Permissions-based access control

  • Release version: Australia
  • Updated March 12, 2026
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Permissions-based access control

    This content explains how ServiceNow’s Now Assist platform uses permissions-based access control to ensure AI agents operate securely and with least-privilege access. AI agents perform tasks ranging from simple automation to complex problem solving, and must be restricted by roles and Access Control Lists (ACLs) to prevent unauthorized actions or data access. The system enforces access boundaries through agent role inheritance, identity types, role masking, and user identity verification.

    Key Features

    • Access Control Lists (ACLs): Define who can invoke an AI agent and which data the agent can access once invoked.
    • User Identities: Determine the scope of data access for AI agents during operation.
    • Role Masking: Allows administrators to create an allow-list of roles that AI agents and workflows inherit from invoking users, enforcing least-privilege access during tool execution.
    • Guided Security Configuration: Step-by-step setups for AI agents, agentic workflows, and custom skills to specify user and data access permissions.
    • Manual Access Testing: Enables verification that only authorized users can discover and invoke AI agents or workflows.
    • Role Definitions: Documentation of Now Assist admin roles, including roles for creating, editing, configuring skills and settings, and read-only console access.

    Key Outcomes

    • AI agents operate strictly within defined permission boundaries, minimizing risks of unauthorized access or actions.
    • Administrators can precisely control which users and roles can invoke AI agents or workflows and what data they can access.
    • Role masking ensures agents inherit only necessary permissions from users during execution, supporting least-privilege security principles.
    • Guided configuration and testing improve security posture by simplifying setup and validation of access controls.
    • Clear role references help administrators manage permissions efficiently, ensuring compliance and governance of AI agent activities.

    Use Agent Role Inheritance, identity types, and granular roles to verify your AI agents have only the permissions they need, and can act only within their intended boundaries.

    ServiceNow uses AI agents to perform tasks that range from simple automated responses to complex problem solving. AI agents are restricted by their assigner roles and are subject to the same ACL limitations as standard users.

    Now Assist provides several mechanisms to enforce least-privilege access across your
    • Access control lists (ACLs) that determine who can invoke an agent
    • User identities that define what data an agent can access once invoked
    • Role masking that limits inherited permissions during tool execution
    These controls help avoid agentic overreach and verify that AI agents operate within boundaries you define.

    Access controls for AI agents

    The following topics describe how to implement, configure, and verify access controls for Now Assist AI agents and agentic workflows.

    Implement access control in Now Assist AI agents
    Understand how ACLs and user identities work together across agentic workflows, AI agents, and tools to control who can invoke an agent and what resources it can access once invoked.
    Role masking in Now Assist AI agents
    Use role masking to define an allow-list of roles that agentic workflows and AI agents can inherit from invoking users, enforcing least-privilege access during tool execution.
    Define security controls for an AI agent
    Step through the AI agent guided setup to configure who can access an agent and what data it can act on, covering both user access and data access settings.
    Define security controls for an agentic workflow
    Step through the agentic workflow guided setup to configure who can access a workflow and what data it can act on, covering both user access and data access settings.
    Test user access to an AI agent
    Run a manual access test to confirm that only the intended users can discover and invoke a given AI agent.
    Test user access to an agentic workflow
    Run a manual access test to confirm that only the intended users can discover and invoke a given agentic workflow.
    Configure security controls for a skill
    Configure access control for custom skills built with the Now Assist Skill Kit to manage who can invoke skill-based functionality.

    Roles and permissions reference

    The following reference topics describe the roles installed with Now Assist and what each role permits.

    Now Assist Admin roles
    A reference list of the roles installed with Now Assist Admin, including the permissions required to activate and manage Now Assist features and skills.
    Now Assist Admin [sn_nowassist_admin.nsa_admin]
    Details the sn_nowassist_admin.nsa_admin role, which allows users to create, edit, and configure Now Assist skills and settings.
    Now Assist Admin console user [sn_nowassist_admin.user]
    Details the sn_nowassist_admin.user role, which provides read-only access to the Now Assist Admin console.