IBM Security Verify


ISVA Discovery on CMDB

  • 1.  ISVA Discovery on CMDB

    Posted Fri February 02, 2024 08:01 AM

    Hello IBM Community,

    Hope this message finds you well. We're currently working on integrating ServiceNow with ISVA and need some guidance on best practices for creating a user with restricted access. The goal is to limit the user's access to specific endpoints, namely:

    • /net/general
    • /net/dns
    • /wga/reverseproxy
    • /wga/reverseproxy/<reverse_proxy_id>/configuration/stanza/junction/entry_name/match-vhj-first
    • /wga/reverseproxy/<reverse_proxy_id>/junctions
    • /wga/reverseproxy/<reverse_proxy_id>/junctions?junctions_id=<junction_id>
    • /wga/widgets/health.json

    For more details have a look at https://docs.servicenow.com/bundle/vancouver-it-operations-management/page/product/service-mapping/reference/ibm_webseal_discovery_patterns.html


    Our aim is to ensure that the user has access only to the mentioned endpoints and nothing beyond that. We'd appreciate any insights or best practices you can share regarding creating such restricted access in ServiceNow.

    Thank you in advance for your valuable input!



    ------------------------------
    Piyush Agrawal
    https://www.linkedin.com/in/piyush-norway/
    Gjensidige Norway
    ------------------------------


  • 2.  RE: ISVA Discovery on CMDB

    Posted Mon February 05, 2024 10:09 PM

    Hi Piyush,

    In WebSEAL, you can have the security policy to access different URL objects by assigning ACL, POP and authorization rules based on user, group or IP address based restriction. You can find more details here:

    https://www.ibm.com/docs/en/sva/10.0.7?topic=policy-definition-application-security

    Thanks



    ------------------------------
    Virag Patel
    ------------------------------



  • 3.  RE: ISVA Discovery on CMDB

    Posted Tue February 06, 2024 04:10 AM

    These endpoints are behind the ISVA Appliance, not Webseal.
    Is there a way to control ACL there you mean?



    ------------------------------
    Jonatan Wålegård
    ------------------------------



  • 4.  RE: ISVA Discovery on CMDB

    Posted Tue February 06, 2024 09:26 PM

    The endpoint you mentioned in your first post shows a reverse proxy is deployed. WebSEAL/Reverse proxy are the same component on the ISVA appliance. You can create an ACL which defines which groups are allowed to access and attach it to a specific URL.
    I recommend creating an ACL and attaching it to those endpoints.



    ------------------------------
    Virag Patel
    ------------------------------



  • 5.  RE: ISVA Discovery on CMDB

    Posted Wed February 07, 2024 08:24 AM

    These endpoints are behind the ISVA Appliance, not Webseal.



    ------------------------------
    Jonatan Wålegård
    ------------------------------



  • 6.  RE: ISVA Discovery on CMDB

    Posted Fri February 09, 2024 12:09 AM

    To restrict the different sections of the LMI console, you can enable management authorization and provide the access based on the assigned roles.

    More details available at:

    https://www.ibm.com/docs/en/sva/10.0.7?topic=settings-managing-roles-users-groups



    ------------------------------
    Virag Patel
    ------------------------------



  • 7.  RE: ISVA Discovery on CMDB

    Posted Thu February 08, 2024 03:40 AM

    Hi,

    So it seems you want to protect the access to the management interface of the appliance? At first I thought, like other commentators, that you wanted to protect a service which is deployed behind the appliance.

    You can configure these limitations under "System -> Account Management". We only use the "Global Administrator" Role with LDAP Users, but you can definitely configure more fine-grained access. More than one time we had the problem that after an upgrade the new features were not automatically added to our Role so there were some menus we were simply not seeing.



    ------------------------------
    Laurent LA Asselborn
    ------------------------------



  • 8.  RE: ISVA Discovery on CMDB

    Posted Fri February 09, 2024 09:34 AM

    We have already looked into that; it's not at all fine-grained when it comes to the built-in APIs.
    I take it what we're asking for ain't possible.



    ------------------------------
    Jonatan Wålegård
    ------------------------------



  • 9.  RE: ISVA Discovery on CMDB

    Posted Fri February 09, 2024 10:56 AM

    You can probably put the management interface behind a WebSEAL junction. That way you can filter the URLs with DynURL.

    It will probably be a bit of work to find out which URLs to allow and which to block.



    ------------------------------
    Laurent LA Asselborn
    ------------------------------



  • 10.  RE: ISVA Discovery on CMDB

    Posted Sun February 11, 2024 03:22 AM

    If securing the Management Interface API with OAuth or Basic Auth, along with fine-grained access control, isn't feasible, then our next best approach would be to consolidate them behind junctions under a WebSEAL. This would enable us to leverage ACL and POP with OAuth effectively.



    ------------------------------
    Piyush Agrawal
    https://www.linkedin.com/in/piyush-norway/
    Gjensidige Norway
    ------------------------------
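
The thread ends on filtering the management URLs in front of the appliance and notes that working out which URLs to allow takes effort. The sketch below is an added example, not code from any poster, IBM or ServiceNow: it turns the endpoint list from the first post into a strict allowlist and runs it over request lines to show what would be denied. The names `is_allowed` and `audit`, the GET-only rule and the `METHOD target` log format are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

SEG = r"[^/]+"  # stands in for <reverse_proxy_id>: exactly one path segment
# (path pattern, query keys permitted) taken from the endpoint list in the first post
ALLOWED = [
    (r"/net/general", set()),
    (r"/net/dns", set()),
    (r"/wga/reverseproxy", set()),
    (rf"/wga/reverseproxy/{SEG}/configuration/stanza/junction/entry_name/match-vhj-first", set()),
    (rf"/wga/reverseproxy/{SEG}/junctions", {"junctions_id"}),
    (r"/wga/widgets/health\.json", set()),
]

def is_allowed(method, target):
    """Return True only for read requests that exactly match the allowlist."""
    if method != "GET":  # assumption: discovery only needs to read
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:  # absolute or //host style targets
        return False
    path = unquote(parts.path)
    # Anything still encoded after one decode, or using path parameters or
    # backslashes, could be interpreted differently by the server behind us.
    if not path.startswith("/") or any(c in path for c in "%;\\"):
        return False
    # Empty, "." and ".." segments would let a wildcard segment escape the tree.
    if any(s in ("", ".", "..") for s in path.split("/")[1:]):
        return False
    keys = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    return any(re.fullmatch(pat, path) and keys <= ok for pat, ok in ALLOWED)

def audit(lines):
    """Return the 'METHOD target' lines that fall outside the allowlist."""
    return [ln for ln in lines if not is_allowed(*ln.split(" ", 1))]

# Constructed sample request lines (not real appliance logs)
SAMPLE = [
    "GET /net/dns",
    "GET /wga/reverseproxy/rp1/junctions?junctions_id=%2Fapp",
    "GET /wga/reverseproxy/../junctions",
    "GET /wga/reverseproxy/rp1/junctions?junctions_id=%2Fapp&debug=1",
    "PUT /net/dns",
    "GET /not/on/the/list",
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print("DENY", line)
```

Running the same check over recorded requests from a discovery run is one way to confirm the allowlist is complete before enforcing it.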