Create a Service Account and assign Roles

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read

    • Create a dedicated non-interactive Service Account in User Administration and assign the appropriate SQL API access role to enable secure, programmatic access for BI tools and analytics platforms.

    Before you begin

    Role required: admin

    About this task

    To enable SQL API access for BI tools and analytics platforms, you must create a dedicated Service Account (non-interactive user) in your ServiceNow instance and assign the appropriate role. Service Accounts are the recommended approach for programmatic access. Using personal user accounts is not supported, as reports and dashboards will fail if that user's permissions change or the user leaves the organization.

    You can create multiple Service Accounts, each with different roles and access levels. For example, one account may have ODBC access to a limited set of tables, while another has JDBC access to a broader dataset. This lets you apply granular access control per integration or team.

    Note:
    Consider creating Service Accounts for BI implementations to maintain report continuity. Personal user accounts are not supported as the reports and dashboards will fail if the user loses access permissions or leaves the organization.

    Procedure

    1. Navigate to All > User Administration > Users.
    2. Select New.
    3. On the User form, fill in the following fields:
      Table 1. User form
      Field Description
      User ID Unique identifier for this service account's login username. For example: odbc.user, jdbc.user, or sqlapi.user.
      First name Optional for service account.
      Last name Optional for service account.
      Identity Type Type. Select Machine from the dropdown list. This designates the account as a non-interactive user, meaning it can only connect to ServiceNow from an API protocol.
      Password needs reset

      Do not check this check box as this is a machine account. To set a password for this service account, save the record first, then in the list view double-click (or use the keyboard shortcut) the Password field for this account and set the password.
      Do not change any other settings.
      Note:
      Non-interactive (Machine) users cannot complete MFA challenges. Confirm that MFA is turned off for all SQL API Service Accounts.
    4. Select and hold (or right-click) the form header and select Save.
    5. On the Roles tab, select Edit.

      Each Service Account must be assigned at least one role to determine which SQL API protocol it is permitted to use. You can assign a single role or both roles to one account, or create separate accounts for each. Admins should consider using separate accounts with different roles when different security policies or access levels apply.

    6. In the Collection list, select one or all of the following roles and move them to the Roles list:
      • To access data via the ODBC driver, choose sn_odbc_rest_access.
      • To access data via the JDBC driver, choose sn_jdbc_rest_access.
      • To turn off row and field-level checks at the Service Account level, choose sn_sql_api_privileged_mode.
      Selecting desired roles in the Collection list.

      Make sure that service account has the required roles with read-access enabled on the desired tables.

    7. Select Save.

    Result

    The Service Account is now created with the appropriate SQL API access role. This account can be used to authenticate ODBC or JDBC connections from BI tools and analytics platforms. The account will only be able to query tables for which explicit access has been granted through Access Control Lists (ACLs). See Create Access Control Lists (ACLs) for SQL API.