The ServiceNow provisioning flow fails with the following error visible in the Okta dashboard:
- Errors during execution: Error executing pushUserProfile: 404. No Record found. Record doesn't exist or ACL restricts the record retrieval. Error Code: null
- 403. Operation Failed. ACL Exception Insert Failed due to security constraints
- ServiceNow
- Provisioning
- Error
The error is generally caused by a misconfiguration in the ServiceNow environment or by the service account used for the API integration not having the appropriate permissions to view/edit user objects in the ServiceNow application.
Rules for access control lists (ACLs) restrict access to data by requiring users to pass a set of requirements before they can interact with it. The object is the target to which access needs to be controlled. Each object consists of a type and name that uniquely identifies a particular table, field, or record.
All access control list rules specify:
- The object and operation being secured
- The permissions required to access the object
Check ServiceNow credentials
- Ensure that the credentials from the ServiceNow instance are entered correctly in the Provisioning tab of the Okta application.
- The credentials can be found in ServiceNow under Your instance actions > Manage instance password.
Verify the target User
- Verify that the User object that Okta is targeting for provisioning has the same external ID.
- The AppUser assignment's external ID can be found under the Okta Applications page > ServiceNow > Assignments > click the edit/pencil icon.
- The external ID is the unique ID in ServiceNow for the user record; it must remain unchanged and uniquely identify this account. Certain migration actions where the ServiceNow database is overwritten can change this ID and cause the disconnect.
- If this is the case, then it is generally best to unassign the User(s) in Okta and assign them back to the app.
- This initiates the provisioning flow and should obtain the current external IDs from ServiceNow based on the assignments' usernames.
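The external ID check above can be run in bulk once both user lists are exported. The following is an added example, not part of the original article or either vendor's tooling; the sample records are constructed, and the field names (`externalId`, `userName`, `sys_id`, `user_name`) and the use of `sys_id` as the external ID are assumptions.

```python
# Constructed sample data (not real accounts). Field names are assumptions:
# externalId / userName mirror Okta's AppUser assignment, sys_id / user_name
# mirror ServiceNow's sys_user table, with sys_id taken as the external ID.
OKTA_ASSIGNMENTS = [
    {"userName": "alice@example.com", "externalId": "id-001"},
    {"userName": "bob@example.com", "externalId": "id-002"},
    {"userName": "carol@example.com", "externalId": "id-003"},
    {"userName": "dave@example.com", "externalId": "id-004"},
]
SERVICENOW_USERS = [
    {"sys_id": "id-001", "user_name": "alice@example.com"},
    {"sys_id": "id-902", "user_name": "bob@example.com"},   # re-created after a migration
    {"sys_id": "id-003", "user_name": "erin@example.com"},  # ID now belongs to someone else
]


def reconcile(assignments, servicenow_users):
    """Classify each Okta assignment by how its external ID resolves in ServiceNow."""
    by_id = {u["sys_id"]: u for u in servicenow_users}
    by_name = {u["user_name"].lower(): u for u in servicenow_users}
    report = {}
    for a in assignments:
        name = a["userName"].lower()
        record = by_id.get(a.get("externalId"))
        if record and record["user_name"].lower() == name:
            status = "ok"
        elif record:
            # ID resolves, but to a different account: a push would edit the wrong user.
            status = "id_points_to_other_user"
        elif name in by_name:
            # Stale ID: the record exists under a new ID; unassign and reassign the user.
            status = "stale_id_reassign"
        else:
            # No record by ID or username: confirm the account exists and that the
            # service account's ACLs allow it to read user records.
            status = "not_visible_in_servicenow"
        report[a["userName"]] = status
    return report


if __name__ == "__main__":
    for user, status in reconcile(OKTA_ASSIGNMENTS, SERVICENOW_USERS).items():
        print(f"{user}: {status}")
```

Export the ServiceNow list with the same service account that Okta uses, so that records hidden by ACLs show up as `not_visible_in_servicenow` rather than being masked by an administrator's wider access.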
Please contact ServiceNow Support for more details if further challenges are faced in locating the user accounts or required permissions in the ServiceNow environment.
