ServiceNow has a security flaw in the design of its "User Criteria". User criteria are used to filter the content shown on portals, but they do not actually restrict the user from accessing that content.
This is easily demonstrated with a simple URL against the Table API for an article or catalog item the user is not supposed to see: the item's details are fully available to the end user.
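To make the filter-versus-restrict distinction concrete, here is an added, constructed model (not ServiceNow's or the project's code) of user criteria applied to a small catalog: the portal listing filters by criteria, a direct lookup in the style of the Table API does not, and a hardened lookup applies the same criteria before returning anything. The users, catalog items and criteria shapes are all invented for illustration.

```javascript
// Constructed model of user criteria ("available for" / "not available for"
// lists of roles, groups or users); sample data, not a real instance.
const users = {
  alice: { roles: ["itil"], groups: ["network"] },
  bob:   { roles: [],       groups: ["hr"] },
};

const catalog = {
  vpn_request: {
    name: "VPN access",
    availableFor:    [{ roles: ["itil"] }],
    notAvailableFor: [{ groups: ["hr"] }],
  },
  payroll_fix: {
    name: "Payroll correction",
    availableFor:    [{ groups: ["hr"] }],
    notAvailableFor: [],
  },
};

// A criterion matches when any listed role, group or user applies to the user.
function criterionMatches(c, userId, user) {
  return (c.roles || []).some(r => user.roles.includes(r)) ||
         (c.groups || []).some(g => user.groups.includes(g)) ||
         (c.users || []).includes(userId);
}

// "Not available for" wins; an empty "available for" list means everyone.
function canAccess(userId, item) {
  const user = users[userId];
  if (item.notAvailableFor.some(c => criterionMatches(c, userId, user))) return false;
  return item.availableFor.length === 0 ||
         item.availableFor.some(c => criterionMatches(c, userId, user));
}

// Portal listing: user criteria only filter what is shown.
function listVisibleItems(userId) {
  return Object.keys(catalog).filter(id => canAccess(userId, catalog[id]));
}

// Unchecked direct lookup: the criteria are never evaluated, so a hidden item
// is returned to a user who should not see it.
function getItemUnchecked(userId, itemId) {
  return catalog[itemId] ? catalog[itemId].name : null;
}

// Hardened direct lookup: evaluate the same criteria as the listing first.
function getItemChecked(userId, itemId) {
  const item = catalog[itemId];
  return item && canAccess(userId, item) ? item.name : null;
}
```

The checked and unchecked lookups differ only in whether the criteria evaluation runs on the direct path; that is the gap an impersonating service layer closes by making the platform evaluate access as the requesting user.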
A side effect of this security flaw
Impersonate API Service is an application for accessing ServiceNow APIs. It uses a service account and restricts the returned content to what the specified user is allowed to see. This is implemented by impersonating that user on the endpoints.
To start using the application and its features:
Install the application in your ServiceNow environment.
Make sure your service account has the required roles.
Switch your requests from the native ServiceNow REST endpoints to the Impersonate API Service endpoints.