API user record roles for read access to all tables

ritaaudi · ‎02-05-2025

Hi:
I'm looking to setup an API user record in servicenow that can be used by powerBI to query all servicenow tables.

My question is what roles should I give that user record so it only has read access but it can query all tables?
Thank you, Rita

Robbie · ‎02-06-2025

Hi @ritaaudi,

So now we're getting quite specific. This is achievable using parameters in the endpoint.

Eg: https://the_instance_name.service-now.com/api/now/table/incident?sysparm_query=sys_created_on%3Cjavascript%3Ags.beginningOfLast2Years()%5Eassignment_group%3Dd625dccec0a8016700a222a0f7900d06&sysparm_limit=10

Note, due to the potential number of records, I've also added a limit using the syntax "&sysparm_limit=10".

To help others (and for me to gain recognition for my efforts), please mark this response correct by clicking on Accept as Solution and/or Kudos.

  Thanks, Robbie

View solution in original post

Robbie · ‎02-05-2025

Hi @ritaaudi,

This can achieved with a few roles as listed below.

Clarification question, I appreciate you mentioned all tables.... does it have to be all tables, or for example could you control and restrict this initially and build this access?

Example start with the itil role giving access to Incident, Problem Change, Catalog, Groups, Users etc and a large number of 'core' tables?

The reason I state this, for a while now I've wanted an "auditor" type role OOB (Out Of Box and not one configured) which does exactly as you request so as to avoid these questions from auditors, as the only way I've seen this in the past is to combine 2 roles.... the snc_read_only AND the admin role.

I can't stress enough the use of the snc_read_only role here when providing the admin role. In additional, against the user profile, ensure you check (set to true) the 'Web service access only' checkbox to ensure the account can't be used to log in via the UI and it can only be used for API access.

I'd love to know if this has been updated or can be achieved any other way from the community if anyone knows?

The roles to achieve this:

- snc_read_only

- itil (ideally at first and then expand and add more roles as required so as to avoid giving admin)

- snc_platform_rest_api_access

Additionally, set the 'Web service access only' checkbox to true against the user profile to ensure the account can't be used to log in via the UI and it can only be used for API access.

To help others (and for me to gain recognition for my efforts), please mark this response correct by clicking on Accept as Solution and/or Kudos.

  Thanks, Robbie

ritaaudi · ‎02-05-2025

Thank you. This is helpful. What about the end point? How can you pass a query in the end point:

.service-now.com/api/now/table/{tableName}

Robbie · ‎02-06-2025

Hi @ritaaudi,

Correct, the end point for a method call such as GET/POST call is:

https://the_instance_name.service-now.com/api/now/table/{tableName}

Real example: https://the_instance_name.service-now.com/api/now/table/incident

To help others (and for me to gain recognition for my efforts), please mark this response correct by clicking on Accept as Solution and/or Kudos.

  Thanks, Robbie

ritaaudi · ‎02-06-2025

Hi: What if you want to GET data from incident table with a filter like created before 2 years ago and assignment group is xyz. How do you format that in the endpoint url?

Thank you again! Rita

Robbie · ‎02-06-2025

Hi @ritaaudi,

So now we're getting quite specific. This is achievable using parameters in the endpoint.

Eg: https://the_instance_name.service-now.com/api/now/table/incident?sysparm_query=sys_created_on%3Cjavascript%3Ags.beginningOfLast2Years()%5Eassignment_group%3Dd625dccec0a8016700a222a0f7900d06&sysparm_limit=10

Note, due to the potential number of records, I've also added a limit using the syntax "&sysparm_limit=10".

To help others (and for me to gain recognition for my efforts), please mark this response correct by clicking on Accept as Solution and/or Kudos.

  Thanks, Robbie