Join the #BuildWithBuildAgent Challenge! Get recognized, earn exclusive swag, and inspire the ServiceNow Community with what you can build using Build Agent.  Join the Challenge.

"ACL Exception Insert Failed due to security constraints" on a CR Creation via API for the "Admin"

Go to solution
clerambeau3
Giga Contributor

‎10-20-2025 04:32 AM

Hi. I am new to ServiceNow. Please help.

I need to create a CR in a PDI via an API. The creation attempt takes place in an Ansible playbook. The user is "admin". This user can create CRs and upload attachments in the Web URL for the PDI by clicking the attachment icon. But the same doesnt work via an API. 

 

TASK [Create change request] *****************************************************************************************************************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Unexpected response - 403 b'{\"error\":{\"message\":\"Operation Failed\",\"detail\":\"ACL Exception Insert Failed due to security constraints\"},\"status\":\"failure\"}'"}

 

What privileges may I grant the "Admin" user so it can create CRs and upload attachments? 

There is an already existing thread opened by someone else: https://www.servicenow.com/community/secops-forum/error-quot-acl-exception-insert-failed-due-to-secu...

 

In the middle of it it has a screenshot of how to grant the ACL to the attachments table. But I do not know enough to get to that screen in the PDI Web URL:

 

https://www.servicenow.com/community/secops-forum/error-quot-acl-exception-insert-failed-due-to-secu...

 

So, how do I get there and what do I need to do so the "Admin" (or any other user for that matter) will be able to create/update/delete CRs?

 

Thank you.

0 Helpfuls
  • 800 Views
1 ACCEPTED SOLUTION

Go to solution
pavani_paluri
Tera Guru
Tera Guru
In response to clerambeau3

‎10-21-2025 12:06 AM

Please create ACLs for  sys_attachment_doc  table as well. Also ensure the servicaccount you are using have same role you give in ACL.

 

Mark it helpful if this helps you to understand. Accept solution if this give you the answer you're looking for
Kind Regards,
Pavani P

View solution in original post

6 REPLIES 6

Go to solution
clerambeau3
Giga Contributor
In response to pavani_paluri

‎10-21-2025 05:08 AM

@pavani_paluri Thank you.  As it turns out, the problem was not on the ServiceNow side. There was a discrepancy between the automation administrator and the ServiceNow administrator. apparently, they have to be one and the same.

Let me explain in case this issue arises in the future for others trying to automate SN. Here is the Ansible automation block opening a change request (this worked fine for Incidents creation, BTW!):

clerambeau3_0-1761047534552.png

The purpose of using the variables is that we create a VAR file looking like this:

clerambeau3_1-1761047659156.png

The VARs file is read only once, so there is no need to paste the credentials each time the ServiceNow ITSM is called to create/alter/delete an Incident or a Change Request. Another upside of using a VARs file is that it can be placed in the Vault and encrypted. So, eve the automation software doesn't see the credentials while it is using them.

However, in my case I made a mistake. The vars file had the default PDI creator account in it, the "aes.creator". So, it kept failing. But once the Ansible user that is logging into ServiceNow (the VARs file) became the same as the user running the ServiceNow ITSM the problem disappeared. I am now able to create CRs via an Automation API, even upload logs and files as attachments before closing:

clerambeau3_2-1761048237590.png

 

So, to reiterate, this was my issue. I should have known better. ServiceNow was not to blame. It did what it was supposed to do.

In any case, thank you for your help and please keep an eye for my future questions. I am new to SN and I am getting more and more fascinated by the product. It is much more than just a place to get my assignments from.

Nestor.

 

 

 

Go to solution
clerambeau3
Giga Contributor
In response to clerambeau3

‎10-22-2025 05:50 AM

Replying to own question, in case someone encounters the same issue in the future.

I went to the PDI and created a CR manually. Then I tried to go to the next step, whatever the internal business rules allowed, outside of automation. I determined that only these steps are allowed in the correct sequence: create, assess, schedule, implement, review, close.

