Microsoft Copilot integration with ServiceNow — access/permission issues during indexing.

Problem: Copilot connector fails with permission errors when indexing ServiceNow tables (task, sys_user,
sys_user_has_role, sys_user_grmember, sys_user_group, sys_user_role, cmn_location, cmn_department, core_company), even though the integration user can see the data when impersonating.

Root Cause Analysis

The Microsoft Graph connector for ServiceNow uses the REST API (Table API), not the UI. The user seeing data in
the UI doesn't mean the REST API has access. Common causes:

1. ACLs block REST but allow UI — The rest_service access type must be explicitly allowed. Check ACLs on each
table for type = rest_service or type = *.
2. Missing web_service_admin or rest_api_explorer role — The integration user needs roles that grant REST Table
API access, not just ITIL/reader roles.
3. Cross-scope ACLs — If tables are in Global scope, the connector's OAuth app must have Global scope access.
4. OAuth token scope too narrow — The ServiceNow OAuth application must grant useraccount scope at minimum. Check
sys_oauth_entity for the registered app.
5. IP access control — ServiceNow may restrict API access by IP range (glide.rest.ip_restriction).

Recommended Fix Steps

1. Grant the integration user: snc_read_only + web_service_admin
2. Verify ACLs: sys_security_acl.list → filter each table → ensure a REST-type read ACL exists
3. Check OAuth: sys_oauth_entity.list → verify token has correct scope and isn't expired
4. Test directly: hit /api/now/table/task?sysparm_limit=1 with the integration user's credentials to isolate
ServiceNow vs Copilot