Create Access Control Lists (ACLs) for SQL API

  • Release version: Australia
  • Updated March 12, 2026

    Configure table-level access control using the egress_sql and read operations to grant Service Accounts query access to specific tables through the SQL API.

    Before you begin

    Role required: security_admin

    Make sure the following prerequisites are in place:

    • You have created a Service Account and assigned it the sn_odbc_rest_access or sn_jdbc_rest_access role.
    • You have identified which ServiceNow tables need to be accessible via the SQL API.

    About this task

    Access to tables through the SQL API is not granted globally. For each table that a Service Account needs to query, you must create two Access Control Lists (ACLs): one for the egress_sql operation (which controls SQL API data export) and one for the read operation (which controls record-level access). A Service Account can only query tables for which both ACLs have been explicitly configured.

    You must repeat this procedure for each table and each role combination that requires SQL API access. If you have multiple Service Accounts with different roles, you may need to create separate ACLs for each role and table combination.

    Procedure

    1. Navigate to All > System Security > Access Control (ACL).
    2. Select New.
    3. On the Access Control form, configure the first ACL for the egress_sql operation:
      Field          Description
      Operation      Select egress_sql from the drop-down list. This operation controls whether data can be exported via the SQL API.
      Decision Type  Allow if
      Name           Select the table you want to grant access to (for example, incident [incident] or cmdb_ci).
      Requires role  Enter the role assigned to your Service Account (for example, sn_odbc_rest_access or sn_jdbc_rest_access).
    4. Right-click the form header and select Save.
    5. Select New to create the second ACL for the same table.
    6. On the Access Control form, configure the second ACL for the read operation:
      Field          Description
      Operation      Select read from the drop-down list. This operation controls record-level access to the table.
      Decision Type  Allow if
      Name           Select the same table you specified in the egress_sql ACL.
      Requires role  Enter the same role you specified in the egress_sql ACL.
    7. Right-click the form header and select Save.
    8. Repeat steps 2 through 7 for each additional table that requires SQL API access.
      You have now created both required ACLs (egress_sql and read) for each table.

    Result

    You have successfully configured table-level access control for the SQL API. The Service Account can now query the tables for which both egress_sql and read ACLs have been created, subject to the role requirements you specified.

    Remember that access is granted on a per-table basis. If you need to grant access to additional tables, or if you create additional Service Accounts with different roles, you must repeat this procedure to create the appropriate ACLs.
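
Because access depends on a matching egress_sql and read pair for every table and role, a periodic check of the configured ACLs against the intended table list catches half-configured pairs and tables that were exposed without being planned. The following is an added example, not ServiceNow code: the row shape (table, operation, role, active), the sample rows, and the plan object are constructed assumptions, and inactive ACLs are treated as absent.

```javascript
// Added example: field names and sample rows are constructed assumptions.
const REQUIRED_OPS = ["egress_sql", "read"];

// One row per ACL and required role, e.g. from a JSON export of ACL records.
const sampleAcls = [
  { table: "incident", operation: "egress_sql", role: "sn_odbc_rest_access", active: true },
  { table: "incident", operation: "read",       role: "sn_odbc_rest_access", active: true },
  { table: "cmdb_ci",  operation: "egress_sql", role: "sn_odbc_rest_access", active: true },
  { table: "cmdb_ci",  operation: "read",       role: "sn_odbc_rest_access", active: false },
  { table: "sys_user", operation: "egress_sql", role: "sn_jdbc_rest_access", active: true },
  { table: "sys_user", operation: "read",       role: "sn_jdbc_rest_access", active: true },
];

// Tables each role is meant to reach through the SQL API (hypothetical plan).
const samplePlan = {
  sn_odbc_rest_access: ["incident", "cmdb_ci"],
  sn_jdbc_rest_access: ["cmdb_ci"],
};

function auditSqlApiAcls(acls, plan) {
  const ops = new Map(); // "role|table" -> Set of active operations found
  const keyOf = (role, table) => `${role}|${table}`;
  // Seed planned pairs so a pair with no ACL at all is still reported.
  for (const [role, tables] of Object.entries(plan)) {
    for (const table of tables) ops.set(keyOf(role, table), new Set());
  }
  for (const acl of acls) {
    if (!acl.active || !REQUIRED_OPS.includes(acl.operation)) continue;
    const key = keyOf(acl.role, acl.table);
    if (!ops.has(key)) ops.set(key, new Set());
    ops.get(key).add(acl.operation);
  }
  const report = { ok: [], incomplete: [], unexpected: [] };
  for (const [key, found] of ops) {
    const [role, table] = key.split("|");
    const missing = REQUIRED_OPS.filter((op) => !found.has(op));
    const planned = (plan[role] || []).includes(table);
    if (missing.length > 0) report.incomplete.push({ role, table, missing, planned });
    else if (planned) report.ok.push({ role, table });
    else report.unexpected.push({ role, table }); // queryable but not in the plan
  }
  return report;
}

console.log(JSON.stringify(auditSqlApiAcls(sampleAcls, samplePlan), null, 2));
```

Entries under unexpected are tables a role can query through the SQL API that nobody listed as intended; entries under incomplete are pairs where the Service Account cannot yet query the table.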