We have a requirement to disable AD accounts through a ServiceNow catalog that will consume the Saviynt API to disable a user's AD account. I am trying to restrict ServiceNow's access so that it can consume only the /ECM/api/v5/updateUser API, instead of opening up all the APIs.
I have created a user, svc_test_api_scope, with a custom SAV role - ROLE_SNOW_API. The only Web Service access attached to this SAV role is webservice_api_v5_updateUser.
I have set a temp password and reset it once while trying to log in to the Saviynt app via the UI. However, when I use the permanent password, I get an access denied page.
Likewise, when I use the service user in Postman and make an API call to /ECM/api/v5/updateUser, I get a 403 Forbidden error message.
How do I validate the configurations required to scope down the Saviynt APIs that consumers can consume?
It just started to work after 2 days without adding any additional feature or web service access to the SAV role. In other words, without granting any additional permissions, API calls from Postman are now working for the test user with the limited-access SAV role.
It is not clear why it did not work on Friday but started to work after the weekend.