ServiceNow "insufficient rights" (ACL) on change in CI
ServiceNow authenticated the user but ACLs blocked the operation. Creating or updating change_request records requires a role such as itil or a change role; without it, the API reports insufficient rights.
What this error means
A change create/update returns success:false with "insufficient rights" (often HTTP 403), while a read of a permitted table works, proving auth is fine but ACLs are not.
HTTP/1.1 403 Forbidden
{"error":{"message":"Operation against file 'change_request' was aborted",
"detail":"ACL Exception Insufficient rights to write to change_request"},"status":"failure"}Common causes
The integration user lacks a change role
Writing change_request needs a role like itil or sn_change_write. A bare user authenticates but cannot pass the table ACL.
A field-level ACL blocks a specific field
Even with table access, a restricted field can trigger an ACL exception when the request sets it.
How to fix it
Grant the required role
- Identify which ACL the operation trips (table or field level).
- Assign the integration user the appropriate change role (itil / sn_change_write).
- Retry the change operation.
Avoid setting restricted fields
If a field ACL blocks the write, omit that field or use the DevOps Change API which sets change data through a supported path.
How to prevent it
- Give the CI integration user the minimum change role it needs.
- Prefer the DevOps Change API for change creation over raw table writes.
- Avoid writing ACL-restricted fields directly.