How To Configure OAuth for Creation of a Security Incident Response Record

fcaruso123
Tera Expert

We are on Yokohama.


Trying to configure OAuth2 to allow create for SIR. I am able to set up the OAuth registry, using grant type Client Credentials:


The associated account is set up as a basic account with snc_internal (default). Using Postman I can retrieve a token and use that token on a scripted endpoint call to create an SIR record. But what I am not able to do is restrict the OAuth registration using profiles and scopes. Once the token is retrieved it can create records in other tables and endpoints. My understanding is that creating a scope like "sn_si" would limit access but it does not.


Its_Azar
Kilo Sage

Hi there @fcaruso123


I think OAuth scopes in SN do not restrict table-level access. They only control which APIs can be invoked, not CRUD permissions on tables.

Once a token is issued, SN relies entirely on the integration user’s roles and ACLs to authorize record creation. That’s why creating a custom scope like sn_si does not prevent access to other tables.

The correct way is to use a dedicated integration user with minimal roles and enforce access via Create ACLs on sn_si_incident. OAuth handles authentication; ACLs handle authorization.


☑️ If this helped, please mark it as Helpful or Accept Solution so others can find the answer too.

Kind Regards,
Azar
ServiceNow Rising Star
Developer @ KPMG.
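As an added example, not code from either post or from ServiceNow: a small Python client that performs the Client Credentials flow the question describes and then checks the boundary the reply describes by behaviour rather than by trusting the scope. Because scopes do not limit table access, the only reliable check is to create in sn_si_incident (expect 201) and attempt a create in some other table (expect 403 from the ACLs). The instance URL, client id and secret are placeholders; the second table `incident` is a hypothetical choice; the token endpoint `/oauth_token.do` and the Table API `/api/now/table/{table}` are ServiceNow's standard endpoints, used here in place of the question's scripted endpoint, whose path is not on the page. The simulated transport is constructed so the flow runs offline; pass the real `http_post` to exercise an instance.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

INSTANCE = "https://example-instance.service-now.com"  # placeholder instance URL
SIR_TABLE = "sn_si_incident"                            # table named in the thread
OTHER_TABLE = "incident"  # hypothetical table the integration user must not write to


def http_post(url, headers, body):
    """Real transport: POST and return (status, body_text)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def get_token(client_id, client_secret, post=http_post):
    """Client Credentials grant against /oauth_token.do; returns the bearer token."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    status, text = post(f"{INSTANCE}/oauth_token.do",
                        {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        raise RuntimeError(f"token request failed: {status} {text}")
    return json.loads(text)["access_token"]


def create_record(token, table, fields, post=http_post):
    """POST to the Table API; returns the HTTP status (201 created, 403 denied by ACL)."""
    status, _ = post(f"{INSTANCE}/api/now/table/{table}",
                     {"Authorization": f"Bearer {token}",
                      "Content-Type": "application/json",
                      "Accept": "application/json"},
                     json.dumps(fields).encode())
    return status


def check_least_privilege(token, post=http_post):
    """The boundary is enforced by the integration user's roles/ACLs, not by the
    OAuth scope, so test it by behaviour: a create in sn_si_incident must succeed
    and a create in any other table must be refused."""
    sir = create_record(token, SIR_TABLE, {"short_description": "oauth acl check"}, post)
    other = create_record(token, OTHER_TABLE, {"short_description": "oauth acl check"}, post)
    return {"sir_created": sir == 201, "other_denied": other == 403}


def make_simulated_transport(tables_user_may_create):
    """Constructed offline stand-in for an instance. It issues a token for any
    client and enforces a create ACL only for the listed tables, mimicking what
    the integration user's roles would allow. Response bodies are constructed."""
    def post(url, headers, body):
        if url.endswith("/oauth_token.do"):
            return 200, json.dumps({"access_token": "simulated-token", "token_type": "Bearer"})
        if headers.get("Authorization") != "Bearer simulated-token":
            return 401, '{"error":{"message":"User Not Authenticated"}}'
        table = url.rsplit("/", 1)[-1]
        if table in tables_user_may_create:
            return 201, json.dumps({"result": {"sys_id": "constructed-sys-id"}})
        return 403, '{"error":{"message":"Insufficient rights to create"}}'
    return post


if __name__ == "__main__":
    # Locked-down integration user: Create ACL on sn_si_incident only.
    locked = make_simulated_transport({SIR_TABLE})
    tok = get_token("client-id-placeholder", "client-secret-placeholder", post=locked)
    print("locked-down user:", check_least_privilege(tok, post=locked))
    # Over-privileged user: the scope changes nothing, the ACLs let the create through.
    wide = make_simulated_transport({SIR_TABLE, OTHER_TABLE})
    print("over-privileged user:", check_least_privilege(tok, post=wide))
```

Run it against a real instance by replacing the placeholders and dropping the `post=` argument; a result of `other_denied: False` means the integration user's roles grant more than the Create ACL on sn_si_incident, which is the condition the reply says to fix on the user, not on the OAuth registry.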