Permissions required for DevOps tools

  • Release version: Australia
  • Updated March 12, 2026
  • 5 minutes to read

    Permissions required in your third-party tool to connect to DevOps Change Velocity.

    Azure DevOps permissions

    Important:
    With the access level permissions specified in the following table in Azure DevOps, and the ServiceNow DevOps extension, you can connect to Azure DevOps from ServiceNow. Your Azure DevOps admin does not have to manually configure webhooks and service connections in Azure DevOps.
    Important:
    • When onboarding a Project, the Project Administrators privilege requires the owner of the PAT to be a member of the project's Project Administrators group.
    • When onboarding an Organization, the Project Administrators privilege requires the owner of the PAT to be a member of the organization's Project Collection Administrators group.
    | Object | Permissions required | Impact |
    |---|---|---|
    | Work Items | Read | Required to discover the boards and receive the work items either through import, polling, or real time with a configured webhook. |
    | Code | Read | Required to discover repositories and receive branches, commits, and tags either through import, polling, or real time with a configured webhook. |
    | Build | Read and execute | Read: Required to discover the build pipelines and receive pipeline execution details like stages, artifacts, test results, code security results, and so on, either through import, polling, or real time with a configured webhook. Execute: Required to pause or resume the pipelines based on the change control step. |
    | Release | Read, write, and execute | Read: Required to discover the release pipelines and receive pipeline execution details like stages, artifacts, test results, code security results, and so on, either through import, polling, or real time with a configured webhook. Write and Execute: Required to pause or resume the pipelines based on change control step. |
    | Test Management | Read | Required to receive test results for pipeline execution. |
    | Service Connections | Read, query, and manage | Required to create Service connection automatically which is used to configure ServiceNow tasks like change acceleration, artifact, and package registration, and so on. |
    | Packaging | Read | Required to discover the artifact repositories and receive the feeds and packages either through import, polling, or real-time with a configured webhook. |
    | Permissions | Project Administrators | Required to create webhooks automatically to receive data in real-time and to create Service connections automatically which is used to configure ServiceNow tasks like change acceleration, artifact and package registration, and so on. |

    Limitation of Azure DevOps
    If you create an Azure tool with a custom-defined access level and later reconfigure that tool because of a change in your Integration user credentials, the existing service hooks for release created and release deployment are not updated. Instead, two new service hooks are created with the new configuration details. To avoid duplicating these service hooks, you must create the tool with full access level.

    Bitbucket

    | Object | Permissions required | Impact |
    |---|---|---|
    | Account | Read | Required to discover repos and fetch branches, commit, pull requests, and tags either through import, polling, or configured webhook. |
    | Projects | Read | Required to discover repos and fetch branches, commit, pull requests, and tags either through import, polling, or configured webhook. |
    | Webhooks | Read and write | Required to discover repos and fetch branches, commit, pull requests, and tags either through import, polling, or configured webhook. |
    | Pull requests | Read | Required to discover repos and fetch branches, commit, pull requests, and tags either through import, polling, or configured webhook. |

    GitHub permissions

    The following table lists the GitHub permissions for basic authentication.

    | Object | Permissions required | Impact |
    |---|---|---|
    | repo | repo | Required to discover repositories and their respective workflows and receive branches, commits, pull requests, and tags either through import, polling, or real-time with a configured webhook. |
    | admin:repo_hook | write:repo_hook | Required to create webhooks automatically to receive repo data in real time. |
    | admin:repo_hook | read:repo_hook | Required to look up already existing webhooks before any new webhook is automatically created to receive repo data in real time. |
    | user | user:email | Required to discover pull request actors like approvers, raised by, merged by, reviewers, and assignees either through import, polling, or real time with a configured webhook. |
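
One way to check an integration credential against the basic authentication table above before onboarding it (an added example, not ServiceNow or GitHub code). It assumes the credential is a classic GitHub token whose granted scopes GitHub reports in the `X-OAuth-Scopes` response header; the header values below are constructed, and the implication map follows GitHub's documented scope hierarchy.

```python
# Added example: audit granted GitHub token scopes against the page's
# basic-authentication table and flag missing or over-broad scopes.

# Scopes listed in the "Permissions required" column of the table.
REQUIRED = {"repo", "write:repo_hook", "read:repo_hook", "user:email"}

# Assumption: a broader scope grants the narrower ones beneath it,
# as described in GitHub's OAuth scope documentation.
IMPLIES = {
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
    "user": {"read:user", "user:email", "user:follow"},
    "repo": {"repo:status", "repo_deployment", "public_repo",
             "repo:invite", "security_events"},
}


def parse_scopes(header_value):
    """Split an X-OAuth-Scopes value such as 'repo, user:email' into a set."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def expand(scopes):
    """Return the given scopes plus every scope they imply."""
    effective, stack = set(), list(scopes)
    while stack:
        scope = stack.pop()
        if scope not in effective:
            effective.add(scope)
            stack.extend(IMPLIES.get(scope, ()))
    return effective


def audit(header_value):
    """Report required scopes that are absent and granted scopes beyond the table."""
    granted = parse_scopes(header_value)
    missing = REQUIRED - expand(granted)
    allowed = expand(REQUIRED)  # required scopes and anything they already imply
    excess = {s for s in granted if s not in allowed}
    return {"missing": sorted(missing), "excess": sorted(excess)}


if __name__ == "__main__":
    # Constructed header values, not captured from a real account.
    for sample in ("repo, write:repo_hook, read:repo_hook, user:email",
                   "repo, admin:repo_hook, user, delete_repo",
                   "public_repo, read:repo_hook"):
        print(sample, "->", audit(sample))
```

A token that reports `admin:repo_hook` or `user` satisfies the table but shows up under `excess`, because those parent scopes grant more than the listed `write:repo_hook`, `read:repo_hook`, and `user:email`.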

    The following table lists the GitHub permissions required for OAuth 2.0 authentication.

    | Object | Permissions required | Impact |
    |---|---|---|
    | Actions | Read-only | Required to receive workflows associated with the respective repos in real time with a configured webhook. |
    | Contents | Read-only | Required to discover repositories and their respective workflows and receive branches, commits, and tags either through import/polling or real time with a configured webhook. |
    | Deployments | Read and write | Required to resume the workflow which has environment with ServiceNow change as an environment secret. |
    | Environments | Read-only | Required to look up existing environment secrets for change creation. |
    | Metadata | Read-only | Required to discover repositories and their respective workflows. |
    | Secrets | Read-only | Required to get access to environment secrets (to create change). |
    | Webhooks | Read and write | Required to create webhook automatically to receive repo data in real time. Note: Read and write permissions are required to configure webhooks from ServiceNow. |
    | Pull requests | Read-only | Required to discover pull requests and receive related details like pull request ID, commits, raised by, approvers, comments, reviewers, etc., either through import/polling or real time with a configured webhook. |
    | Checks | Read-only | Required to process workflow events associated with private repositories. |

    GitLab permissions

    | Object | Permissions required | Impact |
    |---|---|---|
    | api | Read and write | Required to discover plans, repos, and pipelines and receive branches, commit, and tags, and pipeline execution details (like stages, artifacts, test results, code security results), work items, tags, branches, and commits either through import, polling, or real time with a configured webhook. Also, to pause or resume the pipelines based on change control step. |

    Jenkins permissions

    | Object | Permissions required | Impact |
    |---|---|---|
    | Overall | Read | Required to discover the pipelines and receive pipeline execution details like jobs or stages, artifacts, test results, code security results, and so on, either through import, polling, or real time with ServiceNow DevOps Jenkins plugin. |
    | Job | Read | Required to discover the pipelines and receive pipeline execution details like jobs or stages, artifacts, test results, code security results, and so on, either through import, polling, or real time with ServiceNow DevOps Jenkins plugin. |

    JFrog permissions

    | Object | Permissions required | Impact |
    |---|---|---|
    | Roles | Administer Platform | Required to access artifact details like artifact name, artifact repo, and artifact version. |

    Jira permissions

    | Object | Permissions required | Impact |
    |---|---|---|
    | Groups | jira-software-users | Required to discover plans and fetch features, stories, and so on, either through import, polling, or configured webhook. |
    | Permissions | Jira Administrators | Required to create webhooks automatically for fetching features and stories in real time. |