Skip to content
Latchkey

ServiceNow "insufficient rights" (ACL) on change in CI

ServiceNow authenticated the user but ACLs blocked the operation. Creating or updating change_request records requires a role such as itil or a change role; without it, the API reports insufficient rights.

What this error means

A change create/update returns success:false with "insufficient rights" (often HTTP 403), while a read of a permitted table works, proving auth is fine but ACLs are not.

ServiceNow
HTTP/1.1 403 Forbidden
{"error":{"message":"Operation against file 'change_request' was aborted",
 "detail":"ACL Exception Insufficient rights to write to change_request"},"status":"failure"}

Common causes

The integration user lacks a change role

Writing change_request needs a role like itil or sn_change_write. A bare user authenticates but cannot pass the table ACL.

A field-level ACL blocks a specific field

Even with table access, a restricted field can trigger an ACL exception when the request sets it.

How to fix it

Grant the required role

  1. Identify which ACL the operation trips (table or field level).
  2. Assign the integration user the appropriate change role (itil / sn_change_write).
  3. Retry the change operation.

Avoid setting restricted fields

If a field ACL blocks the write, omit that field or use the DevOps Change API which sets change data through a supported path.

How to prevent it

  • Give the CI integration user the minimum change role it needs.
  • Prefer the DevOps Change API for change creation over raw table writes.
  • Avoid writing ACL-restricted fields directly.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →