Delegating access to app's credential?
01-11-2024 05:46 AM - edited 01-11-2024 05:59 AM
We are using a shared development instance between multiple teams, where each initiative or project gets a separate application scope (classic studio) created and developers delegated to it (without being admins on the instance).
When these developers develop and test Flow Actions, they can't use the credential alias from the same application without first being granted credential_admin, which we don't want to do. Is there something we are missing? Doesn't it make sense that developers of an app could use the credential related to that app on that instance?
4 hours ago
@Mikael Karlsson , wondering where you landed with this? We are in a similar situation and looking for a solution. Thanks!
4 hours ago
Hi @Mikael Karlsson,
This is the expected behavior of IntegrationHub credential security. Out of the box, developers cannot use Credential Aliases unless they have credential_admin (or the IntegrationHub admin roles), even if they are the developers of a scoped application. ServiceNow intentionally separates app scope access from credential access.
In my previous workplace, I used this pattern:
- Created custom roles x_your_app.cred_user and u_integration_cred_user.
- Added ACLs on the credential tables to allow read/use for that role:
  - sn_ih_cred_profile
  - sn_ih_credential_alias
  - (depending on version, also sn_integration_credentials)
- Assigned that role only to the developers of that app (through a group).
This allowed developers to use the credential alias inside Flow Actions and test their integration normally, without giving them credential_admin or admin, and without exposing all instance credentials, only the ones you allow. You can also restrict the ACL so the role only applies to aliases associated with your specific application.
Hope it helps you, and if my answer was helpful, please don’t hesitate to give it a thumbs-up - it only takes a second, but it means a lot to me. Thank you!
Best regards,
Renat Akhmedov
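An added example, not part of the answer above and not ServiceNow's own code: the last sentence of the answer (restricting the ACL so a per-app role only reaches aliases of that application) would normally be implemented as the script condition of an advanced ACL on the alias table. The logic below models that condition. The role naming convention `<scope>.cred_user` is an assumption made for the example, and `current` and `gs` are passed in as parameters so that the check can be exercised offline with constructed stand-ins; on the instance the same body runs against the global `current` and `gs` objects.

```javascript
// Added example, not from the original post. Models an advanced ACL
// script condition on the credential alias table: a developer holding
// the per-application role "<scope>.cred_user" (naming convention
// assumed here) may read/use only aliases whose sys_scope is that
// application. credential_admin keeps unrestricted access, matching
// the out-of-box behaviour the answer describes.
function scopedCredentialAccess(current, gs) {
  // Out-of-box administrators of credentials keep full access. Note that
  // gs.hasRole() also returns true for users holding the admin role.
  if (gs.hasRole('credential_admin')) return true;

  // Scope name of the application that owns the alias record, e.g. "x_acme_hr".
  // Dot-walking current.sys_scope.scope works on the instance; the stand-in
  // below exposes the same shape.
  var scope = current.sys_scope && current.sys_scope.scope
    ? String(current.sys_scope.scope)
    : '';

  // Aliases in the global scope are never exposed through a per-app role.
  if (!scope || scope === 'global') return false;

  // Grant only if the user holds the role belonging to this exact scope.
  return gs.hasRole(scope + '.cred_user');
}

// Constructed stand-ins for the Glide objects, used only so the condition
// can run outside an instance.
function makeCurrent(scopeName) {
  return { sys_scope: { scope: scopeName } };
}

function makeGs(roles) {
  var held = new Set(roles);
  return {
    // Mirrors gs.hasRole(): admin satisfies any role check.
    hasRole: function (role) { return held.has('admin') || held.has(role); }
  };
}

// Convenience wrapper: does a user holding `roles` get an alias in `scopeName`?
function decide(scopeName, roles) {
  return scopedCredentialAccess(makeCurrent(scopeName), makeGs(roles));
}

// Constructed cases: own app, another team's app, global scope, credential_admin.
console.log(decide('x_acme_hr',  ['x_acme_hr.cred_user']));  // true
console.log(decide('x_acme_fin', ['x_acme_hr.cred_user']));  // false
console.log(decide('global',     ['x_acme_hr.cred_user']));  // false
console.log(decide('x_acme_fin', ['credential_admin']));     // true
```

On the instance the script condition would simply end with `answer = scopedCredentialAccess(current, gs);` with the function pasted above it. After creating the ACL, verify it by impersonating a developer who holds only the per-app role: the alias picker in Action Designer should list that application's aliases only, and an alias in another scope or in global should stay hidden.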
