Explore ServiceNow access control

  • Release version: Zurich
  • Updated July 31, 2025
  • 4 minutes to read

    The SNC Access Control plugin (com.snc.snc_access_control) enables you to control which Customer Service and Support employees can access your instance, and when.

    When you first activate the plugin, Customer Service and Support employees cannot log into the instance. Any currently logged-in Customer Service and Support employees remain logged in. You create records in the SNC Access Control table that grant access to specific SNC employees or all employees.

    The plugin prevents Customer Service and Support personnel from accessing your instance without your express permission. However, other authorized ServiceNow Operations personnel, in their capacity to support and manage the product and verify usage, are still required to perform administrative actions on the underlying infrastructure. This infrastructure includes the servers and databases, among other components, that make up the SaaS solution. This access method is fully auditable and tracked.

    Because this plugin lets you restrict access to your instance until you give express permission, it may affect support service levels and the Availability SLA. The Availability SLA is then measured from the time that Support personnel are granted access to your instance.

    Login security

    Security for authorized Customer Service and Support employee logins to instances employs encrypted tokens generated by a secure server. Only properly authenticated Customer Service and Support employees are granted access to an instance. Without the SNC Access Control plugin, the security server ensures that access rights are enforced on hi.service-now.com. When the plugin is enabled, the encrypted login tokens must also match names in the plugin-provided access list, using the criteria defined in those records. This method of authentication enables you to determine precisely which Customer Service and Support employees may access your instance, and when these employees may do so.

    The architecture chosen for this system has several features designed to enhance security for your instances:
    Security server
    The security server is a locked-down Linux host that only ServiceNow security personnel can access. This server is the only system that has access to the critical private encryption key necessary to produce the login tokens. By using this compartmentalization (a standard security practice), the private key is protected, even in the unlikely event that an attacker compromises the HI instance.
    Synthetic user
    The facility on instances that enables authorized Customer Service and Support employees to log into your instance does not require an account to be provisioned on that instance. There is no user record provisioned, and no permanent or persisted credentials. Instead, a synthetic user is created for each Customer Service and Support employee logon. This user exists only in memory and provides no ongoing privileges. If the SNC Access Control plugin is enabled, you can deauthorize any Customer Service and Support employee at any time.
    Tokens
    The security tokens are specific to an instance and a particular Customer Service and Support employee. In addition, the mechanism that generates the tokens only works with actual Customer Service and Support employee logins to HI, not impersonated users. Once a security token is generated, only a specific Customer Service and Support employee can use it to log into an instance.
    Time limit
    Security tokens expire four hours after they are generated. This expiration limits the utility of hijacked tokens, which can only be used during this short window.
    Logging
    Logins by Customer Service and Support employees to instances are recorded as a login event.
    • Every action taken by the logged-in Customer Service and Support employee is added to the transaction log in the database.
    • It is also added to the instance log on the file system, which is inaccessible to most ServiceNow employees.
    • Customer Service and Support employee logins and actions are readily identifiable, since the user names all end in @snc (like frodo.baggins@snc).

    These actions provide you with easy-to-use, robust, and reliable security logging for non-employee access.

    Security processing flow

    When a Customer Service and Support employee wants to log into an instance, the security processing flow is as follows:

    1. A Customer Service and Support technician requests a login for the instance through hi.service-now.com.
    2. HI checks that the technician has the proper role authorizing access to instances.
    3. If the user has the proper role, HI sends the request for access to the Security Server.
    4. The Security Server verifies that the request came from the HI IP address, and evaluates the request (user, role, and IP address of the requester). If the request is valid, the Security Server approves it and constructs a token. This token contains the user name, roles, the instance ID, and the time (the start of the 4-hour token life span). Finally, the Security Server encrypts the token with the private encryption key.
    5. The Security Server sends the encrypted token to HI.
    6. HI sends the token to the Support technician's browser.
    7. The Support technician's browser initiates a login into the instance, using the special user name ending with @snc.
    8. The instance uses the public key to decrypt the token. To verify the token, the instance matches it to the user name supplied in the previous step, the instance ID, and the authorized time window. If the SNC Access Control plugin is enabled, the instance verifies that the user is:
      • Listed
      • Active
      • Configured to access the instance in the current time window
    9. If the user is authenticated, the instance creates a synthetic user in memory with the given roles. This user does not persist after the time limit expires, the user logs off, or the instance is restarted.
    Figure 1. ServiceNow security access process flow
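    The token check the instance performs in steps 8 and 9, as an added Go example that is not ServiceNow's code: the Security Server signs the payload with the private key (Ed25519 stands in for whatever primitive ServiceNow uses), and the instance, holding only the public key, verifies the signature, then the user and instance binding, the 4-hour window and, when the plugin is enabled, the access list. The field names, the shape of an access rule and all values are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"time"
)

// Token is the payload the Security Server signs (field names are assumptions).
type Token struct {
	User, Instance string
	Roles          []string
	IssuedAt       int64 // Unix seconds; start of the 4-hour life span
}
// AccessRule stands in for one SNC Access Control record; User "*" grants all employees.
type AccessRule struct {
	User       string
	Active     bool
	Start, End time.Time
}
// IssueToken runs on the Security Server, the only holder of the private key.
func IssueToken(priv ed25519.PrivateKey, t Token) (payload, sig []byte) {
	payload, _ = json.Marshal(t)
	return payload, ed25519.Sign(priv, payload)
}
// VerifyLogin runs on the instance (public key only). rules == nil models the plugin disabled.
func VerifyLogin(pub ed25519.PublicKey, payload, sig []byte, loginUser, instance string,
	now time.Time, rules []AccessRule) (*Token, error) {
	var t Token
	if !ed25519.Verify(pub, payload, sig) || json.Unmarshal(payload, &t) != nil {
		return nil, errors.New("token signature or encoding invalid")
	}
	if t.User != loginUser || t.Instance != instance {
		return nil, errors.New("token is bound to another user or instance")
	}
	issued := time.Unix(t.IssuedAt, 0)
	if now.Before(issued) || !now.Before(issued.Add(4*time.Hour)) {
		return nil, errors.New("token outside its 4-hour window")
	}
	if rules == nil { // plugin disabled: HI and Security Server checks suffice
		return &t, nil
	}
	for _, r := range rules { // plugin enabled: listed, active, and inside the window
		if r.Active && (r.User == "*" || r.User == t.User) && !now.Before(r.Start) && now.Before(r.End) {
			return &t, nil // caller builds the in-memory synthetic user from t.Roles
		}
	}
	return nil, errors.New("user not granted by SNC Access Control")
}
```

Note that an enabled plugin with an empty or non-matching list denies the login even though the token itself is valid, which is the "nobody can log in until you create records" behaviour described above.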

    Audit logging

    The following logging tracks logins and activity by Customer Service and Support employees:
    • Event logs: The event logs show all Customer Service and Support logins to an instance.
    • Transaction logs: The transaction logs show all activity on the instance, including any efforts to delete logs.
    Note:
    To learn more about this plugin, see Enable SNC access control plugin [Updated in Security Center 1.3] in Instance Security Hardening Settings.