Keeping credential records secure but have any ServiceNow user have read access to make requests
Monday
Hi all,
I'm wondering what the best practices are when developing a ServiceNow app that creates a new table that keeps 3rd party platform credentials, but has the ability to let any ServiceNow user use those credentials to make requests to the 3rd party platform. Are there more than the below options to accomplish this? Is there a way to hide the credentials from users but still let them make requests?
1. Add a new role and create an ACL to read the table with this role. Any ServiceNow user that wants to make requests needs to have this role.
2. Add a new ACL to the table with read access with Public role, but add the security condition that the user must be logged in to ServiceNow.
Wednesday
You should store third party platform credentials in a secured, encrypted credentials table (e.g. sys_credentials or discovery_credentials) with strict ACLs preventing direct user read access (the platform automatically encrypts the password and it cannot be viewed once saved). Instead, build a service layer (script include, Flow Designer action or catalog item UI) that allows any logged in user to trigger the integration using those credentials without ever exposing them. That way you achieve the dual goal of making the functionality broadly available while keeping the secrets hidden and managed securely.
If you found my response helpful, please mark it as ‘Accept as Solution’ and ‘Helpful’. This helps other community members find the right answer more easily and supports the community.
Kaushal Kumar Jha - ServiceNow Consultant - Let's connect on LinkedIn: https://www.linkedin.com/in/kaushalkrjha/
Thursday
Thanks for the reply. I am already using a script include to access the table...when you say "allows any logged in user to trigger the integration", how would you achieve this? It seems to me the access roles of the user are used even in a script include, so if the table is not accessible to anyone (ACL with public role and security condition of logged in is true), then it would still not be able to be accessed by anyone in ServiceNow.
Thursday
So not sure if this is the best way, but I was able to get a non-admin user with no read access to a credentials table to make a request by creating a basic auth credential in table sys_auth_profile_basic and then using the following code in a script include:
// Outbound REST call; the credential is referenced by the sys_id of the auth profile record only
const restMessage = new sn_ws.RESTMessageV2();
restMessage.setAuthenticationProfile("basic", "<sys_id_of_sys_auth_profile_basic>");
Is this the best way? Also, the 3rd party platform also supports using a 2 legged OAuth scheme that accepts a username, password, and client ID. Is there a way to use a 2 legged OAuth scheme with
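The service-layer pattern from the earlier reply and the sys_auth_profile_basic approach in this post fit together as one script-include style wrapper. The block below is an added example and is not code from the thread or from ServiceNow: it keeps the endpoint and the auth profile's sys_id in system properties (the property names `x_thirdparty.endpoint` and `x_thirdparty.auth_profile_sys_id` are assumed), takes only the business input from the caller, and returns nothing but the third party's status and body, so the caller never needs read access to the credential record and cannot redirect the credential to an endpoint of their choosing. Because `gs` and `sn_ws` exist only inside an instance, the block carries constructed stand-ins for the few calls it uses so it can run offline; on the instance the real globals are picked up instead, and the wrapper would be pasted into a normal `Class.create()` script include.

```javascript
'use strict';

// Stand-ins for the ServiceNow globals, used only when this file runs outside an
// instance (e.g. under Node). They are constructed for this example and are NOT the
// platform implementation; on the instance the real gs and sn_ws are used.
function makeStandIns() {
  var props = {
    'x_thirdparty.endpoint': 'https://thirdparty.example/api',           // constructed value
    'x_thirdparty.auth_profile_sys_id': 'constructed-auth-profile-sys-id' // constructed value
  };
  var gsStub = {
    getProperty: function (name) { return props[name]; },
    getUserID: function () { return 'constructed-user-sys-id'; }
  };
  function RESTMessageV2() { this.auth = null; this.endpoint = null; this.method = null; this.body = null; }
  RESTMessageV2.prototype.setEndpoint = function (url) { this.endpoint = url; };
  RESTMessageV2.prototype.setHttpMethod = function (m) { this.method = m; };
  RESTMessageV2.prototype.setRequestBody = function (b) { this.body = b; };
  RESTMessageV2.prototype.setAuthenticationProfile = function (type, sysId) {
    this.auth = { type: type, sysId: sysId };
  };
  RESTMessageV2.prototype.execute = function () {
    // Simulated third-party reply: 401 unless the basic auth profile was attached.
    var auth = this.auth;
    var ok = !!auth && auth.type === 'basic' && auth.sysId === props['x_thirdparty.auth_profile_sys_id'];
    var sent = this.body ? JSON.parse(this.body) : {};
    var reply = ok ? { result: 'created', requestedBy: sent.requestedBy } : { error: 'unauthorized' };
    return {
      getStatusCode: function () { return ok ? 200 : 401; },
      getBody: function () { return JSON.stringify(reply); }
    };
  };
  return { gs: gsStub, sn_ws: { RESTMessageV2: RESTMessageV2 } };
}

var platform = (typeof gs !== 'undefined' && typeof sn_ws !== 'undefined')
  ? { gs: gs, sn_ws: sn_ws }
  : makeStandIns();

// Service layer: the only thing a UI action, client-callable script include or Flow
// action touches. Callers supply business input only; endpoint and credential
// reference come from properties, so a caller cannot point the credential elsewhere.
function ThirdPartyClient() {}

ThirdPartyClient.prototype.createTicket = function (summary) {
  if (typeof summary !== 'string' || summary.trim() === '') {
    return { status: 400, body: JSON.stringify({ error: 'summary must be a non-empty string' }) };
  }
  var g = platform.gs;
  var rm = new platform.sn_ws.RESTMessageV2();
  rm.setEndpoint(g.getProperty('x_thirdparty.endpoint') + '/tickets');
  rm.setHttpMethod('post');
  rm.setRequestBody(JSON.stringify({ summary: summary.trim(), requestedBy: g.getUserID() }));
  // The password stays in sys_auth_profile_basic; only the record's sys_id is referenced.
  rm.setAuthenticationProfile('basic', g.getProperty('x_thirdparty.auth_profile_sys_id'));
  var resp = rm.execute();
  // Only status and body leave the service layer; no credential material is returned.
  return { status: resp.getStatusCode(), body: resp.getBody() };
};
```

If the operation should not be open to every logged-in user, the place to gate it is inside the wrapper (for example a `gs.hasRole()` check before the call), not on the credential table: the table ACL stays closed either way.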
