In the Cloud User Portal UI, a user cannot view or list a stack that belongs to a different user group. A user can only view or list stacks provisioned by themselves or by other users in the same user group. However, if you use the REST API to perform an operation on a stack (for instance, deprovision) and you have somehow obtained the StackID and ResourceID of another user group's stack, the operation succeeds. This bypasses the restriction enforced in the UI.
1. Install the CPG plugin.
2. Create a Cloud Catalog Item and publish it. You should be able to provision a stack afterwards.
3. Create 2 cloud users and assign them to different user groups: one for the user that will call the API (e.g. API user), and one for the user that launches a stack from the Cloud User Portal (e.g. X user).
4. Create/launch a stack with X user and make sure the stack is created successfully.
5. Note down the StackID and ResourceID of the stack created in step 4.
6. Using any REST API tool (e.g. Postman), submit a deprovision request (api/now/cmp_catalog_api/submitrequest) as API user for the StackID and ResourceID you obtained above.
7. Expectation: the deprovisioning request should fail. Currently the deprovisioning request is processed successfully and the stack belonging to X user is deprovisioned.
This problem is currently under review. You can contact ServiceNow Technical Support or subscribe to this Known Error article by clicking the Subscribe button at the top right of this article to be notified when more information becomes available. As a workaround, you can implement the attached update set (sys_remote_update_set_22d3f6899c874110f8770e1091d5c66d.xml). In this update set, the logic is enhanced to check whether the user belongs to the group that provisioned the stack. If not, the REST API throws an error.
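The group-membership check the workaround describes, sketched as an added example. This is not the contents of the update set or ServiceNow code; the user names, group names, IDs and the `handleDeprovision` function are constructed for illustration.

```javascript
// Added illustration with constructed in-memory data (not ServiceNow tables or APIs).
const userGroups = new Map([          // user -> user groups (constructed)
  ['x_user', ['group_a']],
  ['a_colleague', ['group_a']],
  ['api_user', ['group_b']],
]);
const stacks = new Map([              // stackId -> stack record (constructed)
  ['STACK-0001', { owner: 'x_user', resources: ['RES-0001'], state: 'active' }],
]);

// True when the caller provisioned the stack or shares a user group with the
// user who did: the same visibility rule the portal UI applies.
function mayOperateOnStack(caller, stack) {
  if (caller === stack.owner) return true;
  const callerGroups = new Set(userGroups.get(caller) || []);
  return (userGroups.get(stack.owner) || []).some((g) => callerGroups.has(g));
}

// Hypothetical deprovision handler. `caller` is the authenticated API user;
// the decision is made server-side and never trusts that knowing an ID
// implies permission to act on it.
function handleDeprovision(caller, { stackId, resourceId }) {
  const stack = stacks.get(stackId);
  // Unknown stack, mismatched resource and unauthorized caller get the same
  // response, so the error does not confirm which IDs exist.
  if (!stack || !stack.resources.includes(resourceId) ||
      !mayOperateOnStack(caller, stack)) {
    return { status: 403, error: 'Not authorized for this stack' };
  }
  stack.state = 'deprovisioning';
  return { status: 202, stackId };
}
```
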
PRB1569098