Hello!

I like the idea of having inbound (to ServiceNow) REST integrations start to use the client credentials grant type for several reasons, which I'll leave out for now for brevity. To use the client credentials grant type, one only needs to specify the grant_type (of "client credentials"), client_id, and client_secret to the oauth_token.do endpoint - simple!

Using a catalog item and flow designer, we can also automate the provisioning of the application registry, which creates the client id and secret - awesome!

There's one configuration that I can't get past - the OAuth Application User that must be specified in the Application Registry (see KB1645212). I understand why it's there based on ServiceNow's security model. I also understand that records created or updated via API actions still need to have a "sys_created_by" and "sys_updated_by" for audit trails on those records. 

However, having to maintain a sys_user record, which is what the OAuth Application User is, in combination with client credentials just seems...odd. User records need to have passwords rotated to comply with security policies. As a ServiceNow admin, I don't want to have manage password rotation. If a team integrates with ServiceNow, but using client credentials they don't specify a username and password, then the user record is just "extra." All they really care about is the client id and secret, and that their REST operation works. 

Typically speaking, teams will want to test their integrations in non-prod environments as well. Which means now we are not only managing one account, but several, which adds considerations to clone operations. 

Looking for your experience, community! How have you handled this scenario?