Machine identity Recommendations - Product Knowledge

Machine identity Recommendations Machine Identity Console Machine Identity Console allows Admin & Integration owner to manage Machine identities, which identify, authenticate, and authorize applications, workloads, API’s, bots, and automated systems.

Security score and findings in Machine identity console is based on the usage and method of authenticating machine identities to help identify higher risk identities so admins can take the necessary preventative actions for them.

The Machine identity security score is based on the following findings:

Accounts with no login for 100 days Accounts using Basic Authentication Integration accounts with Web Service Access disabled Accounts performing both UI and API logins The recommended actions for each finding are as follows: Accounts with no login for 100 days

This account that has not signed in for 100 days or more. Consider deactivating the account to reduce the risk.

To make the account inactive, follow these steps:

Click the Machine identity link to view the user record. Uncheck the Active checkbox. Update the record.

Accounts using Basic Authentication

Basic Auth is not the most recommended authentication mechanism. ServiceNow supports alternative, more secure methods of authentication. It is recommended upgrading your machine identity to a more secure method.

Refer to the Inbound Integration documentation. Once you're familiar, explore the new Inbound Integration experience [Machine identity Console tab: Inbound Integrations]. Use the Certificated Based Authentication as an alternate authentication option. To learn more about why Basic Auth is not recommended, read section 4 in the OWASP Non-Human Identities article.

Integration accounts with Web Service Access disabled

This account that has Web Service Access disabled. Consider enabling the Web Service Access for the account to reduce the risk.

To make the account inactive, follow these steps:

Click the Machine identity link to view the user record. Set the Identity type = Machine in sys_user record (This will automatically check the Web Service Access checkbox). Update the record.

Accounts performing both UI and API logins

Account that is performing UI login but marked for integration. Consider creating a separate account for UI logins and use this account only for integration, and vice-versa.