I then simply added the automation steps in between. Then it started to work:

[ansible_admin@lnx000 ansible]$ time ansible-playbook ./playbooks/itsm_databases_password_change.yml -kK
SSH password: 
BECOME password[defaults to SSH password]: 

PLAY [Omni-Vendor Omni-Environment Emergency Password Rotation Process ID 2972.56] ***********************************************************************************************************************************************************************************

TASK [Gathering Facts] ***********************************************************************************************************************************************************************************************************************************************
ok: [localhost]

TASK [Omni-Vendor Omni-Environment Emergency Password Rotation Process ID 2972.56 | 2025-10-22T12:43:39Z] ************************************************************************************************************************************************************
[WARNING]: The value 3 (type int) in a string field was converted to '3' (type string). If this does not look like what you expect, quote the entire value to ensure it does not change.
[WARNING]: Encountered unknown value open while mapping field state.
[WARNING]: Encountered unknown value 3 while mapping field close_code.
[WARNING]: Encountered unknown value  while mapping field close_code.
changed: [localhost]

TASK [debug] *********************************************************************************************************************************************************************************************************************************************************
ok: [localhost] => 
  msg: Ansible is Starting the Omni-Vendor Omni-Environment Emergency Password Rotation Process ID 2972.56 Task | 2025-10-22T12:43:39Z

TASK [Change the New ServiceNow Refresh Task State to "In-Progress" | INC0010074  2025-10-22T12:43:39Z] **************************************************************************************************************************************************************
changed: [localhost]

TASK [debug] *********************************************************************************************************************************************************************************************************************************************************
ok: [localhost] => 
  msg: Automation verified the timing and validity of the approvals for INC0010074 in ServiceNow | 2025-10-22T12:43:39Z

TASK [Prepare Process | 2025-10-22T12:43:39Z] ************************************************************************************************************************************************************************************************************************
ok: [localhost]

TASK [debug] *********************************************************************************************************************************************************************************************************************************************************
ok: [localhost] => 
  msg: Task INC0010074 | Approval 2025-10-22T12:43:39Z

TASK [Cache the main Incident INC0010074 All Playbooks to Re-Use | 2025-10-22T12:43:39Z] *****************************************************************************************************************************************************************************
ok: [localhost]

TASK [Write the main Incident INC0010074 Variable to the Temp Disk on CTRL+ Node | 2025-10-22T12:43:39Z] *************************************************************************************************************************************************************
changed: [localhost -> localhost]

TASK [Create main change request for INC0010074 | 2025-10-22T12:43:39Z] **********************************************************************************************************************************************************************************************
[WARNING]: Encountered unknown value Other while mapping field category.
changed: [localhost]

TASK [Cache the Change Request for INC0010074 | 2025-10-22T12:43:39Z] ************************************************************************************************************************************************************************************************
ok: [localhost]

TASK [debug] *********************************************************************************************************************************************************************************************************************************************************
ok: [localhost] => 
  msg: Task Emergency Password Rotation CHG0030117 for INC0010074 is now being closed | Approval 2025-10-22T12:43:39Z

TASK [Assess the CR CHG0030117 for INC0010074 after a successful execution on 2025-10-22T12:43:39Z] ******************************************************************************************************************************************************************
changed: [localhost]

TASK [Implement the CR CHG0030117 for Incident INC0010074 after a successful execution on 2025-10-22T12:43:39Z] ******************************************************************************************************************************************************
changed: [localhost]

TASK [Review the implementation of the CR CHG0030117 for INC0010074 after a successful execution on 2025-10-22T12:43:39Z] ********************************************************************************************************************************************
changed: [localhost]

TASK [Close the CR CHG0030117 for INC0010074 after a successful execution on 2025-10-22T12:43:39Z] *******************************************************************************************************************************************************************
changed: [localhost]

PLAY RECAP ***********************************************************************************************************************************************************************************************************************************************************
localhost                  : ok=16   changed=8    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   


real    0m18.004s
user    0m2.525s
sys     0m0.933s
[ansible_admin@lnx000 ansible]$
0 Helpfuls