What is the difference between Internal integration user and web service access checkbox in sys_user table?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-13-2021 05:36 AM
Hi,
As per the servicenow recommendation here, Mark service accounts as internal integration users. What is the difference between internal integration user checkbox and web service access only checkbox. What will happen if internal integration user checkbox is set to true?
- 6,343 Views

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-13-2021 05:50 AM
Hi there,
Personally never used the Internal Integration User checkbox, though the Docs mentions:
"If your instance uses these SOAP interfaces, you can allow them to bypass the WS-Security authentication requirement by marking their user accounts as internal integration users."
While Web service access only is the known checkbox for when checks, accounts not being able anymore to login to the UI.
If my answer helped you in any way, please then mark it as helpful.
Kind regards,
Mark
2020-2021 ServiceNow Community MVP
2020-2021 ServiceNow Developer MVP
---
LinkedIn
Community article list
Kind regards,
Mark Roethof
Independent ServiceNow Consultant
10x ServiceNow MVP
---
~444 Articles, Blogs, Videos, Podcasts, Share projects - Experiences from the field
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-14-2021 04:07 AM
Hi,
Can you please describe the term "bypass" here. What it will actually do if we enable the checkbox?
If your instance uses these SOAP interfaces, you can allow them to bypass the WS-Security authentication requirement by marking their user accounts as internal integration users."

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-14-2025 11:47 AM
Since this came up as one of the top results in Google, here's what I've found:
Mark service accounts as internal integration users (Yokohama)
The documentation indicates that this is specifically for SOAP requests as Mark mentioned. The explanation he left out is this:
"When WS-Security is enabled, authentication is required for all SOAP requests including internal integration communications such as the MID Server, ODBC Driver, Remote Update Sets, and high availability cloning. SOAP requests for these internal integration communications cannot implement WS-Security due to technical implications. If your instance uses these SOAP interfaces, you can allow them to bypass the WS-Security authentication requirement by marking their user accounts as internal integration users."
My interpretation of that is that it is a role designed for those specific features which ServiceNow has already implemented and do not support WS-Security (Yokohama). Other types of SOAP requests should be able to go through the WS-Security authentication process. (I've included Yokohama links because the latest-version feature seems to be down right now)
Knowing that, the only case for using that role is:
1) You are using SOAP
2) You are using WS-Security profiles with SOAP
3) The thing you're connecting via SOAP does not support WS-Security functionality
So the Internal Integration User option would actually decrease your overall security stance.
tl;dr: Don't use Internal Integration User. Do use Web Service Access Only.