ServiceNow best practices for managing accounts

Best practices on managing service accounts (non-human accounts)

Why Use Service Accounts Instead of Personal Accounts

According to ServiceNow's best practices:

• Service accounts are user accounts created specifically for integrations and automated tasks.
• They should be restricted to API access only (e.g., REST, SOAP, JSON, WSDL).
• Avoid using personal user accounts for integrations to:
• Improve security (least privilege principle)
• Enhance auditability (clear traceability in logs)
• Simplify troubleshooting (distinct activity tracking)

How to Set Up a Service Account in ServiceNow

• Create a dedicated user in the User table for each integration
• Use a clear naming convention to identify the integration purpose
• Enable the “Web service access only” checkbox to restrict UI login
• Assign only the necessary roles (e.g., rest_service, soap, itil) based on the integration's needs
• Be aware of the glide.soap.strict_security property, which enforces role-based access for SOAP integrations

Additional Tips

• One account per integration is ideal for clarity and control
• Regularly review and rotate credentials
• Monitor service account activity via Created by / Updated by fields in logs
• Avoid over-privileging service accounts - grant only what’s needed

Sources:

• User account or service account? What to use for web service tasks
• How to create Non Human User in ServiceNow
• Ten (10) Crucial Best Practices for Managing Users and Groups in ServiceNow
• ServiceNow Seven Best Practices for User and Group Management: A Guide for Platform Administrators
• How to Manage and Secure Service Accounts: Best Practices
• Best Practice for Notating a Service Account
• Creation and use of Service Account in servicenow.
• Account management practices

Is it recommended to assign the admin role to a service account?

No, it is not recommended to assign the admin role directly to a service account in ServiceNow; instead, you should assign the role to a group and then add the service account to that group. Best practices involve adhering to the principle of least privilege, granting only necessary access for the account's function, using specific roles like catalog_admin or report_admin instead of the all-powerful admin role when possible, and managing roles through groups for consistency and easier administration. 

Reasons not to assign the admin role directly to a service account:

• Security and Least Privilege: The admin role provides extensive permissions to bypass most Access Control Lists (ACLs), which poses a significant security risk if the account is compromised
• Auditing and Compliance: Separating admin access from a primary user account makes it easier to track the activities performed by the admin capability, supporting compliance and separation of duties
• Consistency and Management: Assigning roles through groups ensures that role assignments are consistent across the platform and simplifies the process of adding or removing functionality
• Licensing: Assigning roles to groups is also a more cost-effective approach to managing user licenses

Recommended Approach: 

1. Create a Group: Create a dedicated group (e.g., "Integration Administrators")
2. Assign the Role to the Group: Assign the necessary administrative roles to this new group
3. Add the Service Account to the Group: Add the service account to the group, allowing it to inherit the required roles and permissions

Alternatives to the Admin Role:

• Application-Specific Roles: If the service account is for a specific application (e.g., Service Catalog, Reporting), assign the more granular administrative roles available for those applications, such as catalog_admin or report_admin
• Web Service Access: For integration accounts, ensure the "Web service access only" checkbox is enabled on the user record to prevent UI logins

Best practices on managing admin accounts

1. Use the Out-of-the-Box Admin Account Cautiously

• The default System Administrator account has special privileges not available to other users, even those with the admin role
• Do not delete this account - it’s foundational and required for certain system processes
• If locked out, reactivation must be done via Now Support, not locally
  

2. Enforce Strong Password Policies

• For local admin accounts, enforce a minimum 12-character password with a mix of digits, symbols, and upper/lowercase letters
• Consider enabling multi-factor authentication (MFA) for all admin-level users

 3. Avoid Shared Admin Accounts

• Assign named admin accounts to individuals for accountability and auditability
• Avoid using shared credentials - this hinders traceability and violates security best practices

4. Apply the Principle of Least Privilege

• Only grant the admin role to users who absolutely need it
• For specific tasks, consider creating custom roles with limited permissions instead of giving full admin access

5. Monitor and Audit Admin Activity

• Regularly review:
• Who has the admin role
• What changes are being made
• Login activity and anomalies
• Use audit logs and reporting tools to track admin actions

6. Rotate and Review Access Periodically

• Conduct quarterly or biannual reviews of admin access
• Remove admin rights from users who no longer need them
• Rotate credentials for local admin accounts regularly

 7. Train and Support Admins

• Ensure admins are trained on:
• Platform architecture
• Security best practices
• Upgrade and patching processes
• ServiceNow offers admin training paths and certifications

Source:

• Best practices on managing admin accounts