Limit access to the API

Hey.

I want to limit the access to the API by having one service account (system user) only executing one set of scripts and another service account executing another set of scripts. Neither service account should be able to execute the other set of scripts.

I've created two new program functions and two permission groups and assigned my two users to different permission groups.

If I try to do this internally (logged in to the AppServer and executing the script) and externally (from ServiceNow), they both get "You are not allowed to use that feature."

Please help!

Henrik

  • I'm gonna try asking this question a third time:

    Is there a way to limit the access to the API?

    @mekindad

  • Markus's solution works....

    • I created 2 x Scripts (CCC_TestScript_A and CCC_TestScript_B) both with a single public function:

    Public Function CCC_TestScriptA () As String
    	Return "This is CCC_TestScriptA"
    End Function

    • I created 2 x Groups (CCC_TestAPIGroup_A and CCC_TestAPIGroup_B)
    • I added the 2 Groups to the Common_StartScripts program function
    • I created 2 x Program Functions (CCC_TestFunction_A and CCC_TestFunction_B)
    • I added each associated Group to its Program Function (i.e. CCC_TestAPI_Group_A => CCC_TestFunction_A)
    • I added each associated Script to its Program Function (i.e. CCC_TestScript_A => CCC_TestFunction_A)
    • I created 2 x system users (cccAPIUserA and cccAPIUserB)
    • I added each user to its associated group (i.e. cccAPIUserA => CCC_TestAPI_Group_A)

    Then I ran this PowerShell to validate the security:

    # Log in as the first service account; the session cookie is kept in $wsession
    $authdata = @{AuthString="Module=DialogUser;User=cccAPIUserA;Password=******"}
    $authJson = ConvertTo-Json $authdata -Depth 2
    
    Invoke-RestMethod -Uri "https://******/AppServer/auth/apphost" -Body $authJson.ToString() -Method Post -UseDefaultCredentials -Headers @{Accept="application/json"} -SessionVariable wsession
    
    # The test scripts take no parameters, so the request body is an empty JSON object
    $body = @{} | ConvertTo-Json
    
    # Script assigned to this user's group: expected to succeed
    $result = (Invoke-RestMethod -Uri "https://******/AppServer/api/script/CCC_TestScriptA" -WebSession $wsession -Method Put -Body $body -ContentType application/json).result
    Write-Host $result.ToString()
    Clear-Variable result
    
    # Script assigned to the other group: expected to be rejected
    $result = (Invoke-RestMethod -Uri "https://******/AppServer/api/script/CCC_TestScriptB" -WebSession $wsession -Method Put -Body $body -ContentType application/json).result
    Write-Host $result.ToString()
    Clear-Variable result
    
    # Standard script not assigned to either test program function: expected to be rejected
    $result = (Invoke-RestMethod -Uri "https://******/AppServer/api/script/QER_GetWebBaseURL" -WebSession $wsession -Method Put -Body $body -ContentType application/json).result
    Write-Host $result.ToString()
    Clear-Variable result
    
    # End the session
    Invoke-RestMethod -Uri "https://******/AppServer/auth/logout" -WebSession $wsession -Method Post

    I correctly received:

    1. This is CCC_TestScriptA
    2. Invoke-RestMethod : {"responseStatus":{"message":"You are not authorized to run this method."},"errorString":"You are not authorized to run this method.","exceptions":[{"number":810323,"message":"You are not authorized to run this method."}]}
    3. Invoke-RestMethod : {"responseStatus":{"message":"You are not authorized to run this method."},"errorString":"You are not authorized to run this method.","exceptions":[{"number":810323,"message":"You are not authorized to run this method."}]}

    Showing that it doesn't have access to every script function (e.g. QER_GetWebBaseURL) but only the one assigned to it through the group (i.e. CCC_TestScriptA).
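The check above covers one user. The following PowerShell is an added example, not code from the thread or from One Identity, that extends it to the full matrix: both service accounts against both test scripts plus the unrelated QER_GetWebBaseURL, with each cell compared against the expected allow/deny pattern. It uses the same endpoints and the error number 810323 shown in the output above; the host, the passwords and every "<...>" value are placeholders, and treating 810323 as "denied" is an assumption based on that output.

```powershell
# Added example (not from the original post): verifies the allow/deny matrix for the
# two service accounts described in the thread. Host and passwords are placeholders.

$baseUrl = "https://<appserver-host>/AppServer"   # placeholder, replace with your AppServer URL

# Placeholder credentials for the two system users created in the thread
$passwords = @{
    "cccAPIUserA" = "<password-for-A>"
    "cccAPIUserB" = "<password-for-B>"
}

# Expected result per user and script: $true = call must succeed, $false = must be denied
$expected = @{
    "cccAPIUserA" = @{ "CCC_TestScriptA" = $true;  "CCC_TestScriptB" = $false; "QER_GetWebBaseURL" = $false }
    "cccAPIUserB" = @{ "CCC_TestScriptA" = $false; "CCC_TestScriptB" = $true;  "QER_GetWebBaseURL" = $false }
}

# Error number the AppServer returned in the thread for a script the user may not run (assumption)
$notAuthorizedNumber = 810323

function Invoke-ScriptAsUser {
    param([string]$User, [string]$Password, [string]$ScriptName)

    # Log in as the service account; the session cookie is kept in $session
    $auth = @{ AuthString = "Module=DialogUser;User=$User;Password=$Password" } | ConvertTo-Json -Depth 2
    Invoke-RestMethod -Uri "$baseUrl/auth/apphost" -Method Post -Body $auth -UseDefaultCredentials `
        -ContentType "application/json" -Headers @{ Accept = "application/json" } `
        -SessionVariable session | Out-Null

    try {
        $body = @{} | ConvertTo-Json
        $null = Invoke-RestMethod -Uri "$baseUrl/api/script/$ScriptName" -WebSession $session `
            -Method Put -Body $body -ContentType "application/json"
        return "Allowed"
    }
    catch {
        $err = $_
        # On an HTTP error Invoke-RestMethod exposes the JSON response body in ErrorDetails.Message
        $detail = $err.ErrorDetails.Message
        if ($detail) {
            try {
                $parsed = $detail | ConvertFrom-Json
                $hits = @($parsed.exceptions | Where-Object { $_.number -eq $notAuthorizedNumber })
                if ($hits.Count -gt 0) { return "Denied" }
            } catch { }
        }
        # Anything else (wrong URL, missing script, server error) is reported as its own outcome
        return "Error: $($err.Exception.Message)"
    }
    finally {
        # Always end the session, even when the script call failed
        try { Invoke-RestMethod -Uri "$baseUrl/auth/logout" -WebSession $session -Method Post | Out-Null } catch { }
    }
}

$mismatches = 0
foreach ($user in $expected.Keys) {
    foreach ($script in $expected[$user].Keys) {
        $outcome = Invoke-ScriptAsUser -User $user -Password $passwords[$user] -ScriptName $script
        $want = if ($expected[$user][$script]) { "Allowed" } else { "Denied" }
        $ok = ($outcome -eq $want)
        if (-not $ok) { $mismatches++ }
        [pscustomobject]@{ User = $user; Script = $script; Expected = $want; Actual = $outcome; OK = $ok }
    }
}

if ($mismatches -gt 0) {
    Write-Warning "$mismatches permission check(s) did not match the expected matrix"
    exit 1
}
```

Every cell of the matrix is exercised in a fresh login so a cookie from one user can never leak into another user's check, and an outcome other than "Allowed" or "Denied" (for example a wrong script name) is shown as an error rather than being silently counted as a successful denial.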

  • Thanks for taking the time for this, Ben!
