Solved

ServiceNow Agent Marketplace Plugins Don't seem to support Permission Mirroring

  • October 16, 2025
  • 3 replies
  • 34 views

Aaron_Vess

My team has recently started testing around with installing Agent templates from the Marketplace into our TEST environment. One particular agent template is Summarize an Incident. When testing this we identified a potential issue where any associate could get an Incident summary for any Incident. I see this as a potential security concern as I wouldn’t want a non ITIL user to be able to see higher severity Incidents as an example.

 

Has anyone else implemented this Agent template? If so, have you had similar experiences or have any idea how to implement the SNOW Role-Based permission mirroring?

3 replies

Kevin Mok
  • Community Manager
  • Answer
  • October 22, 2025

Currently, this plugin uses the ServiceNow connector you set up. I assume it’s either a service account or an OAuth application.

If this account has access to all incidents in the incident table, it can read any incident. The API will then return all the information requested.

This isn’t a Permission Mirroring issue since it’s using a service account or application to retrieve the information.
--

What you can do in this scenario is check access by modifying the plugin to include specific checks. For example, after the user enters the ticket number, you could verify whether they have access to it. Such a workaround would require setting up another API action and implementing decision policies.


Aaron_Vess
  • Author
  • New Participant
  • October 22, 2025

When you say “...require setting up another API action...” do you mean a new Action within the plugin or a new Connection between Moveworks and SNOW? 


Kevin Mok
  • Community Manager
  • October 22, 2025

A new http action within the plugin flow!
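
The access check described in the answer above (an extra HTTP action plus a decision before the summary step), sketched in Python as an added example that is not part of the original thread and is not Moveworks or ServiceNow code. It builds a ServiceNow Table API lookup that returns only ownership fields, then decides whether the requester may see the incident. The policy, the incident number format, and the way the requester's `sys_id` and roles reach the check are assumptions.

```python
import re
from urllib.parse import urlencode

# Assumed policy (not from the thread): holders of the itil role may summarize
# any incident; everyone else only incidents where they are caller or opener.
PRIVILEGED_ROLES = {"itil"}
OWNER_FIELDS = ("caller_id", "opened_by")
INCIDENT_NUMBER = re.compile(r"INC\d{7,10}")  # assumed number format


def build_lookup_path(number: str) -> str:
    """Request path for the extra HTTP action that runs before the summary.

    The number is user input placed into an encoded query, so anything that is
    not a plain incident number (e.g. 'INC0010001^ORactive=true') is rejected.
    """
    if not INCIDENT_NUMBER.fullmatch(number):
        raise ValueError("malformed incident number")
    params = {
        "sysparm_query": f"number={number}",
        "sysparm_fields": ",".join(OWNER_FIELDS),  # ownership only, no content
        "sysparm_limit": "1",
    }
    return "/api/now/table/incident?" + urlencode(params)


def ref_value(field) -> str:
    """Table API reference fields arrive as {'link','value'} or '' when empty."""
    return field.get("value", "") if isinstance(field, dict) else (field or "")


def may_summarize(lookup_response: dict, user_sys_id: str, roles: set) -> bool:
    """Decision for the flow: True only when the requester may see the incident.

    'Not found' and 'not yours' both return False, so the bot's refusal does
    not reveal whether a ticket number exists.
    """
    rows = lookup_response.get("result") or []
    if not rows or not user_sys_id:
        return False
    if PRIVILEGED_ROLES & set(roles):
        return True
    return any(ref_value(rows[0].get(f)) == user_sys_id for f in OWNER_FIELDS)


# Constructed sample data (sys_ids and link are made up).
ALICE, BOB = "a" * 32, "b" * 32
SAMPLE = {"result": [{"caller_id": {"link": "https://example.invalid/x",
                                    "value": ALICE}, "opened_by": ""}]}
```

The summary action that uses the service account should run only when `may_summarize` returns `True`.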