.executeCompiledScript(MIDScript.java:320) com.service_now.mid.script.MIDScript.evaluate(MIDScript.java:176) com.service_now.mid.queue_worker.SystemCommand.handleScript(SystemCommand.java:673) com.service_now.mid.queue_worker.SystemCommand.handleCommandLegacy(SystemCommand.java:216) com.service_now.mid.queue_worker.SystemCommand.probe(SystemCommand.java:130) com.service_now.mid.probe.AProbe.process(AProbe.java:155) com.service_now.mid.queue_worker.AWorker.runWorker(AWorker.java:140) com.service_now.mid.queue_worker.AWorkerThread.run(AWorkerThread.java:20) com.service_now.mid.threadpool.ResourceUserQueue$RunnableProxy.run(ResourceUserQueue.java:643) java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) java.base/java.lang.Thread.run(Thread.java:833)

Unable to retrieve MID Script Include 'JSUtil' from the instance. Retry attempt 1 ... Unable to retrieve MID Script Include 'JSUtil' from the instance. Aborted. Dispatching event: 'GenericScalarMetricEvent' to 34 registered listeners Completed dispatching event: 'GenericScalarMetricEvent' *** MID Script Include RGR non-existent for name=JSUtil Dispatching event: 'GenericCounterMetricEvent' to 34 registered listeners Completed dispatching event: 'GenericCounterMetricEvent' MID Script Include 'JSUtil' does not exist. Marking it to prevent future queries. com.service_now.mid.script.MIDEcmaError: "JSUtil" is not defined. ad_hoc:null : Line(1) column(0) ==> 1: ms.log(JSUtil.nil("hello")); Output: null

Also often seen for IntegrationHub IPaasActionProbe:

Unable to retrieve MID Script Include 'JSON' from the instance.

Workaround Your " Table API " ACL will need to allow the MID Server user access. Either:

Modify the ACL, adding mid_server user to the ACL Modify the user, adding the snc_platform_rest_api_access role If a modified, or a custom copy of the ACL was created, then it may still be blocking the MID Server's requests even if the user has the snc_platform_rest_api_access role. You will need to work out how best to modify it to allow the MID Server access.

Another potentially problematic ACL is " Scripted REST External Default " ACL, which requires snc_internal role , and not snc_external role. This may have also been customised to require additional roles including snc_platform_rest_api_access. /sys_security_acl.do?sys_id=cf9d01d3e73003009d6247e603f6a990 This is involved in the MID Server's requests for KMF information via /sn_kmf/v1/signature/validation_configuration which would prevent the MID Server upgrading.