
"ACL Exception Insert Failed due to security constraints" on a CR Creation via API for the "Admin"

clerambeau3
Mega Contributor

Hi. I am new to ServiceNow. Please help.

I need to create a CR in a PDI via an API. The creation attempt takes place in an Ansible playbook. The user is "admin". This user can create CRs and upload attachments in the Web URL for the PDI by clicking the attachment icon. But the same doesn't work via an API.

 

TASK [Create change request] *****************************************************************************************************************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Unexpected response - 403 b'{\"error\":{\"message\":\"Operation Failed\",\"detail\":\"ACL Exception Insert Failed due to security constraints\"},\"status\":\"failure\"}'"}

 

What privileges may I grant the "Admin" user so it can create CRs and upload attachments? 

There is an already existing thread opened by someone else: https://www.servicenow.com/community/secops-forum/error-quot-acl-exception-insert-failed-due-to-secu...

 

In the middle of it it has a screenshot of how to grant the ACL to the attachments table. But I do not know enough to get to that screen in the PDI Web URL:

 

https://www.servicenow.com/community/secops-forum/error-quot-acl-exception-insert-failed-due-to-secu...

 

So, how do I get there and what do I need to do so the "Admin" (or any other user for that matter) will be able to create/update/delete CRs?

 

Thank you.

1 ACCEPTED SOLUTION

Please create ACLs for the sys_attachment_doc table as well. Also ensure the service account you are using has the same role you give in the ACL.

Mark it helpful if this helps you to understand. Accept solution if this gives you the answer you're looking for
Kind Regards,
Pavani P


6 REPLIES

pavani_paluri
Tera Guru

Hi @clerambeau3 ,

 

1. Log into your PDI
- Go to your ServiceNow instance URL (e.g., https://<your-instance>.service-now.com) and log in as the admin user.
2. Navigate to ACL Configuration
- In the ACL list view, click New to create a new ACL rule.
3. Create ACL for sys_attachment Table
- Type: record
- Operation: create
- Name: sys_attachment
- Requires role: Add admin or any custom role your API user has.
- Condition: Leave blank or set as needed.
- Script: You can leave this empty for basic access.
Repeat this for:
- sys_attachment with read, write, and delete operations.
- sys_attachment_doc with create, read, and write operations.
4. Verify Role Assignment
- Ensure the user has the necessary roles (e.g., admin, rest_api_explorer, or any custom roles you’ve used in ACLs).
5. Test API Access
- Retry your Ansible playbook or API call.
- Ensure you're using a valid Basic Auth or OAuth token with the correct user credentials.

 

Mark it helpful if this helps you to understand. Accept solution if this gives you the answer you're looking for
Kind Regards,
Pavani P
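
The table/operation list from steps 3 and 4 above, turned into an offline checklist audit. This is an added example, not part of the original reply and not ServiceNow's own ACL evaluation logic; the flattened row shape (name, operation, type, active, roles) and the role names in the sample are assumptions made for illustration.

```python
# Added example: offline checklist audit, not ServiceNow's ACL evaluation engine.
# Row shape (name/operation/type/active/roles) is an assumed flattened export.

# Table/operation pairs listed in step 3 of the reply above.
REQUIRED = {
    "sys_attachment": {"create", "read", "write", "delete"},
    "sys_attachment_doc": {"create", "read", "write"},
}


def acl_gaps(acl_rows, user_roles):
    """Return sorted (table, operation) pairs with no usable record ACL."""
    held = set(user_roles)
    usable = set()
    for row in acl_rows:
        if row.get("type") != "record" or not row.get("active", True):
            continue  # only active record-type rules count
        roles = set(row.get("roles", []))
        # Step 4: the API user must hold a role the rule requires.
        if roles and not roles & held:
            continue
        usable.add((row["name"], row["operation"]))
    return sorted(
        (table, op)
        for table, ops in REQUIRED.items()
        for op in ops
        if (table, op) not in usable
    )


# Constructed sample data: "x_api_role" and "other_role" are hypothetical roles.
SAMPLE_ACLS = [
    {"name": "sys_attachment", "operation": "create", "type": "record",
     "active": True, "roles": ["x_api_role"]},
    {"name": "sys_attachment", "operation": "read", "type": "record",
     "active": True, "roles": ["other_role"]},   # role the user lacks
    {"name": "sys_attachment_doc", "operation": "create", "type": "record",
     "active": False, "roles": ["x_api_role"]},  # inactive rule
]

if __name__ == "__main__":
    for table, op in acl_gaps(SAMPLE_ACLS, ["x_api_role"]):
        print(f"missing usable ACL: {table} / {op}")
```

An empty result means every pair from step 3 has an active record ACL whose role requirement the API user meets.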

@pavani_paluri Thank you so very much for the step-by-step clearest instructions I have ever seen.

I am trying your solution now.

 

@pavani_paluri thanks again, but your steps didn't help. I am sure this is because I am not following the steps correctly. I may be missing something. Your instructions are very clear.

Posting below screenshots of the ACLs I have created just now.

 

clerambeau3_0-1760981203319.png

Create a new record in attachment ACL (top):

clerambeau3_1-1760981280684.png

Bottom (for which role):

clerambeau3_2-1760981347775.png

The error I get in Ansible automation is the same:

 

TASK [Create change request] *****************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Unexpected response - 403 b'{\"error\":{\"message\":\"Operation Failed\",\"detail\":\"ACL Exception Insert Failed due to security constraints\"},\"status\":\"failure\"}'"}

 

Thank you for your help, sir!

 

 
