Roles / ACLs
Squid Roles
Squid defines four roles
x_a46gh_squidx.adminx_a46gh_squidx.readx_a46gh_squidx.restx_a46gh_squidx.defaultAccess
admin
admin authorizes members to edit custom configurations where any customer specific
configuration must be defined.
admin allows read access to predefined configurations.
admin does not implicitly allow access to the API endpoint.
read
read authorizes members to read, but not edit, all configurations.
We suggest using the documentation you are reading right now when selecting the appropriate configurations and relations for your use case. Customer specific configurations however might have to be viewed in your ServiceNow instance or your own documentation if you create one.
read does not implicitly allow access to the API endpoint.
rest
rest allows access to the API endpoint.
rest does not implicitly allow read access to configurations.
rest is intended for technical service accounts.
defaultAccess
defaultAccess is set as configuration role for all predefined
configurations. (API access to a configuration is only granted if the user has at least one of the roles set on a
configuration. See configuration role for details.)
defaultAccess is set as default value as configuration role for any new custom configurations you might create.
defaultAccess is intended for technical service accounts.
defaultAccess has no further function other than to restrict API access to configurations.
Where's the benefit if this is set for every configuration?
Long story, short: You can take it away.
Assume you have a calling system that you only want to grant access to one specific configuration. Let's call this
technical user Technical-from-Accounting.
Technical-from-Accounting must have the role rest in order to access Squid at all.
Now if none of the other predefined configurations have any access restrictions set, this Technical-from-Accounting
user could access all configurations. Not good, because Technical-from-Accounting might be 'technical', but still
is accounting and shouldn't see everything.
The only way of preventing Technical-from-Accounting from accessing configurations is to add a required role to each
and every configuration Technical-from-Accounting shouldn't have access to.
Now we thought that would be ... inefficient? and we therefore added defaultAccess to all predefined configurations,
so you don't have to.
Just a reminder: Editing a predefined configuration is not possible. Recreate the configuration you want to edit with the exact same name and make changes on your copy.