Non-interactive sessions

The Non-Interactive Sessions plugin creates a distinction between interactive and non-interactive users.

Interactive users
New users added to the instance automatically become interactive users. Interactive users can perform the following actions:
  • Use their user name and password to log in to the UI or a service portal.
  • Connect to an instance from a URL that calls a UI page, form, or list, for example, https://<instance name>.service-now.com/incident.do.
  • Connect with single sign-on, for example, digest authentication or SAML.
  • Use their credentials to authorize SOAP connections if allowed by strict security.
  • Use their credentials for other API connections such as WSDL, JSON, XML, or XSD without restriction.
Non-interactive users
Non-interactive users can only use their credentials to authorize API connections such as JSON, SOAP, and WSDL. They cannot log in to the ServiceNow UI. The strict security setting in High Security Settings determines whether non-interactive users are subject to Contextual Security requirements.

Distinguishing between interactive and non-interactive users increases instance security by ensuring that users conform to the principle of least privilege.

Installed with Non-Interactive Sessions

Note: Non-Interactive Sessions is enabled for all new instances since the Calgary release. If you do not see it in the list of plugins, request it using the Activate Plugin service catalog item in HI.
  • Adds a column Web Service Access Only [web_service_access_only] to the User [sys_user] table.
  • Changes all existing users to be interactive users (web_service_access_only=false).
  • Updates the User form to display the Web Service Access Only [web_service_access_only] field by default.

Create a non-interactive user for web services

Non-interactive users can only connect to a ServiceNow instance from an API protocol. Use this feature to set up user accounts for web service authentication purposes.

Before you begin

Role required: user_admin or admin

About this task

Non-interactive users cannot log in to an instance or a service portal, connect through single sign-on, or be used as a MID Server user.

Procedure

  1. Navigate to User Administration > Users.
  2. Search for the user to be updated.
    For example, SOAP user.
  3. Select the Web Service Access Only check box.
  4. Click Update.
    Note: ServiceNow always uses any user name and password credentials supplied with a request even if the High Security Settings do not require authorization for a given API protocol. For example, if a SOAP request supplies a user name and password, the instance verifies those credentials even if SOAP requests do not require authorization. To avoid verifying user credentials, the request must not include them.

Make a non-interactive user record interactive

Interactive users have the following access rights.

Before you begin

Role required: user_admin or admin

Procedure

  1. Navigate to User Administration > Users.
  2. Search for the user you want to update. For example, System Administrator.
  3. Clear the Web Service Access Only check box.
  4. Click Update.

Update web service user accounts for strict security

If your instance requires strict security, add the soap role to any user accounts used for web services.

Before you begin

Role required: user_admin or admin

Procedure

  1. Navigate to User Administration > Users.
  2. Select a web service user from the list.
  3. From the Roles related list, click Edit.
  4. Add soap to the Roles List.
  5. Click Save.
  6. Click Update.

Require authentication

You can specify whether non-interactive sessions require authentication from the High Security Settings module.

Before you begin

Role required: admin with elevated privileges

About this task

A non-interactive session bypasses the UI to connect to the instance at an API level. Typically, non-interactive sessions use set protocols such as JSON, SOAP, XSD, or WSDL. By default, all non-interactive sessions require authentication.

Procedure

  1. Log in with an administrator user with the security_admin role.
  2. Elevate your privileges to use security_admin.
  3. Navigate to System Security > High Security Settings.
  4. Select the matching "Requires authorization" option for the protocol you want to set. For example, Requires authorization for incoming SOAP requests.
  5. Select the check box to require authentication for the non-interactive session method. Clear the check box to allow the non-interactive session method to connect without providing any credentials.
    Note: Activating the Non-Interactive Sessions plugin on an existing system may prevent any existing users that authorize SOAP and WSDL-based integrations from logging in unless they already have the soap role.
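The account rules on this page (web service accounts marked Web Service Access Only, the soap role under strict security, no non-interactive MID Server users) can be checked in bulk over an export of the User table. The script below is an added example, not ServiceNow code; the record layout with a per-user "roles" list, the account names, and the caller-supplied sets of integration and MID Server accounts are assumptions.

```python
# Added example: audit exported User [sys_user] records against this page's rules.
# The record layout (a "roles" list per user) and all account names are constructed.

SAMPLE_USERS = [
    {"user_name": "soap.integration", "web_service_access_only": "true", "roles": ["soap"]},
    {"user_name": "json.feed", "web_service_access_only": "true", "roles": []},
    {"user_name": "legacy.sync", "web_service_access_only": "false", "roles": ["soap"]},
    {"user_name": "mid.server", "web_service_access_only": True, "roles": []},
    {"user_name": "jane.doe", "web_service_access_only": "false", "roles": []},
]


def is_true(value):
    """Exports may carry the flag as a bool or as the strings 'true'/'false'."""
    return value is True or str(value).strip().lower() == "true"


def audit_users(users, integration_accounts, mid_server_accounts=(), strict_security=True):
    """Return sorted (user_name, finding) tuples for records that break the rules."""
    findings = []
    for user in users:
        name = user["user_name"]
        non_interactive = is_true(user.get("web_service_access_only"))
        roles = set(user.get("roles", []))
        is_integration = name in integration_accounts

        # Least privilege: an account used only for web services should not
        # be able to log in to the UI or a service portal.
        if is_integration and not non_interactive:
            findings.append((name, "integration account can still log in to the UI"))

        # Non-interactive users cannot be used as a MID Server user.
        if name in mid_server_accounts and non_interactive:
            findings.append((name, "non-interactive user cannot be a MID Server user"))

        # Under strict security, web service accounts need the soap role.
        if strict_security and is_integration and "soap" not in roles:
            findings.append((name, "missing soap role required under strict security"))
    return sorted(findings)


if __name__ == "__main__":
    integration = {"soap.integration", "json.feed", "legacy.sync"}
    for name, finding in audit_users(SAMPLE_USERS, integration, {"mid.server"}):
        print(f"{name}: {finding}")
```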