Allowing updates to incidents through an API - update made as a passed in user
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-10-2025 06:51 AM
We have a team in our company that is writing an app that will integrate with ServiceNow allowing users in their system to create and update incidents. They have asked us to allow them access to an API to do this work, but after discussion we don't want to let them use the Table API because there isn't validation. Our expectation is that there would be the same validation as our Platform UI on any updates coming through the API. Another requirement that we have is that the update must be done by an ITIL user (not the API user) - meaning that the updated by and activity stream entries must all show up as done by the ITIL user that the pass along in the X-On-Behalf-Of header.
How can I update an incident as the user that is passed in the header rather than as the API user?
I've tried GlideImpersonate() - and this would be perfect except for the race condition where one update comes in while another update is currently processing and fails ACLs because the API user is currently impersonating.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-10-2025 06:54 AM
that's not how API integration works.
You should not use OOTB Table API as it will expose all fields on that table to 3rd party team.
You create an API user, give them the credentials, and then use scripted REST API.
Ask them to use POST method and include user id of itil user
That API will then be consumed and in scripted REST API you can try to impersonate that User they have passed in JSON request.
If my response helped please mark it correct and close the thread so that it benefits future readers.
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-10-2025 07:01 AM
Ankur,
You are correct, we are implementing this as a Scripted REST API - but impersonate will not work because of the race situation I mentioned. we are trying to figure out another method for making the update to the Incident. The other team is fine with an async reply - so we could do the validations and then pass the update to another executable to actually perform the update.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-10-2025 07:18 AM
are you having a dedicated itil user which should be seen as Updated by when API is consumed?
yes that race condition will have issues.
You can manually update sys_updated_by field with that itil user
If my response helped please mark it correct and close the thread so that it benefits future readers.
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-16-2025 09:01 AM
@Ankur Bawiskar
No there is not a dedicated ITIL user - the 'doing work as' user is being passed into the scripted rest api in an HTTP header. The user that is making the update will be different for every call.
