If you configure the connector to use User Criteria security (for Catalog Items or Knowledge Articles), the corresponding ACLs of Knowledge Articles are the Can Read, Cannot Read and Can Contribute user criteria (stored as sys_ids). For Catalog Items they are Available For and Not Available For.
Once the content is crawled, a ServiceNow REST API endpoint must be configured to retrieve all the user criteria available to a specific user. This service is called when a logged-in user searches the indexed content: given the email or the sys_id of the user, it returns the list of user criteria the user holds, and that list is used to filter the indexed content in Elasticsearch.
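The filtering described above, as an added example that is not part of the original documentation or the Aspire connector: given the list of user criteria sys_ids returned for a user, it decides which indexed records the user may see and builds the equivalent Elasticsearch bool filter. The index field names and the precedence rule (a matching Cannot Read / Not Available For criterion hides the record; an empty Can Read / Available For list means everyone may see it) are assumptions, and the sys_ids are constructed placeholders.

```javascript
// Added example, not the Aspire connector's own code. Field names and the
// deny-overrides-allow / empty-allow-means-everyone rules are assumptions.
const ACL_FIELDS = {
  knowledge: { allow: "can_read", deny: "cannot_read" },
  catalog: { allow: "available_for", deny: "not_available_for" },
};

function intersects(a, b) {
  return a.some((x) => b.includes(x));
}

// Local security-trimming check: deny criteria win, an empty allow list means
// the record is open to everyone, otherwise one matching criterion is needed.
function isVisible(doc, userCriteria) {
  const f = ACL_FIELDS[doc.type];
  if (!f) return false; // unknown content type: fail closed
  const allow = doc[f.allow] || [];
  const deny = doc[f.deny] || [];
  if (intersects(deny, userCriteria)) return false;
  return allow.length === 0 || intersects(allow, userCriteria);
}

// The same rule as an Elasticsearch bool query for one content type.
function buildEsFilter(type, userCriteria) {
  const f = ACL_FIELDS[type];
  return {
    bool: {
      must_not: [{ terms: { [f.deny]: userCriteria } }],
      should: [
        { bool: { must_not: [{ exists: { field: f.allow } }] } },
        { terms: { [f.allow]: userCriteria } },
      ],
      minimum_should_match: 1,
    },
  };
}

// Constructed sample index records; the uc_* sys_ids are placeholders.
const SAMPLE_DOCS = [
  { id: "kb1", type: "knowledge", can_read: ["uc_hr"], cannot_read: [] },
  { id: "kb2", type: "knowledge", can_read: ["uc_hr"], cannot_read: ["uc_contractor"] },
  { id: "kb3", type: "knowledge", can_read: [], cannot_read: [] },
  { id: "ci1", type: "catalog", available_for: [], not_available_for: ["uc_contractor"] },
];

// Ids of the sample records visible to a user holding the given criteria.
function visibleIds(userCriteria) {
  return SAMPLE_DOCS.filter((d) => isVisible(d, userCriteria)).map((d) => d.id);
}
```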
To create a new, specific Role for the new service, type “Role” in the Filter Navigator on the left and select the “Users and Groups ⇾ Roles” option. Then click the “New” button.
Give the role a name (“UCRole” is recommended) and click the “Submit” button.
The default ACL for Scripted REST APIs is “Scripted REST External Default”. With that ACL, any user with access to the ServiceNow instance is able to execute the exposed services, which is why a dedicated ACL is created for this one.
To create a new, specific ACL for the new service, type “ACL” in the Filter Navigator on the left and select the “System Security ⇾ Access Control (ACL)” option.
If there is no “New” button on screen, you might need to elevate permissions: from the user dropdown, select “Elevate Roles”.
Be sure to have “security_admin” checked and click “OK”.
Now click on the “New” button.
Select “REST_Endpoint” for the “Type” field and give it a name (“UCACL” is recommended).
Scroll down to “Requires Role” and add the “UCRole” we previously created, then click the “Submit” button.
To create a new, specific User for the new service, type “Users” in the Filter Navigator on the left and select the “Users and Groups ⇾ Users” option. Then click the “New” button.
Select a “User Id” and “Password” for the user and check the “Web service access only” option, so the user won’t have UI access, then click the “Submit” button.
Back in the “Users” section, select the user you just created, scroll down to the bottom, select the “Roles” tab and click “Edit”.
Add both the role created previously and the “impersonator” role, then click the “Update” button.
Write “Scripted REST APIs” in the Filter Navigator and select the Scripted REST APIs option.
Press “New” to create a new record.
Write a name for the service. “Aspire UC” is recommended. The “API ID” field will be generated automatically. Click on “Submit” to create the service.
Search for the service in the “Scripted REST APIs” page and click on it.
Scroll to the bottom and click “New” to create a new Resource.
Write a name for the Resource (“getById” is recommended). Make sure that “HTTP method” is set to “GET” and the relative path reflects the specified name.
The script could use the user's email:
Or the user's sys_id:
Paste the provided code below the “// Implement resource here” comment and click “Submit”.
Scroll down to the “Security” tab and click the “Unlock ACLs” button. Remove any default ACLs present and add the ACL created in the “Security” section of this document. Also make sure the “Requires authentication” and “Requires authorization” fields are checked, then click the “Update” button.
Scroll to the bottom of the page. The new resource should now be created. Click on the “Query Parameters” tab.
On the “Query Parameters” tab, click on the “New” button.
Specify the “Query parameter name” (“userId” is recommended) and click the submit button.
Click the “Update” button on the top of the page.
You can now use the created user and an HTTP client directed to
[SERVER]/api/acal/[SERVICE_ID]/[ENDPOINT]?[PARAMETER]=[PARAMETER_VALUE] to retrieve the User Criteria data.
As an example, if your server is named “testServer” and you used the recommended names, you can point the HTTP client at
https://testServer.service-now.com/api/acal/aspire_uc/getById?userId=my.user to retrieve the User Criteria for “my.user”.
The service output looks like this:
If the service is run with a user without permissions, the output should look like this:
Your service is now ready to be used. If names other than the recommended ones were used, they must be supplied when configuring the connector so that the system works correctly.