a month ago
Hi community,
I'm running into a 403 Forbidden error when trying to use an AI skill (incident summarization) published by a ServiceNow MCP server.
Scenario:
OAuth Client Credentials (with an integration user with ITIL role)
AI Skill (OOTB) requires ITIL role
Token is generated OK
I'm able to "connect" from both MCP clients (Postman and MS Copilot)
The "tool" is available
When trying to execute, 403 forbidden is the error.
Any idea? Any help is welcome.
Thanks,
Ariel
a month ago
Hi @rpriyadarshy
No records on sn_mcp_execution_logs.
So weird.
a month ago
Hi colleagues,
An update on "my case".
I was able to make it work by replacing the "integration user" with "my" (admin) user; for me, that confirms a missing role/s. Now I need to know which role/s are missing.
a month ago
Hi colleagues,
I found it. The missing role is: sn_mcp_server.viewer
Granting this role to the service account user in OAuth config (+ ITIL as required by the AI Skill), I was able to execute it (incident summarization) from Postman.
Thanks for your help and I hope my finding helps you.
Ariel
a week ago
@arielgritti how exactly did you add the role? There is no user tied to OAuth, just client ID and secret.
a week ago - last edited a week ago
Hi @adrian08
We're able to add the user because we switched to the Client Credentials OAuth type.
With that type, an "OAuth user" is mandatory. Usually, that is when you create an "integration/functional" user and you can add the role.
Thanks for your help and I hope my finding helps you. If true, please mark it as helpful.
Ariel
