I have configured a OAUTH client ID and secret on my client's ServiceNow instance. I configured the account in the Splunk Add-on for ServiceNow application. The configuration completed without issue. I was then able to configure an input to pull from the CMDB database using the OAUTH credentials. However when I try to pull the "sn_si_incident" table from the SIR database I'm getting the message "Insufficient rights to query records: Fields present in the query do not have permission to be read".

When I configured the OAUTH credentials in the add-on I used an account (e.g. svc_account1) that I know has permissions to read from this table. We have also tested with Postman and can pull from the security incident table. In Postman we configured the client ID/secret as well as the username and password (using svc_account1).  We noticed that when we try using the OAUTH using Postman the user is the correct user (svc_account1). However when we use the Splunk add-on the user is my user account.

Has anyone every tried to use OAUTH to access the security database tables?

Is the add-on built to handle the security database tables? I wonder about this because when I try to select a table from the dropdown I don't see "sn_si_incident" (probably because the only tables available are from the CMDB database).

Thanks.