If you configure the connector to use User Criteria security (for Catalog Items or Knowledge Articles), the corresponding ACLs of Knowledge Articles would be the Can Read, Cannot Read, Can Contribute user criteria (sys_id), for Catalog Items would be Available For and No Available For.

Once the content is crawl, we need to configure a ServiceNow REST API endpoint to retrieve all the criteria that is available to a specific user. This will be use during query time in Elastic Search, for the login user.

Security

The Role

To create a new specific Role for the new service, write “Role” on the Filter Navigator to the left and select the “Users and Groups -> Roles” option. Then click on the “New” button.

Give the role a name (“UCRole” is recommended) and click the “Submit” button.

The ACL

The default ACL for the Scripted REST API is “Scripted REST External Default”. By default, any user with access to the ServiceNow instance will be able to execute exposed services.

To create a new specific ACL for the new service, write “ACL” on the filter navigator to the left and select the “System Security-> Access Control (ACL)” option.

If there is no “New” button on screen you might need to elevate permissions: from the user dropdown, select “Elevate Roles”.

Be sure to have “security_admin” checked and click “OK”.

Now click on the “New” button.

Select “REST_Endpoint” for the “Type” field and give it a name (“UCACL” is recommended)

Scroll down to “Requires Role” and add the “UCRole” we previously created then click the “Submit” button.

The User

To create a new specific User for the new service, write “Users” on the Filter Navigator to the left and select the “Users and Groups -> Users” option. Then click on the “New” button.

Select a “User Id” and “Password” for the user and check the “Web service access only” option so the user won’t have UI access, then click the “Submit” button.

Back on the “Users” section, select the user you just created, scroll down to the bottom, select the “Roles” tab and click “Edit”.

Add both, the role we created previously and the “impersonator” role, then click the “Update” button.

Scripted REST API

The Scripted REST API option

Write "Scripted REST APIs" in the Filter Navigator and select the Scripted REST APIs option.

New Scripted REST API                   

Press "New" to create a new record.

Create the Scripted REST API

Write a name for the service. "Aspire UC" is recommended. The “API ID” field will be generated automatically. Click on "Submit" to create the service.

Select the Scripted REST API

Search for the service in the “Scripted REST APIs” page and click on it.

Resources

New Resource

Scroll to the bottom and click "New" to create a new Resource.

Resource Fields

Write a name for the Resource (“getById” is recommended). Make sure that “HTTP method” is set to “GET” and the relative path reflects the specified name.

Resource Code

Paste the provided code below the “// Implement resource here” comment and click submit.

Resource ACLs

Scroll down to the “Security” tab and click on the “Unlock ACLs” button. Remove any default ACLs present and add the ACL we created on the “Security” section of this document. Also make sure the “Requires authentication” and “Requires authorization” fields are checked, then click on the “Update” button.

Query Parameters

Query Parameters tab

Scroll to the bottom of the page. The new resource should now be created. Click on the “Query Parameters” tab.

New Query Parameter

On the "Query Parameters" tab, click on the “New” button.

Create the Query Parameter

Specify the “Query parameter name” (“userId” is recommended) and click the submit button.

Final Steps

Update the Scripted REST API

Click the “Update” button on the top of the page.

Test your service

You can now use the created user and an http client directed to

[SERVER]/api/acal/[ SERVICE_ID]/[ENDPOINT]?[PARAMETER]=[PARAMETER_VALUE]

to retrieve the User Criteria data.

As an example, if your served is named “testServer” and you used the recommended names, you can use the httpclient directed to

https://testServer. service-now.com/api/acal/aspire_uc/getById?userId=my.user to retrieve User Criteria for “my.user”;

The service output looks like this:

If the service is run with a user without permissions, the output should look like this:

Done!

Your service is now ready to be used. If names other than the recommended ones were used, they must be provided for the correct configuration of the system.