Read-only service accounts for integrations
3 weeks ago
I am creating OAuth API endpoints for external clients, specifically for infosec scanning and logging tools like Splunk or Palo Alto SSPM or Valence. I want to grant the respective service accounts both the admin and snc_read_only roles.
However I think this blocks the ability to register the client, create the auth token, or update refresh tokens.
Should I add the oauth_credentials table to glide.security.snc_read_only_role.tables.exempt_write ?
What other tables might I need to add to allow a proper integration?
https://www.servicenow.com/docs/r/platform-administration/user-administration/c_ReadOnlyRole.html
Once the integrations have been established, the records on the User table would be toggled from Human to Machine.
3 weeks ago
I just ran into this issue and Now Support said that you cannot use the snc_read_only role if using OAuth. They didn't even bring up this system property. This sounds like it would fix the issue instead of removing the snc_read_only role.
3 weeks ago
I was just reading Valence's instructions on setting up a ServiceNow read-only service account, and they were atrocious: a custom role and 30+ custom ACLs. I knew there had to be a better way, so I started diving into the snc_read_only product docs.
3 weeks ago
Found a KB article (https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0817646) that also called out user_multifactor_auth.
3 weeks ago
As per KB0783404, "User unable to get an OAuth 2.0 access token":
Probable resolution:
You can keep the snc_read_only role for the user but allow an exception where they can write to the oauth_credential table.
Please verify this on a subprod instance first:
1. Create a new system property.
Name: glide.security.snc_read_only_role.tables.exempt_create
Type: string
Value: sys_user_session, sysevent, syslog, syslog_transaction, sys_user_preference, sys_ui_list, sys_ui_list_element, sys_db_cache, user_multifactor_auth, oauth_credential
You're retaining the default (back-end) value as documented here: Read-only role, and adding only the necessary oauth_credential table.
A similar issue has been discussed in KB0817646, "snc_read_only users not able to access Mobile Apps".
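The step above amounts to "take the documented default list and append oauth_credential". The following is an added example (not from the thread, the KB articles, or ServiceNow) that does that merge programmatically, so the default entries are never dropped or duplicated when the property is created or later extended. The default value and the property name glide.security.snc_read_only_role.tables.exempt_create are the ones quoted in the reply; the function names are my own; the `gs.getProperty`/`gs.setProperty`/`gs.info` wrapper assumes it is run as a ServiceNow background script and is skipped when the Glide `gs` object is absent, so the pure functions also run under Node. The same helper can be pointed at the `exempt_write` property the original poster asked about by changing the name.

```javascript
// Added example, ES5-style so it runs in ServiceNow's classic script engine as well as Node.
// Default back-end value of glide.security.snc_read_only_role.tables.exempt_create,
// as quoted in the thread from the Read-only role documentation.
var DEFAULT_EXEMPT_CREATE = [
  'sys_user_session', 'sysevent', 'syslog', 'syslog_transaction',
  'sys_user_preference', 'sys_ui_list', 'sys_ui_list_element', 'sys_db_cache',
  'user_multifactor_auth'
];

// Table the thread identifies as needed for OAuth clients on a snc_read_only user.
var OAUTH_EXEMPT_TABLES = ['oauth_credential'];

// Parse a comma-separated property value into a trimmed, de-duplicated table list.
function parseTableList(value) {
  var out = [];
  String(value || '').split(',').forEach(function (t) {
    t = t.trim();
    if (t.length > 0 && out.indexOf(t) === -1) {
      out.push(t);
    }
  });
  return out;
}

// Merge: keep existing entries in their order, append only what is missing.
// Returns the new value plus the list of tables actually added, so the change
// can be reviewed (e.g. on a sub-prod instance) before it is written.
function mergeExemptTables(currentValue, required) {
  var existing = parseTableList(currentValue);
  var added = [];
  required.forEach(function (t) {
    if (existing.indexOf(t) === -1) {
      existing.push(t);
      added.push(t);
    }
  });
  return { value: existing.join(', '), added: added };
}

// Report which required tables a property value does not yet cover.
function missingExemptTables(currentValue, required) {
  var have = parseTableList(currentValue);
  return required.filter(function (t) { return have.indexOf(t) === -1; });
}

// ServiceNow wrapper (assumption: run as a background script where `gs` exists).
// Falls back to the documented default when the property has not been created yet
// and only writes when something is actually missing.
function ensureOauthExemptCreate(dryRun) {
  var name = 'glide.security.snc_read_only_role.tables.exempt_create';
  var current = gs.getProperty(name, DEFAULT_EXEMPT_CREATE.join(', '));
  var result = mergeExemptTables(current, OAUTH_EXEMPT_TABLES);
  if (result.added.length === 0) {
    gs.info(name + ' already contains: ' + OAUTH_EXEMPT_TABLES.join(', '));
  } else if (dryRun) {
    gs.info('Would set ' + name + ' to: ' + result.value);
  } else {
    gs.setProperty(name, result.value);
    gs.info('Set ' + name + ', added: ' + result.added.join(', '));
  }
  return result;
}

// Stand-alone demonstration outside ServiceNow (no Glide API needed).
if (typeof gs === 'undefined') {
  var demo = mergeExemptTables(DEFAULT_EXEMPT_CREATE.join(', '), OAUTH_EXEMPT_TABLES);
  console.log(demo.value);
  console.log('added: ' + demo.added.join(', '));
} else {
  ensureOauthExemptCreate(true); // dry run first; pass false to apply
}
```

Running `missingExemptTables` against the current property value before and after the change is a cheap way to confirm that both user_multifactor_auth (from the default) and oauth_credential are present, rather than trusting a hand-typed string.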
