Skip to main content

Integrate with ServiceNow

Follow this step-by-step guide to allow SlashID to monitor and protect your ServiceNow instance. This integration enables SlashID to track users, groups, group memberships, and access-request governance (catalog items, request approvals, and self-approval / access-before-approval violations) across your ServiceNow environment.

Before starting

Before starting, ensure you have:

  • Administrator (admin) privileges in your ServiceNow instance, or the ability to create a dedicated integration user and role.
  • The ability to grant read access to the sys_user and sys_user_group tables, plus sys_user_grmember for group memberships and the access-request tables (sc_request, sc_req_item) if you want access-governance detections.
  • Your instance URL (e.g. https://yourcompany.service-now.com).
IP allowlisting

If your endpoint or tenant restricts traffic by source IP, allow connections from SlashID's egress IPs published at https://cdn.slashid.com/egress.json. The list is global and stable; the syncToken field changes whenever the IPs change, so you can use it to detect drift.

The file follows the JAFAR draft format (A JSON-Based Format for Publishing IP Ranges of Automated HTTP Clients), the same convention major cloud providers use to publish their IP ranges.

Choose an authentication method

SlashID supports two authentication methods. Pick one:

  • Basic authentication — a dedicated integration user's username and password. Simplest to set up.
  • OAuth 2.0 — a registered OAuth application (client ID + client secret). Recommended when your security policy discourages storing passwords.

Step 1: Create a dedicated integration user

  1. In ServiceNow, go to User Administration → Users → New.
  2. Fill in a descriptive User ID (e.g. slashid.integration) and set Web service access only to true so the account cannot log in interactively.
  3. Set a strong password (basic auth) and click Submit.
tip

A dedicated, least-privilege integration user keeps the sync auditable and easy to revoke.

Step 2: Grant read access

Create a custom role (e.g. u_slashid_read) and grant it read access, then assign it to the integration user.

Required

The integration cannot run without read access to these tables.

TableWhat we sync
sys_userUsers (including department)
sys_user_groupGroups

The sync degrades gracefully without these, but they unlock membership modeling, role/access modeling, access-request governance, OAuth grant visibility, and object-level access mapping.

TableWhat we sync
sys_user_grmemberGroup memberships — strongly recommended; without it users and groups sync but membership edges are missing
sys_user_role / sys_user_has_role / sys_group_has_role / sys_role_containsRoles and role assignments — what users and groups can actually access
sc_request / sc_req_itemAccess-request tickets
sc_cat_itemCatalog items
sysapproval_approverRequest approvals (self-approval, missing-approver, access-before-approval detections)
oauth_entity / oauth_credentialRegistered OAuth applications and the token grants issued to users
sys_security_acl / sys_security_acl_roleTable ACLs — which roles can read/write/delete which tables (usually requires security_admin read access)
note

SlashID only issues read-only queries against these tables. No records are created, updated, or deleted.

Step 3 (OAuth only): Register an OAuth application

Skip this step if you are using basic authentication.

  1. Go to System OAuth → Application Registry → New → Create an OAuth API endpoint for external clients.
  2. Fill in a Name (e.g. SlashID Identity Protection) and note the generated Client ID and Client Secret.
  3. Click Submit.
danger

Store the client secret securely — ServiceNow only displays it once. You will paste it into the SlashID Console in the next step.

note

ServiceNow issues OAuth tokens to integrations via the password grant: the token request combines the client ID/secret with the integration user's username and password. You therefore still need the integration user from Step 1 even when using OAuth — enter its credentials in the OAuth form fields in the SlashID Console.

Step 4: Create your ServiceNow ↔ SlashID Integration

Open the SlashID Console integrations page and create a new ServiceNow connection.

SlashID Console fieldDescriptionExample
Name of the connectionArbitrary name for this connectionServiceNow Production
Authoritative statusWhether ServiceNow identities are the primary source of truth when reconciling identities across providersPrimary or Secondary
Instance URLYour ServiceNow instance URLhttps://yourcompany.service-now.com
Authentication methodBasic or OAuth 2.0Basic
Username(Basic) The integration user's User IDslashid.integration
Password(Basic) The integration user's password
Client ID(OAuth) The OAuth application's client IDa1b2c3...
Client secret(OAuth) The OAuth application's client secret
Integration user username(OAuth) The integration user's User ID — required for ServiceNow's OAuth password grantslashid.integration
Integration user password(OAuth) The integration user's password

Optional: scope the governance sync

Three optional settings bound how much access-request data each sync pulls. On a mature instance the request and approval tables can hold millions of rows, so scoping them keeps syncs fast and focused on the tickets you care about.

SettingWhat it doesExample
Category filtersOnly sync access requests whose catalog item belongs to one of these categories. Useful when only a subset of your ServiceNow catalog represents access (as opposed to hardware, facilities, etc.).Access Management, IAM
Lookback daysHow far back to fetch requests, request items, and approvals on a full sync. Defaults to 90 days; incremental syncs only fetch changes since the last successful sync regardless of this value.90
Query filterAn advanced escape hatch: a raw ServiceNow sysparm_query string that replaces the generated request filters entirely. Use only if the category and lookback filters can't express what you need.cat_item.category.name=IAM^opened_at>=2026-01-01
note

These settings scope the access-request/governance data only — users, groups, memberships, roles, and OAuth grants are always synced in full so the identity graph stays complete.

Verification

Once connected, SlashID runs a preflight check that validates your credentials and confirms read access to the required tables. After the first sync completes you will see:

  • ServiceNow users and groups in the Identities view (under the NHI tab).
  • Group memberships as relationships in the identity graph.
  • If the access-request tables are readable: catalog items and access requests as resources, plus access-governance detections (Self-Approval, Missing Approver, Access Before Approval, Stale Approved Access).

Troubleshooting

401 Unauthorized / authentication failed : The username/password or OAuth client credentials are incorrect, or the integration user is locked. Verify the credentials and that the account is active. For OAuth, confirm the client ID and secret match the Application Registry entry.

403 Forbidden / permission errors on a table : The integration user's role is missing read access to that table. Grant read ACL on sys_user and sys_user_group (required), on sys_user_grmember for group memberships, and on the sc_request / sc_req_item / sysapproval_approver tables for access-governance data. The preflight check reports exactly which table failed.

Access-request detections not appearing : These require read access to the access-request and approval tables. Confirm the optional tables in Step 2 are readable — the sync degrades gracefully and will still sync users and groups without them.