Skip to content

ServiceNow Permissions Reference

This page outlines all ServiceNow roles, API scopes, and access configurations used by SailPoint Entro during integration. SailPoint Entro operates strictly in read-only mode - the integration is limited to discovery and metadata retrieval through the ServiceNow REST APIs. No modification or deletion occurs.

Note

SailPoint Entro operates in read-only mode. All API operations are restricted to retrieval (GET) only.


Integration Roles

SailPoint Entro requires a dedicated Integration User in ServiceNow with the following roles:

  • itil

  • snc_read_only

  • personalize_dictionary - optional (allows access to scan custom tables)

These roles grant read access to incidents, requests, problems, and CMDB records while maintaining least-privilege access.


API Auth Scopes

Each Auth Scope must:

  • Be explicitly assigned to its respective REST API

  • Have Apply auth scope to all HTTP methods unchecked

  • Be linked to the same Authentication Profile created during onboarding

REST API Auth Scope Purpose
Table API entro-auth-scope Read-only access to tickets, articles, and configuration records
Attachment API entro-auth-scope Read-only access to attachments and file content

Ensure the auth scopes are linked to the Authentication Profile created during onboarding.


API Access Policies

SailPoint Entro communicates with the ServiceNow instance through API Access Policies that enforce inbound authentication and scope restrictions. Each API (Table and Attachment) must be associated with:

  • The Inbound Authentication Profile created during onboarding

  • The corresponding entro-auth-scope

Ensure Apply to all methods is unchecked for both APIs to restrict operations to GET (read-only).


REST API Key Configuration

All API Access Tokens must be generated from: System Web Services → API Access Policies → REST API Key

Configuration requirements:

  • Assign to the Integration User created during onboarding

  • Link to the entro-auth-scope

  • Copy and store the token securely immediately after creation — ServiceNow does not allow retrieval later


SailPoint Entro Access Summary

  • Access Mode: Read-only

  • APIs Used: Table API, Attachment API

  • Authentication: API Access Token (Bearer)

  • Data Retrieved: Tickets, Knowledge Base, Attachments, and Configuration Records

  • Scope Enforcement: entro-auth-scope (Table + Attachment APIs)

  • Integration Validation: Automatic verification during connection; displays Verified on success

Note

Integration is automatically validated during connection. On success, the integration displays "Verified".


Compliance and Security Notes

  • SailPoint Entro uses scoped API tokens tied to a specific ServiceNow instance and integration user.

  • No ServiceNow credentials or tokens are ever exposed outside SailPoint Entro's vault.

  • All traffic between SailPoint Entro and ServiceNow occurs over HTTPS/TLS 1.2+.

  • API activity is logged in both ServiceNow and SailPoint Entro audit logs for traceability.

  • Integration configuration follows least-privilege principles and SOC 2 Type II and ISO 27001 standards.