Please use docs.servicenow.com for the latest documentation.

This site is for reference purposes only and may not be accurate for the latest ServiceNow version

Non-Interactive Sessions

From Wiki Archive
Jump to: navigation, search


Overview

The Non-Interactive Sessions plugin creates a distinction between interactive and non-interactive users.

  • Interactive users can log in to the ServiceNow UI and can use their credentials for SOAP connections if allowed by strict security. They can use their credentials for other API connections such as WSDL, JSON, XML, or XSD without restriction.
  • Non-interactive users can only use their credentials to authorize API connections such as JSON, SOAP, and WSDL. They cannot log in to the ServiceNow UI. The strict security high security setting determines if non-interactive users are subject to Contextual Security requirements.

Distinguishing between interactive and non-interactive users increases instance security by ensuring that users conform to the principle of least privilege.

This feature is available with the Calgary release.

Requiring Authentication

You can specify whether non-interactive connections require authentication from the High Security Settings module. A non-interactive connection bypasses the UI to connect to the instance at an API level. Typically, non-interactive connections use set protocols such as JSON, SOAP, XSD, or WSDL. By default, all non-interactive connections require authentication.

  1. Login with an administrator user with the security_admin role.
  2. Elevate your privileges to use security_admin.
  3. Navigate to System Security > High Security Settings.
  4. Select the matching "Requires authorization" option for the protocol you want to set. For example, Requires authorization for incoming SOAP requests.
  5. Select the checkbox to require authentication for the non-interactive connection method. Clear the checkbox to allow the non-interactive connection method to connect without providing any credentials.
Note
Note: Activating the Non-Interactive Sessions plugin on an existing system may prevent any existing users that authorize SOAP and WSDL-based integrations from logging in unless they already have the soap role. See Updating Web Service User Accounts for Strict Security to manually update existing integration users.


Activating the Plugin

The Non-Interactive Sessions plugin is active by default as of the Calgary release. For instances that upgrade to Calgary, request the plugin.

Creating Interactive Users

Interactive users have the following access rights. They can:

  • Use their user name and password to log in to the UI or a content management system (CMS) portal.
  • Connect to an instance from a URL that calls a UI page, form, or list (for example, https://<instance name>.service-now.com/incident.do).
  • Connect with single sign-on (for example, digest authentication or SAML).
  • Use their credentials to authorize SOAP connections if allowed by strict security.
  • Use their credentials to authorize any other type of API connection without restriction.

When you activate the Non-Interactive Sessions plugin all existing users automatically become interactive users. New users default to interactive users unless you manually make them non-interactive. Use the following steps to manually switch a non-interactive user back to an interactive user.

  1. Navigate to User Administration > Users.
  2. Search for the user you want to update. For example, System Administrator.
  3. Clear the Web Service Access Only check box.
  4. Click Update.

Creating Non-Interactive Users

Non-interactive users can only connect to ServiceNow from an API protocol. They cannot:

  • Use their user name and password to log in to the UI or a content management system (CMS) portal.
  • Connect to an instance from a URL that calls a UI page, form, or list (for example, https://<instance name>.service-now.com/incident.do).
  • Connect with single sign-on (for example, digest authentication or SAML).
  • Be used as the MID Server user.

After installing the Non-Interactive Sessions plugin, consider updating your existing web service user accounts to be non-interactive users.

  1. Navigate to User Administration > Users.
  2. Search for the user to be updated. For example, SOAP user.
  3. Select the Web Service Access Only check box.
  4. Click Update.
Note
Note: ServiceNow always uses any user name and password credentials supplied with a request even if the High Security Settings do not require authorization for a given API protocol. For example, if a SOAP request supplies a user name and password, the instance verifies those credentials even if SOAP requests do not require authorization. To avoid verifying user credentials, the request must not include them.


Updating Web Service User Accounts for Strict Security

If your instance requires strict security, add the soap role to any user accounts used for web services.

  1. Navigate to User Administration > Users.
  2. Select a web service user from the list.
  3. From the Roles related list, click Edit.
  4. Add soap to the Roles List.
  5. Click Save.
  6. Click Update.


Installed with the Plugin

The Non-Interactive Sessions plugin installs the following changes.

  • Adds a column Web Service Access Only [web_service_access_only] to the User [sys_user] table.
  • Changes all existing users to be interactive users (web_service_access_only=false).
  • Updates the User form to display the Web Service Access Only [web_service_access_only] field by default.