Integrate with ServiceNow
Follow this step-by-step guide to allow SlashID to monitor and protect your ServiceNow instance. This integration enables SlashID to track users, groups, group memberships, and access-request governance (catalog items, request approvals, and self-approval / access-before-approval violations) across your ServiceNow environment.
Before starting
Before starting, ensure you have:
- Administrator (
admin) privileges in your ServiceNow instance, or the ability to create a dedicated integration user and role. - The ability to grant read access to the
sys_userandsys_user_grouptables, plussys_user_grmemberfor group memberships and the access-request tables (sc_request,sc_req_item) if you want access-governance detections. - Your instance URL (e.g.
https://yourcompany.service-now.com).
If your endpoint or tenant restricts traffic by source IP, allow connections from SlashID's egress IPs published at https://cdn.slashid.com/egress.json. The list is global and stable; the syncToken field changes whenever the IPs change, so you can use it to detect drift.
The file follows the JAFAR draft format (A JSON-Based Format for Publishing IP Ranges of Automated HTTP Clients), the same convention major cloud providers use to publish their IP ranges.
Choose an authentication method
SlashID supports two authentication methods. Pick one:
- Basic authentication — a dedicated integration user's username and password. Simplest to set up.
- OAuth 2.0 — a registered OAuth application (client ID + client secret). Recommended when your security policy discourages storing passwords.
Step 1: Create a dedicated integration user
- In ServiceNow, go to User Administration → Users → New.
- Fill in a descriptive User ID (e.g.
slashid.integration) and set Web service access only totrueso the account cannot log in interactively. - Set a strong password (basic auth) and click Submit.
A dedicated, least-privilege integration user keeps the sync auditable and easy to revoke.
Step 2: Grant read access
Create a custom role (e.g. u_slashid_read) and grant it read access, then assign it to the integration user.
Required
The integration cannot run without read access to these tables.
| Table | What we sync |
|---|---|
sys_user | Users (including department) |
sys_user_group | Groups |
Recommended
The sync degrades gracefully without these, but they unlock membership modeling, role/access modeling, access-request governance, OAuth grant visibility, and object-level access mapping.
| Table | What we sync |
|---|---|
sys_user_grmember | Group memberships — strongly recommended; without it users and groups sync but membership edges are missing |
sys_user_role / sys_user_has_role / sys_group_has_role / sys_role_contains | Roles and role assignments — what users and groups can actually access |
sc_request / sc_req_item | Access-request tickets |
sc_cat_item | Catalog items |
sysapproval_approver | Request approvals (self-approval, missing-approver, access-before-approval detections) |
oauth_entity / oauth_credential | Registered OAuth applications and the token grants issued to users |
sys_security_acl / sys_security_acl_role | Table ACLs — which roles can read/write/delete which tables (usually requires security_admin read access) |
SlashID only issues read-only queries against these tables. No records are created, updated, or deleted.
Step 3 (OAuth only): Register an OAuth application
Skip this step if you are using basic authentication.
- Go to System OAuth → Application Registry → New → Create an OAuth API endpoint for external clients.
- Fill in a Name (e.g.
SlashID Identity Protection) and note the generated Client ID and Client Secret. - Click Submit.
Store the client secret securely — ServiceNow only displays it once. You will paste it into the SlashID Console in the next step.
ServiceNow issues OAuth tokens to integrations via the password grant: the token request combines the client ID/secret with the integration user's username and password. You therefore still need the integration user from Step 1 even when using OAuth — enter its credentials in the OAuth form fields in the SlashID Console.
Step 4: Create your ServiceNow ↔ SlashID Integration
Open the SlashID Console integrations page and create a new ServiceNow connection.
| SlashID Console field | Description | Example |
|---|---|---|
| Name of the connection | Arbitrary name for this connection | ServiceNow Production |
| Authoritative status | Whether ServiceNow identities are the primary source of truth when reconciling identities across providers | Primary or Secondary |
| Instance URL | Your ServiceNow instance URL | https://yourcompany.service-now.com |
| Authentication method | Basic or OAuth 2.0 | Basic |
| Username | (Basic) The integration user's User ID | slashid.integration |
| Password | (Basic) The integration user's password | — |
| Client ID | (OAuth) The OAuth application's client ID | a1b2c3... |
| Client secret | (OAuth) The OAuth application's client secret | — |
| Integration user username | (OAuth) The integration user's User ID — required for ServiceNow's OAuth password grant | slashid.integration |
| Integration user password | (OAuth) The integration user's password | — |
Optional: scope the governance sync
Three optional settings bound how much access-request data each sync pulls. On a mature instance the request and approval tables can hold millions of rows, so scoping them keeps syncs fast and focused on the tickets you care about.
| Setting | What it does | Example |
|---|---|---|
| Category filters | Only sync access requests whose catalog item belongs to one of these categories. Useful when only a subset of your ServiceNow catalog represents access (as opposed to hardware, facilities, etc.). | Access Management, IAM |
| Lookback days | How far back to fetch requests, request items, and approvals on a full sync. Defaults to 90 days; incremental syncs only fetch changes since the last successful sync regardless of this value. | 90 |
| Query filter | An advanced escape hatch: a raw ServiceNow sysparm_query string that replaces the generated request filters entirely. Use only if the category and lookback filters can't express what you need. | cat_item.category.name=IAM^opened_at>=2026-01-01 |
These settings scope the access-request/governance data only — users, groups, memberships, roles, and OAuth grants are always synced in full so the identity graph stays complete.
Verification
Once connected, SlashID runs a preflight check that validates your credentials and confirms read access to the required tables. After the first sync completes you will see:
- ServiceNow users and groups in the Identities view (under the NHI tab).
- Group memberships as relationships in the identity graph.
- If the access-request tables are readable: catalog items and access requests as resources, plus access-governance detections (Self-Approval, Missing Approver, Access Before Approval, Stale Approved Access).
Troubleshooting
401 Unauthorized / authentication failed
: The username/password or OAuth client credentials are incorrect, or the integration user is locked. Verify the credentials and that the account is active. For OAuth, confirm the client ID and secret match the Application Registry entry.
403 Forbidden / permission errors on a table
: The integration user's role is missing read access to that table. Grant read ACL on sys_user and sys_user_group (required), on sys_user_grmember for group memberships, and on the sc_request / sc_req_item / sysapproval_approver tables for access-governance data. The preflight check reports exactly which table failed.
Access-request detections not appearing : These require read access to the access-request and approval tables. Confirm the optional tables in Step 2 are readable — the sync degrades gracefully and will still sync users and groups without them.