On Slack someone asked me to post about service accounts.
Could anyone define some advantages of using a service account rather than a user account when it comes to integrations?
There were three pros right away:
- Doesn't depend on user being employed
- Generally can be excused from password reset policies
- Granular permissions
How one is made
Check the "Web Services Access Only" box on the user account. It's part of the Non-Interactive Session Plugin.
Now this is where this post was going to end. I had gone into how I do service accounts.
How I manage them
- Create a group called "ServiceNow Service Accounts"
- We have a process in place: when someone wants to be added to a group, they submit an item. It has an approval to the manager. If approved, a script adds them to the group. Otherwise they don't get added.
- Once added to the group, the roles attached, itil and rest_api_explorer, are given. You could add other older roles like the SOAP roles, but we encourage REST.
- Let the owner of the service account figure out their calls.
- Once those calls are sorted, remove GUI access.
We use SSO so users can't use their personal account to do the REST calls outside of the browser. We make the new user have a manager of the person who is asking for the service account. If the service account needs more access, we can add it to other groups where the access is proper. I do intend to write up something or link to something to help convey what the APIs are they have access to, but generally I point them to the REST API Explorer.
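One way to check accounts against the process above, as an added example that is not part of the original post. It assumes user records exported through the Table API with each user's group names and role rows already joined in as `groups` and `roles` (that shape, the finding texts and the sample values are assumptions; `web_service_access_only`, `manager` and `granted_by` are the platform field names).

```javascript
// Added example: audits service accounts against the process in the post.
// Assumed input: sys_user rows from the Table API, with group names joined in
// as `groups` and sys_user_has_role rows joined in as `roles`.
const SERVICE_GROUP = "ServiceNow Service Accounts";

// The Table API returns booleans as "true"/"false" strings and references as
// {value, link} objects, or "" when the reference is empty.
const isTrue = (v) => v === true || v === "true";
const refValue = (v) => (v && typeof v === "object" ? v.value : v) || "";

function auditServiceAccount(user) {
  const findings = [];
  if (!user.groups.includes(SERVICE_GROUP)) {
    findings.push("not in service account group");
  }
  if (!isTrue(user.web_service_access_only)) {
    findings.push("GUI access still enabled");
  }
  if (!refValue(user.manager)) {
    findings.push("no manager set");
  }
  for (const role of user.roles) {
    // Roles should arrive through an approved group, not a direct grant.
    if (!refValue(role.granted_by)) {
      findings.push(`role ${role.name} granted directly`);
    }
  }
  return findings;
}

// Constructed sample records (placeholders, not real accounts or sys_ids).
const viaGroup = (name) => ({ name, granted_by: { value: "GROUP_SYS_ID_PLACEHOLDER" } });
const sampleUsers = [
  { user_name: "svc.monitoring", groups: [SERVICE_GROUP],
    web_service_access_only: "true", manager: { value: "MANAGER_SYS_ID_PLACEHOLDER" },
    roles: [viaGroup("itil"), viaGroup("rest_api_explorer")] },
  { user_name: "svc.hr_feed", groups: [SERVICE_GROUP],
    web_service_access_only: "false", manager: "",
    roles: [viaGroup("itil"), { name: "admin", granted_by: "" }] },
];

// Map each user_name to its list of findings (empty list means compliant).
function auditAll(users) {
  return Object.fromEntries(users.map((u) => [u.user_name, auditServiceAccount(u)]));
}

console.log(JSON.stringify(auditAll(sampleUsers), null, 2));
```

An account still in the "figure out their calls" stage will show "GUI access still enabled" until the last step of the process is done.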
Further Reading: https://community.servicenow.com/community?id=community_blog&sys_id=b4fca2a5dbd0dbc01dcaf3231f961900