Minimum privileges required for ServiceNow integration

This article outlines the minimum privileges required to set up and use the ServiceNow integration effectively.

Privileges required for an admin 

The admin is responsible for configuring the instance for agents. These are administrative privileges and should not be assigned to regular agents.

| Role | Purpose |
| --- | --- |
| sn_openframe_admin | Grants access to the OpenFrame Configurations module where you can create, update, and manage OpenFrame configurations |
| admin | If the sn_openframe_admin role is not explicitly assigned, the admin role provides access to all configuration modules, including OpenFrame |

Privileges required for an agent

| Role | Purpose | Notes |
| --- | --- | --- |
| sn_openframe_user | Provides access to the OpenFrame widget and CTI integrations; required for using communication tools integrated into the workspace | |
| workspace_user | Grants general access to workspaces | |
| sn_customerservice_agent | Grants access to Customer Service Management functionality; allows working with cases, accounts, contacts, and related records; grants access to customer accounts (customer_account), contacts (customer_contact), consumer records (csm_consumer), and case management (sn_customerservice_case) | Either this or ITIL role must be added in order to access respective workspaces |
| sn_customerservice.consumer_agent | Enables agents to work with consumers within the CSM module; view, create, and update individual consumer profiles stored in the csm_consumer table | Requires user_admin role or ACL to create/update consumer records |
| itil | Required if agents need to interact with ITSM records like incidents or changes within the CSM Workspace; to provide access to Service Operations Workspace | |
| user_admin | Grants full permissions to manage user records (create, read, update, delete) and manage user roles | Agent cannot create/update sys_user/contact/consumer records without this role |
| customer_contact_manager | Provides full CRUD (create, read, update, delete) access to the customer_contact table | |
| x_zvmi_zcc_int.zcc_phone_log_user | Provides full CRUD (create, read, update, delete) access to the PhoneCallLog data in table x_zvmi_zcc_int_phone_log; this role contains the following roles: workspace_user, sn_openframe_user | |

Different use cases and required roles/privileges

| Use case | Operation | ACL Requirement | Role(s) required |
| --- | --- | --- | --- |
| Get a sys_user record | Read | Requires ACL with read permission | snc_internal or custom role with ACL on sys_user table |
| Update a sys_user record | Write | Requires ACL with write permission | user_admin, or custom role with ACL on sys_user table |
| Create a sys_user record | Create | Requires ACL with create permission | user_admin, or custom role with ACL on sys_user table |
| Delete a sys_user record | Delete | Requires ACL with delete permission | admin, user_admin or custom role with ACL on sys_user table |
| Get a customer_contact record | Read | Requires ACL with read permission | sn_customerservice_agent, csm_ws_integration, or custom role with ACL on customer_contact table |
| Update a customer_contact record | Write | Requires ACL with write permission | user_admin, customer_contact_manager, csm_ws_integration or custom role with ACL on customer_contact table |
| Create a customer_contact record | Create | Requires ACL with create permission | user_admin, customer_contact_manager, csm_ws_integration or custom role with ACL on customer_contact table |
| Delete a customer_contact record | Delete | Requires ACL with delete permission | user_admin, customer_contact_manager, csm_ws_integration or custom role with ACL on customer_contact table |
| Interaction records | | Requires ACL with read, write, create permission on a custom role | sn_customerservice_agent (for agents in CSM), itil (for agents in ITSM) |
| sn_customerservice_case record | | Requires ACL with read, write, create permission on a custom role | sn_customerservice_agent |
| incident record | | Requires ACL with read, write, create permission on a custom role | itil |
| OpenFrame window access | View | | sn_openframe_user, sn_customerservice_agent (if openframe used in CSM env), sn_customerservice.consumer_agent, itil (if openframe used in ITSM env) |
| Creating OpenFrame configuration | Create | | admin, sn_openframe_admin (if available on the instance) |
| Read Phone Call log data | Read | Requires ACL with read, write, create permission on a custom role | x_zvmi_zcc_int.zcc_phone_log_user |
| Update Phone Call log data | Write | Requires ACL with read, write, create permission on a custom role | x_zvmi_zcc_int.zcc_phone_log_user |
| Create Phone Call log data | Create | Requires ACL with read, write, create permission on a custom role | x_zvmi_zcc_int.zcc_phone_log_user |
| Delete Phone Call log data | Delete | Requires ACL with read, write, create permission on a custom role | x_zvmi_zcc_int.zcc_phone_log_user |

How to customize Access Control Rules (ACLs)

To prevent granting excessive permissions, adjust the following ACLs to provide specific table access where roles alone are insufficient:

  • sys_user Table:
    • Allow the user_admin role to manage user records.
    • If only limited access is required, create a custom ACL to grant create/update permissions while restricting delete access.
  • customer_contact Table:
    • By default, customer_contact_manager can delete records. If this is not required, modify the Delete ACL to exclude this role or replace it with a custom role (e.g., customer_contact_editor).
  • csm_consumer Table:
    • Ensure the sn_customerservice_agent role has appropriate CRUD permissions to manage consumer records.

How to create custom roles for agents

If a customer wants agents to access these tables without assigning broad roles like itil or sn_customerservice_agent, they can create a custom role and configure ACL rules for each table.

  1. Create a new role:
    • Navigate to System Security then Roles.
    • Create a new role, for example, zcc_agent_access.
  2. Update ACLs for the Tables:
    • Go to System Security then Access Control (ACL).
    • Search for ACL rules in the following tables:
      • Interaction (interaction)
      • Case (sn_customerservice_case)
      • Incident (incident)
    • Add the custom role (zcc_agent_access) to the Requires Role list for create, read, and write operations.
  3. Assign the role to agents:
    • Assign the custom role to the users or groups who need access.
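
Once roles are assigned, the result can be checked against the role tables above. The following is an added example, not part of the integration or of ServiceNow: it audits explicit role assignments, supplied as rows shaped like a sys_user_has_role export, and reports admin-only roles held by agents, missing baseline roles, and broad roles worth reviewing. The sample accounts are constructed, and the REVIEW list is an assumption drawn from the ACL guidance above.

```javascript
// Added example: audit explicit agent role assignments against this article's tables.
const ADMIN_ONLY = new Set(["admin", "sn_openframe_admin"]); // reserved for the admin
// Assumption: roles worth a second look, since the ACL section suggests narrowing them.
const REVIEW = new Set(["user_admin", "customer_contact_manager"]);
// Containment stated in the agent table.
const CONTAINS = new Map([
  ["x_zvmi_zcc_int.zcc_phone_log_user", ["workspace_user", "sn_openframe_user"]],
]);
// Each group is satisfied by any one of its roles.
const AGENT_REQUIRED = [["sn_openframe_user"], ["workspace_user"],
  ["sn_customerservice_agent", "itil"]];

// Expand directly assigned roles with the roles they contain.
function effectiveRoles(direct) {
  const seen = new Set();
  const stack = [...direct];
  while (stack.length > 0) {
    const role = stack.pop();
    if (seen.has(role)) continue;
    seen.add(role);
    stack.push(...(CONTAINS.get(role) || []));
  }
  return seen;
}

// rows: [{ user, role }], one entry per explicit assignment.
function auditAgents(rows) {
  const byUser = new Map();
  for (const { user, role } of rows) {
    if (!byUser.has(user)) byUser.set(user, []);
    byUser.get(user).push(role);
  }
  const report = Object.create(null);
  for (const [user, direct] of byUser) {
    const effective = effectiveRoles(direct);
    report[user] = {
      adminOnly: direct.filter((r) => ADMIN_ONLY.has(r)).sort(),
      review: direct.filter((r) => REVIEW.has(r)).sort(),
      missing: AGENT_REQUIRED.filter((g) => !g.some((r) => effective.has(r)))
        .map((g) => g.join(" or ")),
    };
  }
  return report;
}

// Constructed sample assignments (not real accounts).
const SAMPLE = [
  ["agent.a", "x_zvmi_zcc_int.zcc_phone_log_user"], ["agent.a", "sn_customerservice_agent"],
  ["agent.b", "sn_openframe_user"], ["agent.b", "admin"], ["agent.b", "user_admin"],
].map(([user, role]) => ({ user, role }));
console.log(JSON.stringify(auditAgents(SAMPLE), null, 2));
```

The audit looks only at explicitly assigned roles, so an account holding admin still shows its missing baseline roles alongside the adminOnly finding.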