If securing the Management Interface API with OAuth or Basic Auth, along with fine-grained access control, isn't feasible, then our next-best approach would be to consolidate them behind junctions under a WebSEAL. This would enable us to leverage ACLs and POPs with OAuth effectively.
Original Message:
Sent: Fri February 09, 2024 10:56 AM
From: Laurent LA Asselborn
Subject: ISVA Discovery on CMDB
You can probably put the management interface behind a WebSEAL junction. That way you can filter the URLs with DynURL.
It will probably be a bit of work to find out which URLs to allow and which to block.
------------------------------
Laurent LA Asselborn
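The allow/block decision described in the two replies above (junction plus DynURL filtering, or junction plus ACL/POP), worked through as an added example that is not from this thread or from IBM's product: it takes the endpoint list from the original question, turns each `<placeholder>` into exactly one path segment or query value, and denies every other management URL or method. Request targets below are constructed samples, and the `is_allowed` helper is hypothetical.

```python
import re
from urllib.parse import urlsplit, unquote

# Endpoints the ServiceNow discovery user needs, taken from the question.
# <name> stands for exactly one path segment (or one query value).
ALLOWED_ENDPOINTS = [
    "/net/general",
    "/net/dns",
    "/wga/reverseproxy",
    "/wga/reverseproxy/<reverse_proxy_id>/configuration/stanza/junction/entry_name/match-vhj-first",
    "/wga/reverseproxy/<reverse_proxy_id>/junctions",
    "/wga/reverseproxy/<reverse_proxy_id>/junctions?junctions_id=<junction_id>",
    "/wga/widgets/health.json",
]
ALLOWED_METHODS = {"GET"}  # discovery only reads; nothing is written back

PLACEHOLDER = re.compile(r"<[^>]+>")

def _compile(template, segment_class):
    """Escape the literal text, let each <placeholder> match one non-empty segment."""
    literals = PLACEHOLDER.split(template)
    return re.compile(segment_class.join(re.escape(piece) for piece in literals))

def _rule(endpoint):
    path, _, query = endpoint.partition("?")
    # an endpoint listed without a query must be requested with an empty query
    return _compile(path, r"[^/]+"), _compile(query, r"[^&=]+")

RULES = [_rule(e) for e in ALLOWED_ENDPOINTS]

def is_allowed(method, request_target):
    """True only if the request is one of the listed read-only discovery calls."""
    if method.upper() not in ALLOWED_METHODS:
        return False
    parts = urlsplit(request_target)
    path = unquote(parts.path)          # compare the decoded form, so %2e%2e is seen as ..
    segments = path.split("/")
    if "." in segments or ".." in segments or "" in segments[1:-1]:
        return False                    # dot or empty segments would change the resolved target
    path = path.rstrip("/") or "/"      # tolerate a single trailing slash
    return any(p.fullmatch(path) and q.fullmatch(parts.query) for p, q in RULES)

if __name__ == "__main__":
    for m, t in [("GET", "/wga/widgets/health.json"), ("POST", "/net/dns"),
                 ("GET", "/wga/reverseproxy/default/junctions?junctions_id=app1"),
                 ("GET", "/wga/reverseproxy/%2e%2e/junctions")]:
        print(m, t, "->", "allow" if is_allowed(m, t) else "deny")
```

The same list, once it is known to be complete, is what you would encode as the DynURL mapping and attach ACLs to; anything the matcher denies here is a URL the junction should not expose.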
Original Message:
Sent: Fri February 09, 2024 09:33 AM
From: Jonatan Wålegård
Subject: ISVA Discovery on CMDB
We have already looked into that; it's not at all fine-grained when it comes to the built-in APIs.
I take it what we're asking for isn't possible.
------------------------------
Jonatan Wålegård
Original Message:
Sent: Thu February 08, 2024 03:39 AM
From: Laurent LA Asselborn
Subject: ISVA Discovery on CMDB
Hi,
So it seems you want to protect access to the management interface of the appliance? At first I thought, like other commentators, that you wanted to protect a service which is deployed behind the appliance.
You can configure these limitations under "System -> Account Management". We only use the "Global Administrator" role with LDAP users, but you can definitely configure more fine-grained access. More than once we had the problem that, after an upgrade, the new features were not automatically added to our role, so there were some menus we simply were not seeing.
------------------------------
Laurent LA Asselborn
Original Message:
Sent: Fri February 02, 2024 08:00 AM
From: Piyush Agrawal
Subject: ISVA Discovery on CMDB
Hello IBM Community,
Hope this message finds you well. We're currently working on integrating ServiceNow with ISVA and need some guidance on best practices for creating a user with restricted access. The goal is to limit the user's access to specific endpoints, namely:
- /net/general
- /net/dns
- /wga/reverseproxy
- /wga/reverseproxy/<reverse_proxy_id>/configuration/stanza/junction/entry_name/match-vhj-first
- /wga/reverseproxy/<reverse_proxy_id>/junctions
- /wga/reverseproxy/<reverse_proxy_id>/junctions?junctions_id=<junction_id>
- /wga/widgets/health.json
For more details have a look at https://docs.servicenow.com/bundle/vancouver-it-operations-management/page/product/service-mapping/reference/ibm_webseal_discovery_patterns.html
Our aim is to ensure that the user has access only to the mentioned endpoints and nothing beyond that. We'd appreciate any insights or best practices you can share regarding creating such restricted access in ServiceNow.
Thank you in advance for your valuable input!
------------------------------
Piyush Agrawal
https://www.linkedin.com/in/piyush-norway/
Gjensidige Norway
------------------------------