ServiceNow Permissions Reference
This page outlines all ServiceNow roles, API scopes, and access configurations used by SailPoint Entro during integration. SailPoint Entro operates strictly in read-only mode - the integration is limited to discovery and metadata retrieval through the ServiceNow REST APIs. No modification or deletion occurs.
Note
SailPoint Entro operates in read-only mode. All API operations are restricted to retrieval (GET) only.
Integration Roles
SailPoint Entro requires a dedicated Integration User in ServiceNow with the following roles:
-
itil -
snc_read_only -
personalize_dictionary- optional (allows access to scan custom tables)
These roles grant read access to incidents, requests, problems, and CMDB records while maintaining least-privilege access.
API Auth Scopes
Each Auth Scope must:
-
Be explicitly assigned to its respective REST API
-
Have Apply auth scope to all HTTP methods unchecked
-
Be linked to the same Authentication Profile created during onboarding
| REST API | Auth Scope | Purpose |
|---|---|---|
| Table API | entro-auth-scope |
Read-only access to tickets, articles, and configuration records |
| Attachment API | entro-auth-scope |
Read-only access to attachments and file content |
Ensure the auth scopes are linked to the Authentication Profile created during onboarding.
API Access Policies
SailPoint Entro communicates with the ServiceNow instance through API Access Policies that enforce inbound authentication and scope restrictions. Each API (Table and Attachment) must be associated with:
-
The Inbound Authentication Profile created during onboarding
-
The corresponding
entro-auth-scope
Ensure Apply to all methods is unchecked for both APIs to restrict operations to GET (read-only).
REST API Key Configuration
All API Access Tokens must be generated from: System Web Services → API Access Policies → REST API Key
Configuration requirements:
-
Assign to the Integration User created during onboarding
-
Link to the
entro-auth-scope -
Copy and store the token securely immediately after creation — ServiceNow does not allow retrieval later
SailPoint Entro Access Summary
-
Access Mode: Read-only
-
APIs Used: Table API, Attachment API
-
Authentication: API Access Token (Bearer)
-
Data Retrieved: Tickets, Knowledge Base, Attachments, and Configuration Records
-
Scope Enforcement:
entro-auth-scope(Table + Attachment APIs) -
Integration Validation: Automatic verification during connection; displays Verified on success
Note
Integration is automatically validated during connection. On success, the integration displays "Verified".
Compliance and Security Notes
-
SailPoint Entro uses scoped API tokens tied to a specific ServiceNow instance and integration user.
-
No ServiceNow credentials or tokens are ever exposed outside SailPoint Entro's vault.
-
All traffic between SailPoint Entro and ServiceNow occurs over HTTPS/TLS 1.2+.
-
API activity is logged in both ServiceNow and SailPoint Entro audit logs for traceability.
-
Integration configuration follows least-privilege principles and SOC 2 Type II and ISO 27001 standards.