Setting Up REST API Access Policies in ServiceNow: A Guide for Ensuring Only Chuck's Incidents Get Through

So, you’ve decided to take the plunge and secure your ServiceNow instance, ensuring only the creator of an incident, let’s call them Chuck with username streyda_chuck, can access their own precious data via the REST API. Well, buckle up, because we’re about to embark on an adventure filled with OAuth, scripts, and Postman. But don’t worry, I’ll be your guide. Let’s get started!

Prerequisites:

  1. A ServiceNow instance (the magical kingdom).

  2. Postman (your trusty tool).

  3. Admin access to ServiceNow (your magic wand).


Step 1: Creating an OAuth Application Registry in ServiceNow

First, we need to create an OAuth application in ServiceNow. Think of it as giving Postman a VIP pass to our instance.

  1. Log into your ServiceNow instance as an admin.

  2. Navigate to System OAuth > Application Registry.

  3. Click New to create a new OAuth application.

  4. Select Create an OAuth API endpoint for external clients.

Configure the OAuth Application:

  • Name: Postman OAuth Incidents (because why not?)

  • Client ID: Leave it blank to auto-generate (we love surprises).

  • Client Secret: Click the lock icon to generate one (no peeking!).

  • Redirect URL: https://oauth.pstmn.io/v1/callback

Save the record and note down the Client ID and Client Secret (your keys to the kingdom).


Step 2: Assigning Roles to the OAuth Application

Now, let’s give our VIP some roles so it can do something useful.

  1. Navigate to System OAuth > Application Registry and open the OAuth application you created.

  2. Scroll down to the Application Roles related list and click on New.

  3. Add the necessary roles, such as rest_api_explorer (we’re feeling generous).


Step 3: Creating a REST API Access Policy

This is where the real magic happens. We’re going to create a policy to ensure only streyda_chuck's incidents see the light of day.

  1. Navigate to System Web Services > REST API Access Policies.

  2. Click New to create a new access policy.

Configure the Access Policy:

  • Name: Restrict Incident API Access (because we’re serious about this).

  • Active: True (duh).

  • API: Table API (we’re not playing around).

  • Operation: GET

  • Resource: /api/now/table/incident

Conditions:

  • Roles: Specify any roles required for accessing the API.

  • Script: Use a custom script to restrict access to incidents created by streyda_chuck.

Example Script:

(function process(request, response) {
    // Username of the caller that presented the OAuth token.
    var currentUser = gs.getUser().getName();

    // Only streyda_chuck may use this endpoint; everyone else gets a 403.
    if (currentUser !== 'streyda_chuck') {
        response.setStatus(403);
        response.setBody({error: 'Access denied'});
        return;
    }

    // Query the incident table for records created by the caller only.
    var tableName = 'incident';
    var gr = new GlideRecord(tableName);
    gr.addQuery('sys_created_by', currentUser);
    gr.query();

    // Collect the display value of each matching incident.
    var result = [];
    while (gr.next()) {
        result.push(gr.getDisplayValue());
    }

    response.setStatus(200);
    response.setBody(result);
})(request, response);
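The same ownership rule as an added example that can be run and tested outside ServiceNow (this is not the post's script and not ServiceNow API code): the GlideRecord query and gs.getUser() call are replaced by plain Node.js functions over a constructed list of incident records. The allow-list holds only streyda_chuck, as in the post; the third function goes one step further than the post and checks ownership for any caller rather than a single hard-coded username, which is what a per-user incident policy usually wants.

```javascript
// Added example, not from the post. Mirrors the policy script's two checks
// (caller allow-list, then "created by the caller" filter) in plain Node.js.

// Assumed allow-list: the single user named in the post.
const ALLOWED_USERS = new Set(['streyda_chuck']);

// Constructed sample records with the two incident fields the policy looks at.
const SAMPLE_INCIDENTS = [
  { number: 'INC0010001', sys_created_by: 'streyda_chuck', short_description: 'VPN drops' },
  { number: 'INC0010002', sys_created_by: 'other_user',    short_description: 'Printer jam' },
  { number: 'INC0010003', sys_created_by: 'streyda_chuck', short_description: 'Laptop slow' },
];

// First branch of the post's script: any caller not on the list gets a 403 body.
function authorize(userName) {
  if (!ALLOWED_USERS.has(userName)) {
    return { status: 403, body: { error: 'Access denied' } };
  }
  return null; // caller is authorized
}

// Equivalent of the GlideRecord query: keep only records whose sys_created_by
// equals the caller, then return the display strings with a 200 status.
function listOwnIncidents(userName, incidents) {
  const denied = authorize(userName);
  if (denied) return denied;
  const result = incidents
    .filter((inc) => inc.sys_created_by === userName)
    .map((inc) => `${inc.number}: ${inc.short_description}`);
  return { status: 200, body: result };
}

// Generalisation beyond the post: a per-record ownership check that works for any
// authenticated user. An empty or missing username never matches a record, so an
// unauthenticated caller cannot match incidents whose creator field is blank.
function canReadIncident(userName, incident) {
  return typeof userName === 'string' && userName.length > 0 &&
    incident.sys_created_by === userName;
}
```

Run `listOwnIncidents('streyda_chuck', SAMPLE_INCIDENTS)` to see the two incidents Chuck created, and the same call with `'other_user'` to see the 403 response the post's script would send.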

Step 4: Getting an OAuth Token Using Postman

Now it’s time to suit up Postman with our OAuth token. Let’s get that VIP pass validated.

  1. Open Postman and create a new request.

  2. Go to the Authorization tab.

  3. Select OAuth 2.0 as the type.

  4. Click on Get New Access Token.


Configure the Token Settings:

  • Token Name: ServiceNow Incident Token (or something snazzy).

  • Grant Type: Authorization Code

  • Callback URL: https://oauth.pstmn.io/v1/callback

  • Auth URL: https://<instance_name>.service-now.com/oauth_auth.do

  • Access Token URL: https://<instance_name>.service-now.com/oauth_token.do

  • Client ID: (Your ServiceNow OAuth application Client ID)

  • Client Secret: (Your ServiceNow OAuth application Client Secret)

  • Scope: Leave this blank

  • State: A unique identifier to maintain the state between the request and callback

Click on Request Token, authorize the application, and obtain the token.


Step 5: Using the OAuth Token in Postman Requests

Finally, let’s use that shiny new token to fetch some data.

  1. In the Authorization tab of your Postman request, select OAuth 2.0 and ensure your token is selected.

  2. Set the request type to GET.

  3. Use the following URL format: https://<instance_name>.service-now.com/api/now/table/incident

  4. Add necessary headers, including the authorization header with your OAuth token.


Example Postman Configuration for Testing

  1. Configure OAuth 2.0 Authorization in Postman:

  • Open Postman and create a new request.

  • Go to the Authorization tab.

  • Select OAuth 2.0 as the type.

  • Click on Get New Access Token.

  2. Fill in the Token Settings:

  • Token Name: ServiceNow Incident Token

  • Grant Type: Authorization Code

  • Callback URL: https://oauth.pstmn.io/v1/callback

  • Auth URL: https://<instance_name>.service-now.com/oauth_auth.do

  • Access Token URL: https://<instance_name>.service-now.com/oauth_token.do

  • Client ID: (Your ServiceNow OAuth application Client ID)

  • Client Secret: (Your ServiceNow OAuth application Client Secret)

  • Scope: Leave this blank

  • State: A unique identifier to maintain the state between the request and callback

  3. Use the Token in API Requests:

  • In the Authorization tab of your Postman request, select OAuth 2.0 and ensure your token is selected.

  • Set the request type to GET.

  • Use the following URL https://<instance_name>.service-now.com/api/now/table/incident


Summary

Congratulations! You’ve successfully set up REST API access policies in ServiceNow, ensuring only streyda_chuck’s incidents are accessible via the API. This setup ensures secure access, letting you sleep easy knowing your data is safe and sound. If you run into any issues, don’t hesitate to reach out for help. Happy coding!
