Configure SQL API plugin on your ServiceNow instance

  • Release version: Zurich
  • Updated March 12, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Configure SQL API plugin on your ServiceNow instance

    Configuring the SQL API plugin on your ServiceNow instance enables integration with external BI tools and analytics platforms such as Power BI, DB Visualizer, or custom ODBC/JDBC clients. This integration enhances your reporting and data analysis capabilities by allowing secure, programmatic access to ServiceNow data.

    Show full answer Show less

    The configuration requires a system administrator to perform three sequential steps. Each step must be completed before proceeding to the next to ensure proper setup and security.

    Prerequisites

    • System administrator access to your ServiceNow instance.
    • SQL API plugin installed on the instance.
    • Consultation with your network team to identify IP address ranges for ODBC/JDBC client machines.
    • Identification of ServiceNow tables that need to be accessed via the SQL API.

    Configuration Steps

    • Create a Service Account and assign Roles: Create a dedicated, non-interactive (machine) Service Account in User Administration. Assign the snodbcrestaccess or snjdbcrestaccess role. Multiple Service Accounts can be created with different roles and restrictions for various integrations or teams. To disable table, row, and field-level access checks, assign the snsqlapiprivilegedmode role to the Service Account.
    • Create Access Control Lists (ACLs) for SQL API: For each table that the Service Account needs to query, configure two ACLs: one for the egresssql operation (SQL API data export) and one for read (record-level access). This ensures granular, table-level access control.
    • Create IP filter criteria: Define and restrict which IP addresses or IP ranges are allowed to connect via the ODBC/JDBC driver. By default, all IPs are blocked. Configure the SQL API Authentication Policy with an IP filter and related policy condition to permit access only from trusted client machines.

    Expected Outcomes

    • The Service Account(s) will be able to connect to your ServiceNow instance through ODBC or JDBC and query only the tables explicitly allowed by configured ACLs.
    • Multiple Service Accounts allow separate, independently managed access for different BI tools or teams.
    • Access is granted on a per-table basis; global access is not provided. Both egresssql and read ACLs must be configured per table.
    • Service Accounts must be used instead of personal user accounts to ensure continuity and avoid disruptions if individual users lose access or leave the organization.
    • Multi-factor authentication (MFA) must be disabled for SQL API Service Accounts since non-interactive users cannot complete MFA challenges.

    Overview of the three-step configuration process required to enable SQL API access including prerequisites and expected outcomes.

    Configuring the SQL API on your instance enables you to integrate your ServiceNow data with external BI tools and analytics platforms such as Power BI, DB Visualizer, or custom ODBC/JDBC clients, enhancing your reporting and data analysis capabilities.

    This configuration requires a system administrator to complete three sequential procedures. Complete each procedure before proceeding to the next.

    Before you begin

    Verify the following prerequisites are in place before starting:

    • You have system administrator access to your ServiceNow instance.
    • The SQL API plugin is installed on your instance.
    • You consulted your network team to identify the IP address range for your ODBC/JDBC client machines.
    • You identified which ServiceNow tables must be accessible via the SQL API.

    Configuration steps

    Complete the following three procedures to configure SQL API access on your instance:

    Step Procedure Description
    1 Create a Service Account and assign Roles Create a dedicated non-interactive (Machine) Service Account in User Administration. Assign it the sn_odbc_rest_access or sn_jdbc_rest_access role. You can create multiple Service Accounts, each with different roles and security restrictions, to support different integrations or teams. By default, the SQL API checks access at the table, row, and field level for every query. You can turn them off by assigning the sn_sql_api_privileged_mode role to the service account.
    2 Create Access Control Lists (ACLs) for SQL API Configure table-level access using the egress_sql operation. For each table the Service Account needs to query, create two ACLs. Create one for egress_sql (SQL API data export) and one for read (record-level access). Repeat this for each table and each role combination.
    3 Create IP filter criteria Define which IP addresses or IP ranges are permitted to connect via the ODBC/JDBC driver. By default, all incoming IPs are blocked. Configure the SQL API Authentication Policy with an IP filter and policy condition. This allows access only from trusted client machines.

    What to expect

    After completing all three procedures, your Service Account will be able to connect to your ServiceNow instance via ODBC or JDBC and query the tables for which access has been granted.

    Keep the following in mind:

    • Multiple Service Accounts: You can create multiple Service Accounts with different roles and access control settings. This allows different BI tools or teams to have separate, independently managed access.
    • Table-level access via egress_sql: Access is not granted globally. Each table requires its own egress_sql and read ACL. A Service Account can only query tables for which both ACLs are explicitly configured.
    • Use Service Accounts: Personal user accounts are not supported. Reports and dashboards will break if the associated user loses access or leaves the organization. Service Accounts promote continuity.
    • Turn off MFA: Non-interactive (Machine) users cannot complete MFA challenges. Confirm that MFA is turned off for all SQL API Service Accounts.