ServiceNow IT Service Management Suite
Connector name |
|
Connector type | Executable |
Type (UI field value) | ServiceNow IT Service Management |
Target system versions supported / tested | The |
Connector status / support | Bravura Security-Verified. This connector has been tested and is fully supported by Bravura Security. |
The following Bravura Security Fabric operations are supported by this connector (depending on your product license and version):
user verify password
administrator reset password
expire password
check password expiry
unexpire password
enable account
disable account
check account enabled
lock account
unlock account
check account lock
create account
delete account
rename account
update attributes
create group
delete group
add user to group
delete user from group
List:
attributes
accounts
groups
members
computer objects
For a full list and explanation of each connector operation, see connector operations.
The following sections show you how to support agent operations by:
Preparing the target
Setting the target system address in Bravura Security Fabric
See also
ServiceNow IT Service Management Suite (Ticket) shows you how to use the pxsvcnow interface program, which triggers the creation and update of Incidents, Changes or Problems on ServiceNow systems.
Preparation
Before you can target ServiceNow, you must:
Set up a target system administrator.
Create at least one template account for account creation operations.
Import the Bravura Security Update Set into ServiceNow.
Assign the target system administrator the Bravura Security role.
Ensure that the Bravura Security Fabric psadmin account is allowed to access the ServiceNow IT Service Management Suite site via HTTPS.
Setting up a target system administrator
Bravura Security Fabric uses a designated account on ServiceNow IT Service Management Suite to perform Bravura Security Fabric operations. Create an account with appropriate permissions if one does not already exist.
As an administrator, use a browser to log into the ServiceNow IT Service Management Suite website.
In the left pane, click User Administration.
Click Users.
Select the user you want to promote.
Click Edit next to Roles.
Select admin > Add.
Click Save.
In order to use the ServiceNow REST API architecture, an OAuth API endpoint for external clients must be created in addition to the target administrator.
As an administrator, use a browser to log into the ServiceNow IT Service Management Suite website.
In the left pane, navigate to System OAuth.
Click Application Registry.
Click New.
Click the Create an OAuth API endpoint for external clients link.
Add the details for the Name and Client Secret. Copy the Client ID for future usage.
Click Submit.
When adding the OAuth credentials to the target, the Client ID is entered as the Administrator ID and the Client Secret is entered as the Password. These OAuth credentials must be designated as the System password.
Notes on ServiceNow admin roles
In ServiceNow, permissions are controlled through a combination of roles, Access Control Rules (ACLs), and sometimes specific properties within the application. For example, if you want to allow a user to only view accounts and change passwords, you will need to configure the permissions accordingly, focusing on the user table (often sys_user) and associated records. The following is a summary of steps:
Viewing Accounts: Users typically need the "itil" role or a custom role with read access to the user table (often "sys_user"). Configure ACLs to grant read access to necessary fields within user records.
Changing Passwords: While typically restricted to users with admin or elevated privileges, you can create custom roles and ACLs to allow specific users to change passwords without full admin rights:
Create a custom role (e.g., "password_admin") with permissions to change passwords.
Configure ACLs on the user table to allow users with this role to update the password field. Be cautious, as this permission can pose security risks.
Ensure ACLs restrict access to other fields and system areas.
Provide user training on the responsibilities and security implications of changing passwords.
Always test configurations in a development or test instance before applying them to production to avoid unintended access issues. For more detailed instructions tailored to your version and setup, consult ServiceNow documentation or community forums.
Creating a template account
Bravura Security Fabric uses template accounts as models or "blueprints" for creating new accounts in ServiceNow IT Service Management Suite. The following example illustrates how you can create a template account in ServiceNow IT Service Management Suite:
As an administrator, use a browser to log into the ServiceNow IT Service Management Suite website.
In the left pane, click User Administration.
Click Users.
Click New.
Fill in the required fields: User ID, First name, Last name.
Click Submit.
Import the Bravura Identity Update Set into ServiceNow
Before you import the Bravura Identity Update Set, you must back out any previously imported Bravura Identity Update Sets:
Log into ServiceNow IT Service Management Suite.
Click System Update Sets.
Select "Bravura Identity".
Click Back Out.
"Elevated security Admin" permissions are required to do this.
Delete the Bravura Identity Update Set.
If there is an application with the same name as "Bravura Identity", it is recommended to change it.
More information on the back out process can be found in section 5 of the following link:
http://wiki.servicenow.com/index.php?title=Transferring_Update_Sets#gsc.tab=0
Import the Update Set
Locate Bravura_Identity_Integration.xml, which is shipped with the connector pack and installed together with svcnow.exe. The location will be:
<Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\agent
or
<Program Files path>\Bravura Security\Connector Packs\global\agent
Log into ServiceNow IT Service Management Suite with an admin account.
Ensure the admin account is elevated to Security_Admin by checking the "lock" symbol in the top-left corner. If the lock symbol is open, the account is elevated. If the lock is closed, click it to elevate.
Navigate to System Update Sets > Retrieved Update Sets > Import Update Set from XML.
Choose the Bravura_Identity_Integration.xml file located previously, and click Upload.
The page displays "Loaded" for the Bravura Identity item.
Select the "Bravura Identity" row.
Click Preview Update Set.
If no problems were detected, click Commit Update Set.
To confirm the import was successful:
In the left panel, type "Bravura" in the Filter text field.
If the import was successful, "Bravura Identity" appears, with the "Bravura Security users" menu below it.
The steps for importing the Update Set from XML can be found in Section 3 of the following:
http://wiki.servicenow.com/index.php?title=Transferring_Update_Sets#gsc.tab=0
Assign the Bravura Security Role
As part of the import, a new role called x_snc_bravura_iden.Bravura_Security_Role is imported. This role has the appropriate permissions required to utilize the Bravura Security web services, which integrate with the agtsvcnow agent program to enable operations.
It is recommended that you configure the target system administrator account to use this role, as opposed to the admin role.
As an administrator, use a browser to log into the ServiceNow IT Service Management Suite website.
In the left pane, click User Administration.
Click Users.
Select the user you used as the target system administrator.
Click Edit next to Roles.
Select x_snc_bravura_iden.Bravura_Security_Role > Add.
Click Save.
If the Bravura Security Role does not appear in the list on the left-hand side, set the filter as: Name Contains "Bravura".
Ensuring psadmin access
Ensure that the Bravura Security Fabric psadmin account is allowed to access the ServiceNow site via HTTPS:
As psadmin, log into the server where Bravura Security Fabric resides.
Using a browser, access your ServiceNow IT Service Management Suite site via HTTPS (for example, https://dev00001.service-now.com) and add it as a trusted site.
Targeting ServiceNow
For each ServiceNow IT Service Management Suite system, add a target system in Bravura Security Fabric (Manage the System > Resources > Target systems):
Type is ServiceNow IT Service Management.
Address uses the options described in the table below.
Set the Administrator ID and Password to the login ID and password for the user with permissions to perform all required operations.
The full list of target parameters is explained in Target System Options.
Option | Description |
|---|---|
Options marked with a | |
Server | The server’s host name or IP address. (key: server) |
Port | The TCP port number, typically 443. (key: port) |
Connection over SSL | Select to enforce SSL connections. Default is "true". (key: ssl) |
Validate the server’s certificate when connecting | Determines whether to validate the server’s security certificate for SSL connections. Default is "true". (key: checkCert) |
HTTP Network Proxy | (Optional) Proxy URL to use for connecting. (key: proxy) |
Set proxy credentials | (Optional) Set proxy credentials. Default is "false". (key: useProxyCreds) |
Config file path | Full path to the KVGroup mapping configuration file used to target custom tables. See Targeting custom tables for details. (key: cfgpath) |
Records per page (maximum 250) | Affects the number of records returned during listing. Change to synchronize with the ServiceNow configuration. (key: pagesize) |
The address is entered in KVGroup syntax:
{server=<server url>;[port=<port>;][proxy=<ip:port>;][ssl=<true|false>;][checkCert=<true|false>;][cfgpath=<path>;][pagesize=<records per page>;][useProxyCreds=<true|false>;]}
For example:
{server=server.example.com;port=443;proxy=proxy.example.com;cfgpath=agtsvcnow.cfg;ssl=true;checkCert=false;useProxyCreds=true;}
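The example address above sets checkCert=false, which turns off the certificate validation that the option table lists as on by default. The following check is an added example, not part of the connector or of Bravura Security's tooling: it parses an address string and reports settings that weaken the connection. The function names are hypothetical, and it assumes that values contain no ";" and that booleans are written as true or false.

```python
import re

# Defaults from the option table above; keys absent from the address use these.
DEFAULTS = {"ssl": "true", "checkCert": "true"}
KNOWN_KEYS = {"server", "port", "proxy", "ssl", "checkCert",
              "cfgpath", "pagesize", "useProxyCreds"}


def parse_address(address):
    """Parse '{key=value;key=value;}' into a dict (assumes no ';' in values)."""
    m = re.fullmatch(r"\s*\{(.*)\}\s*", address, re.S)
    if not m:
        raise ValueError("address must be enclosed in { }")
    opts = {}
    for item in filter(None, (p.strip() for p in m.group(1).split(";"))):
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"missing '=' in {item!r}")
        opts[key.strip()] = value.strip()
    return opts


def audit_address(address):
    """Return findings for settings that weaken or break the connection."""
    opts = {**DEFAULTS, **parse_address(address)}
    findings = [f"unknown key: {k}" for k in sorted(set(opts) - KNOWN_KEYS)]
    if not opts.get("server"):
        findings.append("server is required")
    if opts["ssl"].lower() != "true":
        findings.append("ssl is off: connection is not encrypted")
    if opts["checkCert"].lower() != "true":
        findings.append("checkCert is off: server certificate is not validated")
    if opts.get("useProxyCreds", "false").lower() == "true" and "proxy" not in opts:
        findings.append("useProxyCreds is set but no proxy is configured")
    size = opts.get("pagesize")
    if size is not None and not (size.isdigit() and 1 <= int(size) <= 250):
        findings.append("pagesize must be between 1 and 250")
    return findings


# The example address from the page, and the same address with validation on.
PAGE_EXAMPLE = ("{server=server.example.com;port=443;proxy=proxy.example.com;"
                "cfgpath=agtsvcnow.cfg;ssl=true;checkCert=false;useProxyCreds=true;}")
HARDENED = PAGE_EXAMPLE.replace("checkCert=false", "checkCert=true")

if __name__ == "__main__":
    for label, addr in (("page example", PAGE_EXAMPLE), ("hardened", HARDENED)):
        print(label, audit_address(addr))
```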
Targeting custom tables
You can target custom tables in ServiceNow with a configuration file written in KVGroup format as illustrated below:
# KVGROUP-V2.0
#
# Sample configuration file for agtsvcnow.
#
"agtsvcnow" "node" = {
  "user" "u_bravura_user_profiles" = {
    "user_name" = "u_profile_id";
    "first_name" = "u_first_name";
    "last_name" = "u_last_name";
  };
  "group" "u_bravura_grp" = {
    "name" = "u_groupid";
    "description" = "u_groupname";
  };
  "grpmbr" "u_bravura_grpmbr" = {
    "group" = "u_groupid";
    "user" = "u_userid";
  };
  "asset" "u_bravura_compsvr" = {
    "ID" = "asset_tag";
    "name" = "display_name";
    "status" = "install_status";
    "disabled" = "1";
    "deleted" = "0";
    "getall" = "true";
    "sysparm_query"="asset_tagISNOTEMPTY";
  };
};
The configuration file describes the mapping between the custom table and the built-in sys_user table, from which the connector pulls user information by default.
The file maps the default user_name, first_name and last_name columns from sys_user to columns in a custom table. The "group" KVGroup should contain the "name" and "description" mappings. The "grpmbr" KVGroup should contain the "group" and "user" mappings if any of them are to be listed from a custom table. If empty, the information will be pulled from the system built-in tables. In addition, the "asset" KVGroup can be used to list any available computer server objects from a custom table.
By default, groupid is mapped to sys_id in the built-in table, which may result in empty group members. If you encounter this, add the following line to "grpmbr" to list all custom group members:
"group_is_sysid"="false";
The configuration file can be placed anywhere. The default path is the <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\script\ directory.
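A mapping file can be checked against the rules above before the target is pointed at it. The following is an added example, not part of the connector: it reads only the subset of KVGroup syntax shown in the sample file, treats an absent or empty section as "use the built-in tables" (an assumption), and uses hypothetical function names.

```python
import re

# Mappings the page says a section should carry when listed from a custom table.
REQUIRED = {"group": {"name", "description"}, "grpmbr": {"group", "user"}}
# Innermost sections only: a body that contains nested braces cannot match.
SECTION_RE = re.compile(r'"(\w+)"\s+"(\w+)"\s*=\s*\{([^{}]*)\}')
PAIR_RE = re.compile(r'"([^"]+)"\s*=\s*"([^"]*)"\s*;')


def parse_mapping(text):
    """Return {kind: (table, {key: value})} for each innermost section."""
    text = re.sub(r"^\s*#.*$", "", text, flags=re.M)  # drop comment lines
    return {kind: (table, dict(PAIR_RE.findall(body)))
            for kind, table, body in SECTION_RE.findall(text)}


def lint_mapping(text):
    """Return findings for incomplete group and group-member mappings."""
    sections, findings = parse_mapping(text), []
    for kind, needed in REQUIRED.items():
        table, pairs = sections.get(kind, ("", {}))
        if not pairs:
            continue  # absent or empty: built-in tables are used instead
        for key in sorted(needed - set(pairs)):
            findings.append(f"{kind} ({table}): missing mapping for {key}")
    members = sections.get("grpmbr", ("", {}))[1]
    if members and members.get("group_is_sysid") != "false":
        findings.append("grpmbr: group_is_sysid is not false; "
                        "custom group members may list as empty")
    return findings


# Constructed sample in the page's format, with one mapping left out.
SAMPLE = '''# KVGROUP-V2.0
"agtsvcnow" "node" = {
"group" "u_bravura_grp" = {
"name" = "u_groupid";
};
"grpmbr" "u_bravura_grpmbr" = {
"group" = "u_groupid";
"user" = "u_userid";
};
};
'''
FIXED = (SAMPLE.replace('"name" =', '"description" = "u_groupname";\n"name" =')
         .replace('"user" =', '"group_is_sysid" = "false";\n"user" ='))

if __name__ == "__main__":
    print(lint_mapping(SAMPLE), lint_mapping(FIXED))
```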
