
403 Forbidden when calling an AI skill from an MCP client (Postman or MS Copilot)

arielgritti
Mega Sage

Hi community,

I'm running into a 403 Forbidden error when trying to use an AI skill (incident summarization) published by a ServiceNow MCP server.

Scenario:
OAuth Client Credentials (with an integration user with ITIL role)
AI Skill (OOTB) requires ITIL role

Token is generated OK
I'm able to "connect" from both MCP clients (Postman and MS Copilot)
The "tool" is available

When trying to execute, 403 forbidden is the error.

Any idea? Any help is welcome.

Thanks,
Ariel

1 ACCEPTED SOLUTION

Hi colleagues,

I found it. The missing role is: sn_mcp_server.viewer
After granting this role to the service account user in the OAuth config (+ ITIL as required by the AI Skill), I was able to execute it (incident summarization) from Postman.

Thanks for your help and I hope my finding helps you.
Ariel


9 REPLIES

Tanushree Maiti
Kilo Patron

Probable causes could be:

1. If your ServiceNow instance has IP filtering, and your client (Postman/Copilot) is running from an un-whitelisted IP address, it will return a 403.

2. Impersonate the integration user and try to run the REST query directly via the ServiceNow REST API Explorer to identify which table ACL is denying access.

   - Give the proper role to the integration user.

Please mark this response as Helpful & Accept it as solution if it assisted you with your question.
Regards
Tanushree Maiti
ServiceNow Technical Architect

Hi @Tanushree Maiti 
Thanks for your answer.
1. Discarded. I've access, no IP filtering (it's working for me "admin" user)

2. Good point, I'll try

Thanks,
Ariel

rpriyadarshy
Tera Guru

@arielgritti

Check for the real denial reason: open the MCP Execution Logs table sn_mcp_execution_logs and capture the response body + transaction ID; the 403 payload typically names the exact ACL / policy blocking the call.

Let us know what you see there.

Regards

RP

Hi @rpriyadarshy 
Thanks for your answer.
We tried that approach before, without success. But I'll try again.

Thanks,
Ariel