API Access Policy - Inbound API Request Overview

Issue

In ServiceNow, Access Control Lists (ACLs) and API Access Policies are both mechanisms for controlling access to instance resources, but they operate at different layers and with different scopes.

- API Access Policies are evaluated first (at the gateway/authentication layer).
- ACLs are evaluated after (at the data access layer).

Key Comparison between ACL and API Access Policy

| | ACL | API Access Policy |
|---|---|---|
| Layer | Data/UI layer | Integration/API layer |
| Scope | Record/field level | API endpoint level |
| Controls | CRUD on tables/fields | API calls, rate limits, IP restrictions |
| Default Mode | Deny unless allowed | Allow unless restricted |
| Conditions | Roles, scripts, user criteria | HTTP method, path, IP, auth profile |
| Use Case | Role-based data security | Integration/API governance |
| Audience | ServiceNow users | External systems/integrations |
| Configuration | Defined in ACL rules | Defined in API Access Policy module |

Note: In practice, ACLs are default deny-all. In theory, however, if there are no matching access control rules for the requested object and operation, the system grants the user access to it. It is rare for the system to find no matching rules, because it has a set of default access control rules that protect all record operations (Ref: Explore Access Control Lists).
This is in contrast to API Access Policies, which are allow-all by default. When you create a new API Access Policy, it starts with no restrictions, so all authenticated API calls are permitted. To restrict access to the API, you need to add an Authentication Profile with API authentication policies containing conditions with filter criteria, including:

- IP filter criteria
- Role filter criteria
- Group filter criteria
- Authentication Scheme

Until you define these rules, the policy does not block anything.

Release

All

Resolution

ServiceNow provides a Table GET API Access Policy, which is not active out of the box. In the following example, we have configured the API access policy for the [sys_user] table with an Authentication Policy containing the filter criteria condition Role=rest_service.

We have created a web service user rest_user with the role snc_platform_rest_api_access.

Note: Table API is the ServiceNow REST API ACL, which is deactivated by default. If this ACL is enabled, all Table API users need to have the snc_platform_rest_api_access role to access the resources.

When the user rest_user makes a Table API request to the [sys_user] table with the API URL /api/now/table/sys_user, we get a 401 Unauthorized status code in return.

```json
{
  "error": {
    "detail": "Required to provide Auth information",
    "message": "User Not Authenticated"
  },
  "status": "failure"
}
```

The request is successful once we add the rest_service role to the user, as required by the previously defined Authentication Policy.

Please note that in this example the API Access Policy is applied only to the [sys_user] table. All other Table APIs are unaffected by this policy. You can apply the policy to all tables by selecting the Apply to all tables checkbox.
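The two-layer evaluation and the [sys_user] scenario above, as a simplified decision model. This is an added example, not ServiceNow code: the class and function names are hypothetical, `incident` is only a sample second table, every applicable policy must pass (a simplification), and reporting an ACL denial as 403 is an assumption of the model.

```python
from dataclasses import dataclass

REST_ACL_ROLE = "snc_platform_rest_api_access"  # role named on the page

@dataclass(frozen=True)
class ApiAccessPolicy:
    tables: frozenset                 # tables the policy is scoped to
    required_roles: frozenset         # role filter criteria; empty = nothing defined yet
    all_tables: bool = False          # models the "Apply to all tables" checkbox

    def blocks(self, table, roles):
        in_scope = self.all_tables or table in self.tables
        # A policy with no criteria restricts nothing (allow unless restricted).
        return in_scope and bool(self.required_roles) and not (self.required_roles & roles)

def table_api_get(user_roles, table, policies, rest_acl_enabled=False):
    """Status this model assigns to GET /api/now/table/<table> for an authenticated user."""
    roles = frozenset(user_roles)
    # Layer 1: API Access Policies are evaluated first.
    if any(p.blocks(table, roles) for p in policies):
        return 401  # the status shown in the page's example
    # Layer 2: ACLs are evaluated after. Only the REST API ACL is modelled here;
    # table and field ACLs are assumed to grant read.
    if rest_acl_enabled and REST_ACL_ROLE not in roles:
        return 403  # assumption of this model: ACL denial is reported as 403
    return 200

def demo():
    # Constructed scenario mirroring the page's example.
    policy = ApiAccessPolicy(frozenset({"sys_user"}), frozenset({"rest_service"}))
    empty = ApiAccessPolicy(frozenset({"sys_user"}), frozenset())
    everywhere = ApiAccessPolicy(frozenset(), frozenset({"rest_service"}), all_tables=True)
    rest_user = {REST_ACL_ROLE}
    return {
        "sys_user without rest_service": table_api_get(rest_user, "sys_user", [policy], True),
        "sys_user with rest_service": table_api_get(rest_user | {"rest_service"}, "sys_user", [policy], True),
        "incident, policy scoped to sys_user": table_api_get(rest_user, "incident", [policy], True),
        "incident, policy on all tables": table_api_get(rest_user, "incident", [everywhere], True),
        "sys_user, policy with no criteria": table_api_get(rest_user, "sys_user", [empty], True),
        "rest_service only, REST ACL enabled": table_api_get({"rest_service"}, "sys_user", [policy], True),
    }

if __name__ == "__main__":
    for case, status in demo().items():
        print(status, case)
```

The last case shows why both layers matter: a user who satisfies the API Access Policy is still subject to the ACL check that follows it.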
Inbound API Request Authentication / Authorization Flow in ServiceNow

Related Links

KB0813159: How to enforce strict REST API security