Set up a read-only connection
~5 minutes on your ServiceNow instance. You create a read-only user and an OAuth app; InstanceGuard only ever reads. We physically cannot write — every call is HTTP GET, enforced in code.
1. Create a read-only integration user
- User Administration → Users → New. Set
User IDe.g.svc_instanceguard_ro. Check Web service access only and Internal Integration User. - Assign the
snc_read_onlyrole. This makes the account read-only at the platform level — writes are blocked by ServiceNow itself, regardless of any other role. We check for this and show it as the strongest guarantee. - Do not grant
admin,itil, or any*_admin/*_writerole. If we detect write-capable roles, we refuse the connection.
2. Register an OAuth application
- System OAuth → Application Registry → New → Create an OAuth API endpoint for external clients.
- Name it e.g.
InstanceGuard. Leave the Client Secretauto-generated. Save. - Copy the Client ID and Client Secret — you'll paste them into InstanceGuard. The secret is shown once; store it in Vault on our side.
3. Bind the OAuth app to the read-only user (client_credentials)
So InstanceGuard can authenticate non-interactively without a password.
- On the OAuth app, add an OAuth Entity Profile (or via OAuth Entity Scopes) enabling the
client_credentialsgrant type. - Set the profile's run-as / default user to your
svc_instanceguard_rointegration user. Tokens issued to this app then act as that read-only user. - (Requires Tokyo or later for client_credentials. On older releases, use the authorization_code grant with the integration user instead — contact us and we'll switch the connection mode.)
4. Connect
Paste the instance URL, Client ID, and Client Secret into New connection. We immediately:
- request a token via
client_credentials(no password stored), - resolve which user the token authenticates as,
- enumerate that user's roles, and
- refuse the connection if any write-capable role is present — surfaced in the UI as a trust signal.