a month ago
Hi community
Is there a way to run flows as a service account that I create in the user table?
I can only see options to run as system user or as the user who initiates the flow.
Thanks in advance
a month ago
I have not tried the below solution but please try and see if it works for your requirement. I am very interested to know if this is going to work.
Using Roles with the System User:
This method allows a user account to run a flow, and the flow will have the permissions of that user.
- Locate Flow Properties: In Flow Designer, select More Actions and then click Properties.
- Select "Run As System User": Choose this option to have the flow run with specific roles.
- Add Roles: Click the Add role icon and select the roles that are assigned to your service account.
Using a Subflow for Impersonation:
If you need to execute the flow as a specific user in real-time, you can create a subflow that runs as a user, or use a flow that is designed to run as a specific user.
- Create a Subflow: Build a separate subflow that will contain your core logic.
- Set Subflow Properties: In the subflow's properties, you can select an option to run it as a specific user. This user can be your designated service account from the User table.
Important Considerations:
- User ACLs: When a flow runs as the user who initiated the session, its actions are limited by the user's Access Control Lists (ACLs).
- System User: The System User is not a record from the User table, but a concept that allows flows to run with elevated permissions.
- Auditing: Using a specific service account helps to reflect that user's name in the audit history, which is useful for auditing purposes.
If you found my response helpful, could you please mark it as ‘Accept as Solution’ and ‘Helpful’? This small action goes a long way in helping other community members find the right answers more easily and supports the community.
a month ago
Hi @AnthonyMull - I am so glad that the solution worked for you, could you please mark it as ‘Accept as Solution’ and ‘Helpful’? This small action goes a long way in helping other community members find the right answers more easily and supports the community.
a month ago
Hi @AnthonyMull
I wondered about this too a while ago. Now, I have this crazy idea, can we impersonate users in a Flow? If so, once the flow is triggered, can we run the rest of the steps as a different user (maybe configured in properties and picked up for impersonation)?
Very interesting!
a month ago
Hi @AnthonyMull ,
No, not to my knowledge. But at the same time I could ask - what is the reason for trying to do this? Either you have a system user with right privilege to run the flows or you are running the flow as the user. What should the reason be for a 3rd option?
If my answer has helped with your question, please mark my answer as the accepted solution and give a thumbs up.
Best regards
Anders
Rising star 2024
MVP 2025
linkedIn: https://www.linkedin.com/in/andersskovbjerg/
a month ago
Hi @AndersBGS
The reason is simple: based on the least permissions principle, service accounts should only be allowed to do the things within their remit.
For example, if I have, say, 30 flows related to catalog items, and these flows should only create tasks and update RITMs and requests, then the user running the flows should only have those permissions.
If the flow is running as a user that could potentially update many of the CIs in our CMDB, then having a service account to prevent this will add an extra layer of security.
I hope this makes sense.
a month ago
Not supported.
If my response helped please mark it correct and close the thread so that it benefits future readers.
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
