Overview
The problem statement
ServiceNow has a security flaw in the design of its "User Criteria". User Criteria filter what a user sees on the portals, but they do not stop that user from reading the same content by other routes: they are a presentation filter, not an access control.
This is easy to demonstrate: log in as a regular user and request a forbidden knowledge article, or a forbidden service catalog item, through the Table API. The full details of the forbidden record are returned to the end user:
URL example: https://mytenant.service-now.com/api/now/table/kb_knowledge
Such a URL prompts the user to log in and then returns ALL articles, regardless of the configured User Criteria.
In short: User Criteria are not evaluated when records are read through the ServiceNow Table API.
Our solution
Impersonate API Service is a Konverso application that fronts the ServiceNow APIs. A service account calls it on behalf of an end user; the application impersonates that user on its endpoints, so the content returned is restricted to what that user is allowed to see.
Note that this app is not published on the ServiceNow Store, which rejects applications that use impersonation. Contact us for an Update Set; you then have full visibility of the code and of the ACLs that allow only specific, named service accounts to call it.
To start using the application and its features:
Install the application in your ServiceNow environment.
Make sure your service account has the proper roles.
Switch your requests from the native ServiceNow REST endpoints to the Impersonate API Service ones.
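How "impersonation on the endpoints" can be implemented, shown as an added example: this is not Konverso's code and is not taken from the Impersonate API Service Update Set. It is a global-scope Scripted REST resource script that answers a knowledge query as the end user named in the request. The allow-list of service accounts, the ?user= query parameter and the fields returned are assumptions; the resource path is whatever you register for the Scripted REST API. The two controls a practitioner should look for in any such endpoint are the check that the caller is one of the named service accounts (otherwise any authenticated user could read records as someone else) and the unconditional revert of the impersonation in a finally block.

```javascript
// Added example, not Konverso's code: a global-scope Scripted REST resource
// script that reads knowledge articles *as the end user named in the request*
// by impersonating that user. Assumed names: ALLOWED_SERVICE_ACCOUNTS, the
// ?user= query parameter and the fields returned. GlideImpersonate is a
// global-scope API, which is why such code cannot ship through the Store.

// Only these service accounts may call the resource (assumed account name).
var ALLOWED_SERVICE_ACCOUNTS = ['svc.konverso.api'];

// Pure check: the caller must be one of the named service accounts.
function isAllowedCaller(callerUserName, allowList) {
    return allowList.indexOf(String(callerUserName)) !== -1;
}

// Pure check: ?user= must be a plain user_name, never encoded-query syntax.
// Accepts a string or the single-element array queryParams may hand back.
function parseTargetUser(raw) {
    if (Object.prototype.toString.call(raw) === '[object Array]') {
        raw = raw[0];
    }
    var value = String(raw || '').trim();
    return /^[A-Za-z0-9._@-]{1,100}$/.test(value) ? value : null;
}

// Per-record visibility as the impersonated user. canRead() evaluates the
// read ACL for this record. If your kb_knowledge read ACL does not itself
// evaluate User Criteria (the situation this page describes), add the
// knowledge visibility check your portal uses here. Assumption: the exact
// check is left to the deploying instance.
function articleVisibleToUser(kb) {
    return kb.canRead();
}

// Scripted REST entry point. In the resource script, call:
//   handleRequest(request, response);
function handleRequest(request, response) {
    var caller = gs.getUserName();
    if (!isAllowedCaller(caller, ALLOWED_SERVICE_ACCOUNTS)) {
        response.setStatus(403);
        response.setBody({ error: 'caller is not an authorised service account' });
        return;
    }

    var targetUserName = parseTargetUser(request.queryParams.user);
    if (!targetUserName) {
        response.setStatus(400);
        response.setBody({ error: 'missing or invalid user parameter' });
        return;
    }

    var user = new GlideRecord('sys_user');
    user.addQuery('user_name', targetUserName);
    user.addQuery('active', true);
    user.query();
    if (!user.next()) {
        response.setStatus(404);
        response.setBody({ error: 'unknown or inactive user' });
        return;
    }

    var imp = new GlideImpersonate();
    // impersonate() returns the sys_id of the user we were before; keep it to revert.
    var originalUserId = imp.impersonate(user.getUniqueValue());
    try {
        // GlideRecordSecure applies read ACLs as the *impersonated* user.
        var kb = new GlideRecordSecure('kb_knowledge');
        kb.addActiveQuery();
        kb.addQuery('workflow_state', 'published');
        kb.setLimit(100);
        kb.query();
        var articles = [];
        while (kb.next()) {
            if (!articleVisibleToUser(kb)) {
                continue;
            }
            articles.push({
                sys_id: kb.getUniqueValue(),
                number: kb.getValue('number'),
                short_description: kb.getValue('short_description')
            });
        }
        gs.info('ImpersonateAPI: ' + caller + ' read ' + articles.length +
            ' articles as ' + targetUserName);
        response.setStatus(200);
        response.setBody({ user: targetUserName, result: articles });
    } finally {
        // Always revert, even when the query throws; otherwise the service
        // account's session stays impersonated.
        imp.impersonate(originalUserId);
    }
}
```

The service account that calls this resource needs whichever roles your instance requires for impersonation (typically the impersonator role), which is the page's step about proper roles; the ACL on the Scripted REST resource itself should additionally be limited to that account, so the allow-list in the script is a second layer rather than the only one. The target user is validated as a plain user_name before it is used in a query, so a caller cannot smuggle encoded-query operators into the lookup.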