Over the last few weeks I've noted that the Service Now Docs portal seems to have a few pages outlining the roles you should require if you want to interface with your instance via the REST API.

Specifically it notes the following:

1) If you wish to view the REST API Explorer, this page walks you through doing that.

Getting started with REST - access the REST API Explorer

This one is fairly straight forward. The REST API Explorer is a visual tool to help you build and review, REST API calls. It itself doesn't make any calls (other than testing) but it's a great starting point to get your bearings as you begin building in REST API calls elsewhere which will leverage this.

2) Now, moving on. What if I have an external process (PowerShell Script, other script, other web service), which I want to use to query my CMDB and pull some records out. What do I need in order to do that?

Getting started with REST - retrieve existing incidents

This article outlines what you need in order to begin actually making calls via this web service. Of note, it indicates you require one of the following roles: web_service_admin, rest_api_explorer, or admin.

3) Here is where things get confusing for me. See this article: SOAP roles. In this article, it goes everything the roles related to the SOAP API.

Now, let's fast forward to today's problem. I'm getting started with ServiceNow, automation and more specifically, orchestration and as a first step have requested our SNOW group provision me a service account which I will use to make the REST API calls from within whatever script or service I'm working from. Here's what I've been given so far:

- My domain account which I use to log into our SNOW portal has been granted the role: REST_API_EXPLORER. And, as expected, it allows me to view the REST API Explorer window while logged in as me.

- I have a service account now which has been granted the role: soap_ecc.

Now, I'm not using SOAP. Don't want to, don't plan on it. Yet I can make GET HTTP calls to the REST API web service, and they are successful, using this account. So here's my questions(s).

1) Why is this the case? Does the SOAP web service use the same listeners as the REST API web service so at this level, the roles do the same? I would have expected the service account would require at least one of the roles outline in the 'Getting Started with REST' article above, yet that doesn't seem to be the case.

2) If the above is true, then I worry that we really don't properly understand what roles we need for each. I was under the impression that my regular account would require the REST_API_EXPLORER role to work in the REST windows, and that my service account would require the WEB_SERVICE_ADMIN role to properly communicate with the REST API web service.

Where am I going wrong? Is there some role inheritance here that I'm missing? Why do I require any SOAP related roles at all, anywhere? Just looking for some clarification on how all of this is laid out.

Thanks,