If you configure the connector to use User Criteria security (for Catalog Items or Knowledge Articles), the corresponding ACLs for Knowledge Articles are the Can Read, Cannot Read and Can Contribute user criteria (sys_id). For Catalog Items they are Available For and Not Available For.

Once the content is crawled, we need to configure a ServiceNow REST API endpoint to retrieve all the criteria that are available to a specific user. This service would be used when a logged-in user is searching indexed content: using the email or the sys_id of the user, the list of available user criteria will filter the indexed content on Elasticsearch.
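An added example (not part of the original page or of the connector's own code) of how the criteria list returned by this service could be turned into an Elasticsearch security filter at query time. The index fields acl_allow and acl_deny and the { result: [...] } response shape are assumptions; deny criteria override allow criteria, and an empty or malformed list matches nothing.

```javascript
// Added example. Assumed names: index fields acl_allow / acl_deny, and a
// response body of the form { result: [<user criteria sys_id>, ...] }.
const SYS_ID = /^[0-9a-f]{32}$/;

// Extract the user-criteria sys_ids from the service's JSON body; malformed entries are dropped.
function parseCriteria(body) {
  const list = body && Array.isArray(body.result) ? body.result : [];
  return [...new Set(list.filter((id) => typeof id === 'string' && SYS_ID.test(id)))];
}

// Build the security filter that is ANDed with the user's search query.
function buildAclFilter(body) {
  const criteria = parseCriteria(body);
  if (criteria.length === 0) {
    // Fail closed: a failed lookup or an empty list must not widen access.
    return { match_none: {} };
  }
  return {
    bool: {
      filter: [{ terms: { acl_allow: criteria } }],   // Can Read / Available For
      must_not: [{ terms: { acl_deny: criteria } }],  // Cannot Read / Not Available For
    },
  };
}

// The same rule evaluated locally, to check the filter logic without a cluster.
function isVisible(doc, body) {
  const criteria = new Set(parseCriteria(body));
  const hit = (ids) => (ids || []).some((id) => criteria.has(id));
  return criteria.size > 0 && hit(doc.acl_allow) && !hit(doc.acl_deny);
}

// Constructed sample data (placeholder sys_ids, not taken from a real instance).
const A = 'a'.repeat(32), B = 'b'.repeat(32), C = 'c'.repeat(32);
const sampleBody = { result: [A, B, 'not-a-sys-id'] };
const sampleDocs = [
  { id: 'kb1', acl_allow: [A], acl_deny: [] },   // allowed through A
  { id: 'kb2', acl_allow: [A], acl_deny: [B] },  // denied through B
  { id: 'kb3', acl_allow: [C], acl_deny: [] },   // no matching criterion
];

function visibleIds(docs, body) {
  return docs.filter((d) => isVisible(d, body)).map((d) => d.id);
}

console.log(JSON.stringify(buildAclFilter(sampleBody)), visibleIds(sampleDocs, sampleBody));
```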

Security

The Role

To create a new specific Role for the new service, write “Role” on the Filter Navigator to the left and select the “Users and Groups -> Roles” option. Then click on the “New” button.


Give the role a name (“UCRole” is recommended) and click the “Submit” button.

The ACL

The default ACL for the Scripted REST API is “Scripted REST External Default”. By default, any user with access to the ServiceNow instance will be able to execute exposed services.

To create a new specific ACL for the new service, write “ACL” on the filter navigator to the left and select the “System Security -> Access Control (ACL)” option.

If there is no “New” button on screen, you might need to elevate permissions: from the user dropdown, select “Elevate Roles”.

Be sure to have “security_admin” checked and click “OK”.

Now click on the “New” button.

Select “REST_Endpoint” for the “Type” field and give it a name (“UCACL” is recommended).

Scroll down to “Requires Role” and add the “UCRole” we previously created, then click the “Submit” button.


The User

To create a new specific User for the new service, write “Users” on the Filter Navigator to the left and select the “Users and Groups -> Users” option. Then click on the “New” button.

Select a “User Id” and “Password” for the user and check the “Web service access only” option, so the user won’t have UI access, then click the “Submit” button.

Back in the “Users” section, select the user you just created, scroll down to the bottom, select the “Roles” tab and click “Edit”.

Add both the role we created previously and the “impersonator” role, then click the “Update” button.

Scripted REST API

The Scripted REST API option

Write “Scripted REST APIs” in the Filter Navigator and select the “Scripted REST APIs” option.

New Scripted REST API

Press “New” to create a new record.


Create the Scripted REST API

Write a name for the service. “Aspire UC” is recommended. The “API ID” field will be generated automatically. Click on “Submit” to create the service.


Select the Scripted REST API

Search for the service in the “Scripted REST APIs” page and click on it.

Resources

New Resource

Scroll to the bottom and click “New” to create a new Resource.

Resource Fields

Write a name for the Resource (“getById” is recommended). Make sure that “HTTP method” is set to “GET” and the relative path reflects the specified name.


The script could use the user's email:

(function process(/*RESTAPIRequest*/ request, /*RESTAPIResponse*/ response) {
    // implement resource here

    var queryParams = request.queryParams;
    var userEmail = queryParams.userEmail;

    // Obtain the user ID (user name) corresponding to the email address
    var userId = gs.getUser().getUserByEmail(userEmail).getName();

    // Remember the service user so the session can be switched back afterwards
    var adminUser = gs.getSession().getUserName().toString();

    var impersonateSuccess = gs.getSession().impersonate(userId);

    try {
        if (impersonateSuccess) {
            // Retrieve all user criteria for the impersonated user
            var allCriterias = SNC.UserCriteriaLoader.getAllUserCriteria();

            response.setBody(allCriterias);
        }
    } finally {
        // Always switch back to the service user, even if the lookup above throws
        gs.getSession().impersonate(adminUser);
    }

    response.setContentType('application/json');
    response.setStatus(200);

})(request, response);


Or the user's sys_id:

(function process(/*RESTAPIRequest*/ request, /*RESTAPIResponse*/ response) {
    // implement resource here

    var queryParams = request.queryParams;
    var userId = queryParams.userId;

    // Remember the service user so the session can be switched back afterwards
    var adminUser = gs.getSession().getUserName().toString();

    var impersonateSuccess = gs.getSession().impersonate(userId);

    try {
        if (impersonateSuccess) {
            // Retrieve all user criteria for the impersonated user
            var allCriterias = SNC.UserCriteriaLoader.getAllUserCriteria();

            response.setBody(allCriterias);
        }
    } finally {
        // Always switch back to the service user, even if the lookup above throws
        gs.getSession().impersonate(adminUser);
    }

    response.setContentType('application/json');
    response.setStatus(200);

})(request, response);



Resource Code

Paste the provided code below the “// Implement resource here” comment and click submit.

Resource ACLs

Scroll down to the “Security” tab and click on the “Unlock ACLs” button. Remove any default ACLs present and add the ACL we created in the “Security” section of this document. Also make sure the “Requires authentication” and “Requires authorization” fields are checked, then click on the “Update” button.

Query Parameters

Scroll to the bottom of the page. The new resource should now be created. Click on the “Query Parameters” tab.

New Query Parameter

On the “Query Parameters” tab, click on the “New” button.

Create the Query Parameter

Specify the “Query parameter name” (“userId” is recommended) and click the submit button.

Final Steps

Update the Scripted REST API

Click the “Update” button on the top of the page.

Test your service

You can now use the created user and an HTTP client directed to

[SERVER]/api/acal/[SERVICE_ID]/[ENDPOINT]?[PARAMETER]=[PARAMETER_VALUE] to retrieve the User Criteria data.

As an example, if your server is named “testServer” and you used the recommended names, you can use the HTTP client directed to

https://testServer.service-now.com/api/acal/aspire_uc/getById?userId=my.user to retrieve User Criteria for “my.user”.

The service output looks like this:

If the service is run with a user without permissions, the output should look like this:

Done!

Your service is now ready to be used. If names other than the recommended ones are used, they must be provided for the correct configuration of the system.
