Setting Up ServiceNow Scopes and Roles for Non-Admin Integrations

Last updated: April 2, 2026

This guide explains the minimum roles and Access Control Lists (ACLs) a user needs in ServiceNow to allow your integration (such as Merge) to read and write data through the ServiceNow REST API.

Using these scoped permissions ensures least-privilege access while maintaining full compatibility with core ITSM and CSM functionality.

Overview

ServiceNow uses roles and ACLs to control who can read, create, and update data.

By default, only admins can query system and Customer Service Management (CSM) tables. To integrate using a non-admin user, you must explicitly grant table-level permissions for the data your integration will access.

Create a Custom Role

  1. Navigate to All → User Administration → Roles → New

  2. Fill out:

    • Name/Suffix: integration_role (or any custom name)

    • Description: Custom role for non-admin API access

  3. Click Save

You’ll see a generated name like:

x_<instance_prefix>_integration_role

This role will be used in all ACLs and assigned to your integration user.

Create a Non-Admin Integration User

If the integration user doesn’t exist yet:

  1. Go to All → User Administration → Users → New

  2. Fill out:

    • User ID: integration_user

    • Active:

    • (Optional) Web service access only: enables API-only access

    • (Optional) First name / Last name / Email: recommended

  3. Click Set Password to assign a local password (required for Basic Auth)

  4. Make sure Password needs reset is unchecked

  5. Click Save

Assign the Role to the User

  1. Open your integration user record

  2. Scroll to Roles → Edit

  3. Search for and add the role you created:

    • x_<instance_prefix>_integration_role

  4. (Optional) If your integration also needs ITSM data like Incidents or Tasks, add:

    • itil

    • snc_platform_rest_api_access

  5. Click Save.

Your user now has a scoped role that will be used for ACL permissions.

Create Custom ACLs (Access Control Rules)

Before creating a custom ACL, make sure the account you are using is allowed to create ACLs. You can do this manually by using Elevate role and enabling the security_admin role for that user.


ServiceNow ACLs define which roles can perform actions on which tables or fields.

You must create one ACL per table (or field) and per operation type (read, write, create).

Go to:
All → System Security → Access Control (ACL) → New


Fill out these fields:

| Field | Value |
| --- | --- |
| Type | record |
| Operation | read (or write, create, as needed) |
| Name | Table name (e.g. sys_user) |
| Requires role | Your custom role (e.g. x_<instance_prefix>_merge_test_integration) |


Click Submit.

Repeat this for every table you need access to.

Add ACLs for Each Required Scope

Each ServiceNow “scope” (table) must have its own ACL.
Below is a complete list of common API endpoints, what they do, and what role or ACL grants access.

Core systems table

| Table | Required role | ACL description |
| --- | --- | --- |
| /now/table/sys_user | Custom ACL for sys_user (read) | User records (needed for user lookups like opened_by, assigned_to) |
| /now/table/sys_dictionary | personalize_dictionary or custom ACL | Field and schema metadata |
| /now/table/sys_choice | personalize_choices or custom ACL | Dropdown / picklist values |
| /now/table/sys_db_object | Custom ACL for sys_db_object (read) | Database table metadata |
| /now/table/sys_attachment | itil or custom ACL (read, create) | File attachments on records |
| /now/table/sys_journal_field | itil or custom ACL (read, create) | Comments and work notes |

Customer service management

| Table | Required role | ACL description |
| --- | --- | --- |
| /now/table/csm_consumer | sn_customerservice_agent or custom ACL (read, write) | Customer/consumer records |
| /now/table/sn_customerservice_case | sn_customerservice_agent or custom ACL | Customer Service cases |

ITSM and Task management

| Table | Required role | ACL description |
| --- | --- | --- |
| /now/table/task, /incident, /problem, /sc_task, /sc_request | itil | Incident, problem, and request records |

Additional Scopes to Include in Custom ACLs

These system tables are frequently queried by integrations. Add read ACLs for your custom role to prevent 403 errors.

| Table | What it represents | Why it's needed | Grants access to |
| --- | --- | --- | --- |
| sys_user | User directory | Needed for user lookups | /now/table/sys_user |
| sys_dictionary | Field definitions | Needed for metadata and schema introspection | /now/table/sys_dictionary |
| sys_choice | Choice-list values | Needed for dropdown and picklist labels | /now/table/sys_choice |
| sys_db_object | Table registry | Needed to enumerate available tables | /now/table/sys_db_object |
| sys_attachment | File attachments | Needed to read or upload attachments | /now/table/sys_attachment |
| sys_journal_field | Comments / work notes | Needed to read or post ticket comments | /now/table/sys_journal_field |
| csm_consumer | Customer/consumer records | Needed to link CSM cases to users | /now/table/csm_consumer |
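
To confirm that the read ACLs listed above took effect, the following added example (not part of the original guide, and not Merge or ServiceNow code) requests one row from each table through the Table API as the integration user with Basic Auth and reports which tables still return 403. The instance URL and credentials given on the command line are placeholders; `sysparm_limit` and `sysparm_fields` are standard Table API query parameters.

```python
import base64
import json
import urllib.error
import urllib.request

# Tables from the "Additional Scopes" list on this page.
READ_TABLES = ["sys_user", "sys_dictionary", "sys_choice", "sys_db_object",
               "sys_attachment", "sys_journal_field", "csm_consumer"]

def classify(status, row_count):
    """Map one Table API response to a finding for the ACL checklist."""
    if status == 200:
        # Zero rows is ambiguous: the table may be empty, or record-level
        # ACLs may be hiding every row from this user.
        return "ok" if row_count > 0 else "no rows visible"
    if status == 401:
        return "authentication failed"
    if status == 403:
        return "missing read ACL or role"
    return f"unexpected HTTP {status}"

def probe(instance_url, user, password, table, timeout=15):
    """GET one row from a table as the integration user; return (status, rows)."""
    url = (f"{instance_url}/api/now/table/{table}"
           "?sysparm_limit=1&sysparm_fields=sys_id")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Authorization": f"Basic {token}", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, len(json.load(resp).get("result", []))
    except urllib.error.HTTPError as err:
        return err.code, 0

def audit(fetch, tables=READ_TABLES):
    """Call fetch(table) -> (status, rows) per table; return {table: finding}."""
    return {t: classify(*fetch(t)) for t in tables}

if __name__ == "__main__":
    import getpass
    import sys
    base = sys.argv[1].rstrip("/")   # placeholder: https://<instance>.service-now.com
    user = sys.argv[2]               # placeholder: integration_user
    pw = getpass.getpass("Password: ")
    for table, finding in audit(lambda t: probe(base, user, pw, t)).items():
        print(f"{table:20} {finding}")
```

Running the same probe against a table the integration should not reach is a quick way to confirm the role has not been granted more than intended.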

User and Role Data

To minimize privilege, use your custom integration role with targeted read ACLs for user-related tables.

| Table | Purpose | Required role / ACL |
| --- | --- | --- |
| /now/table/sys_user | User records | user_admin or custom read ACL |
| /now/table/sys_user_has_role | Role assignments | security_admin or custom read ACL |
| /now/table/sys_user_group | User groups (Teams) | user_admin or custom read ACL |
| /now/table/sys_user_sysgrmember | Group memberships | user_admin or custom read ACL |
| /now/table/sys_db_object | Table metadata | Custom read ACL (admin-only by default) |

Tickets (Tasks, Incidents, Requests, Problems, Cases)

The itil role grants full CRUD access to ITSM “task” tables, including incidents, problems, and catalog tasks.

If integrating with CSM, add sn_customerservice_agent.

| Table | Purpose | Required role / ACL |
| --- | --- | --- |
| /now/table/task | Base task table | itil |
| /now/table/incident | Incident management | itil |
| /now/table/problem | Problem management | itil |
| /now/table/sc_request | Service catalog requests | itil or catalog_read |
| /now/table/sc_task | Service catalog tasks | itil or catalog_task |
| /now/table/sn_customerservice_case | CSM cases | sn_customerservice_agent |

Comments (Journal Fields)

Journal fields (comments, work notes) inherit ACLs from their parent record.

If your integration can read/write incidents or tasks, it can usually access related journal fields automatically.

| Table | Purpose | Required role / ACL |
| --- | --- | --- |
| /now/table/sys_journal_field | Comments, work notes, and activity logs | itil or custom ACL |

Attachments

Attachments inherit permissions from their parent record.
Your integration user must have read access to one of the parent tables (e.g., incident, task, sn_customerservice_case).

| Table | Purpose | Required role / ACL |
| --- | --- | --- |
| /now/table/sys_attachment | Attachment metadata | admin, itil, sn_customerservice_agent, or custom ACL |

Writing Tickets (POST Access)

To create new tickets via the Table API (POST /api/now/table/<table_name>), your user must have create ACLs or roles granting write access.

| Table | Purpose | Required role |
| --- | --- | --- |
| /now/table/incident | Create incidents | itil |
| /now/table/problem | Create problems | itil |
| /now/table/task | Create generic tasks | itil |
| /now/table/sc_task | Create catalog tasks | itil |
| /now/table/sc_request | Create service requests | itil or catalog_admin |
| /now/table/sn_customerservice_case | Create customer cases | sn_customerservice_agent |