Personal authentication and document access permissions in policy authoring
Summary of Personal authentication and document access permissions in policy authoring
Policy authoring in ServiceNow enables users to link, create, and collaborate on policy documents hosted in Microsoft SharePoint or Google Drive directly from policy records. These documents undergo review and approval workflows before being published as Knowledge Base articles. To interact with these cloud services, ServiceNow requires authenticated API connections, supporting two authentication modes: system account authentication and personal authentication.
Authentication Modes
- System account authentication: Uses a shared service account for document operations (create, connect, upload, sync, and access management). Documents are registered under this account’s identity, resulting in audit trails reflecting the service account rather than individual users.
- Personal authentication: Enables document operations to run under the individual user’s Microsoft O365 or Google credentials, preserving user identity in audit trails. Supported for Microsoft SharePoint and Google Drive (My Drive and Shared Drives), but not for Microsoft OneDrive.
ServiceNow employs a hybrid authentication model where personal authentication handles create, connect, and upload operations, while system account credentials manage access permissions and content synchronization. The service account must maintain sharing access to all documents to ensure smooth permission updates and syncing.
When personal authentication is enabled, users encounter a one-time authentication prompt per session to authorize access. For SharePoint, this leverages the existing Microsoft O365 session; for Google Drive, users select accounts and authenticate separately for Drive and Docs.
Document Access Permissions
Access to linked documents is automatically managed from ServiceNow based on the policy's workflow state and user roles associated with the policy:
- Owner: Manages the policy record and authoring workflow.
- Contributor: Drafts the policy document.
- Reviewer: Reviews the policy document before approval.
- Approver: Approves the policy for publishing.
Access levels dynamically adjust as the policy progresses through states such as Draft, Review, Awaiting Approval, and Approved. It is crucial that user email addresses in ServiceNow match their Microsoft or Google accounts to ensure correct access provisioning.
If a document linked to a policy is swapped, ServiceNow revokes access to the old document and grants access to the new one asynchronously, with a possible short delay in reflecting changes in the cloud location.
Important Considerations
- Document access permissions are managed one-way from ServiceNow to the cloud; manual changes in SharePoint or Google Drive are not synchronized back and will be overwritten when the policy state updates.
- To prevent permission conflicts, it is recommended to manage document access exclusively through the Document Access tab in the ServiceNow policy record rather than directly in the cloud services.
Policy authoring supports a hybrid authentication model that combines a shared system account with personal user credentials to enable document operations in Microsoft SharePoint and Google Drive.
Policy authoring enables users to link policy documents hosted in Microsoft SharePoint or Google Drive to policy records in ServiceNow. Users can create, connect, or upload documents from a policy record and collaborate on the document in the cloud location. After the review and approval process is complete, the finalized document content is published as a Knowledge Base article in ServiceNow.
Policy authoring supports two authentication modes for the API connection to the cloud location:
- System account authentication
- Personal authentication
System account authentication
In system account authentication, document operations, such as creating, connecting, uploading, synchronizing content, and managing access permissions, run under a shared non-personal service account.
When a user creates or uploads a document from a policy record, the document is registered in the cloud location under the service account identity, not the individual user's identity. As a result, the audit trail in SharePoint or Google Drive reflects the service account as the author or modifier of all documents, regardless of which user performed the action in ServiceNow.
Personal authentication
Personal authentication was introduced to address the loss of individual user identity in the audit trail. When personal authentication is enabled, the create, connect, and upload operations run under the logged-in user's personal Microsoft O365 or Google account credentials. Documents created or modified from ServiceNow are registered in the cloud location under the individual user's identity, enabling accurate audit traceability of who initiated each document operation.
Personal authentication is supported for the following cloud locations:
- Microsoft SharePoint
- Google Drive (My Drive and Shared Drives)
Hybrid authentication model
Enabling personal authentication does not replace the system account entirely. Policy authoring uses a hybrid model in which personal credentials and system account credentials each handle a specific set of operations.
| Operation | Personal authentication enabled | Personal authentication inactive (default) |
|---|---|---|
| Create document | Personal credentials | System account |
| Connect existing document | Personal credentials | System account |
| Upload document | Personal credentials | System account |
| Grant and update document access permissions | System account | System account |
| Sync document content (Update link) | System account | System account |
As document access permissions and content sync always run under the system account, the service account must have sharing access to all documents hosted in SharePoint or Google Drive, even when personal authentication is enabled. If the service account does not have the required access, document access updates and content sync operations will fail.
Document access permissions
When a document is linked to a policy record, ServiceNow automatically grants access to the document for the users associated with the policy. Access is managed from ServiceNow to the cloud location only. Changes made directly to document permissions in SharePoint or Google Drive aren't reflected back in ServiceNow.
The four roles involved in policy authoring are:
- Owner: The policy owner who manages the policy record and drives the authoring workflow.
- Contributor: Users who contribute to drafting the policy document.
- Reviewer: Users who review the policy document before approval.
- Approver: Users who approve the policy before it is published.
The access level granted to each role in the cloud document changes as the policy moves through its workflow states.
| Policy state | Owner | Contributor | Reviewer | Approver |
|---|---|---|---|---|
| Draft | Edit | Edit | — | — |
| Review | Edit | View | Edit | View |
| Awaiting Approval | View | View | View | View |
| Approved | View | View | View | View |
Behavior when a document is swapped
If a policy owner changes the document linked to a policy record by connecting a different document, the access permissions on the previous document are revoked and new access permissions are granted on the replacement document. This applies to both SharePoint and Google Drive.
Document access updates run asynchronously. There may be a short delay before the updated access is reflected in the cloud location after a document is swapped.
One-way permission sync
Document access permissions are managed in one direction only, from ServiceNow to the cloud location. If a user manually modifies document permissions directly in SharePoint or Google Drive, those changes aren't captured in ServiceNow. The next time the policy changes state, ServiceNow will overwrite the manually applied permissions with the access levels defined for that state.
To avoid permission conflicts, manage document access through the Document access tab in the policy record rather than directly in SharePoint or Google Drive.
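The following is an added example, not ServiceNow code, that models the behavior described in the access table, the document-swap section and the one-way sync section: it derives the policy-managed ACL from the policy state and role assignments, reconciles it against what is currently set in the cloud location (so a manually added grant is revoked), and shows what a document swap does to the old and replacement documents. The service account address and the policy members are constructed placeholders.

```javascript
// Added example (not ServiceNow code): derives the policy-managed document ACL
// from the policy state and role assignments, then reconciles it one-way to the
// cloud location. Placeholder addresses are constructed for illustration.
const SERVICE_ACCOUNT = 'svc-policy@example.com'; // hypothetical service account

// Access matrix from the policy-state table: state -> role -> access level.
// Roles missing from a state have no access in that state.
const ACCESS_MATRIX = {
  'Draft':             { Owner: 'Edit', Contributor: 'Edit' },
  'Review':            { Owner: 'Edit', Contributor: 'View', Reviewer: 'Edit', Approver: 'View' },
  'Awaiting Approval': { Owner: 'View', Contributor: 'View', Reviewer: 'View', Approver: 'View' },
  'Approved':          { Owner: 'View', Contributor: 'View', Reviewer: 'View', Approver: 'View' },
};

// Desired ACL for a policy: email -> level. The service account always keeps
// Edit because permission updates and content sync run under it.
function desiredAcl(policy) {
  const byRole = ACCESS_MATRIX[policy.state];
  if (!byRole) throw new Error(`unknown policy state: ${policy.state}`);
  const acl = { [SERVICE_ACCOUNT]: 'Edit' };
  for (const { email, role } of policy.members) {
    const level = byRole[role];
    if (!level) continue;
    // A user holding several roles gets the highest level (Edit over View).
    if (acl[email] !== 'Edit') acl[email] = level;
  }
  return acl;
}

// One-way reconciliation: the operations that bring the cloud ACL to the
// desired state. A grant added manually in SharePoint or Google Drive is not
// in `desired`, so it is revoked; the service account is never revoked.
function reconcile(currentAcl, desired) {
  const ops = [];
  for (const [email, level] of Object.entries(desired)) {
    if (currentAcl[email] !== level) ops.push({ op: 'grant', email, level });
  }
  for (const email of Object.keys(currentAcl)) {
    if (!(email in desired) && email !== SERVICE_ACCOUNT) ops.push({ op: 'revoke', email });
  }
  return ops;
}

// Document swap: policy users lose access on the old document and the
// replacement receives the full desired ACL (both run asynchronously in practice).
function swapDocument(policy, oldAcl, newAcl) {
  return { old: reconcile(oldAcl, {}), replacement: reconcile(newAcl, desiredAcl(policy)) };
}
```

Because `desiredAcl` is keyed by e-mail address, a ServiceNow user whose address does not match the Microsoft or Google account simply never appears in the cloud ACL, which is the provisioning failure the e-mail matching requirement guards against.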