ServiceNow OAuth2

ServiceNow provides cloud-based services such as Software as a Service (SaaS) and Platform as a Service (PaaS) that automate enterprise IT operations.

Important: This ServiceNow integration requires the authentication method OAuth2 with password grant type.

Information Stored
Minimum Permissions Required
Authentication Method
Credentials Required
License Types
Integrating ServiceNow OAuth2 with SaaS Management
API Endpoints with License Differentiation
API Endpoints without License Differentiation

Information Stored

The following table describes the available integration tasks and stored data.

Available Integration Tasks

Integration Task

Information Stored

Application Roster

Username
Email
First Name
Middle Name
Last Name
Active Date
Roles

Application Access

Username
User Event (for further details, refer to ServiceNow OAuth2 User Events Tracked in SaaS Management)
Time Occurred

Important: During the first run of the Application Access task, Flexera pulls data for only the last 6 days.

License Differentiation

See License Types and Tracking Application Activity by License Type for License Differentiation.

Reclamation

Once the reclamation task is executed for the selected users, the entire account and licenses associated with that user will be deleted, and the user will no longer have access to ServiceNow OAuth2.

For details, refer to Reclaiming SaaS Licenses.

Note: The information stored is subject to change as enhancements are made to the product.

ServiceNow OAuth2 User Events Tracked in SaaS Management

When the Application Access integration task is enabled, SaaS Management tracks ServiceNow OAuth2 user events such as, but not limited to, the activities listed in the table below.


Catalog_channel_analytics_Usage

Pa Dc Collect Predictive Completed

Rota On_call Report

Sn_appclient Check For Update

Event Transfer

Pa Job Dc Ended Ok

Sc_cart_item multi_row Orphan Delete

Sn_appclient Update System Property

Glide Heartbeat

Request Approval Inserted

Sc_req_item Change Stage

Sn_dependentclient Check Dependent_apps

Incident Inactivity

Request Approval Rejected

Sc_req_item Inserted

Snc Subscription Definition Count

Live_feed Update

Request Approved

Sc_req_item Updated

Snc Subscription Download Completed

Login

Request Inactive

Sc_task Assigned To Group

Task Approved

Login Failed

Request Inserted

Sc_task Assigned To User

Task Rejected

Logout

Request Requested_for

Sc_task State Changed

Text Index

Notification_engine Process

Request Updated

Session Established

Text_index Reap

Notification_provider Process

Rota On_call Reminder

Sn_appauthor Check Config Update

User View

To access ServiceNow OAuth2 user event activities:

1. Navigate to the SaaS menu and click Managed SaaS Applications. The Managed SaaS Applications screen appears.
2. On the Managed SaaS Applications screen, select the appropriate ServiceNow OAuth2 instance link. The instance’s Overview tab opens by default.
3. Click the Users tab.
4. Within the Users tab table, click the appropriate user’s Email column link. The user details slideout appears.
5. Click the View more user details link, which takes you to the Administration > SaaS Settings > Organization > All SaaS Users screen and displays the user’s All SaaS Users Screen Usage Statistics. One of the usage statistics is the Activity (Last 90 Days) tab, which lists the ServiceNow OAuth2 user event activity information in the Activity and Notes columns.

Minimum Permissions Required

Role: admin, snc_read_only

Description: These roles are required for retrieving the ServiceNow users and their activities. For details, refer to the Base System Roles section of the ServiceNow documentation.

Integration Task Name: Application Roster, Application Access

Role: admin

Description: This role is required to:

Retrieve the ServiceNow users and their activities
Manage user licenses for the Reclamation task
Register the Client Application
Generate the Client ID and Client Secret in ServiceNow

For details, refer to the Base System Roles section of the ServiceNow documentation.

Integration Task Name: Application Roster, Application Access, Reclamation

Follow the steps below to enable the correct ServiceNow OAuth2 user role permissions for an existing SaaS Management integration with ServiceNow OAuth2.

To enable the correct user role permissions for an existing SaaS Management integration with ServiceNow OAuth2, determine whether License Differentiation is enabled.

1. When License Differentiation is enabled for an existing SaaS Management integration with ServiceNow OAuth2 added using itil and snc_read_only permissions:
a. If you want to enable only the Application Roster and Application Access tasks, you are required to elevate the user role to admin and snc_read_only.
b. If you want to enable the Application Roster, Application Access, and Reclamation tasks, you are required to elevate the user role only to admin.
2. When License Differentiation is not enabled for an existing SaaS Management integration with ServiceNow OAuth2:
a. If you want to enable only the Application Roster and Application Access tasks, you are required to have the rest_api_explorer role.
b. If you want to enable the Application Roster, Application Access, and Reclamation tasks, you are required to have the user_admin role. For details, refer to the Base System Roles section of the ServiceNow product documentation.

If you wish to have a custom role with a reading permission specific to the tables used in the integration API, then follow the steps below to create a custom role.

To create a custom role with a reading permission specific to the tables used in the integration API:

Important: If you enable the Reclamation task, the user_admin role and the custom role are required.

1. Sign in to your ServiceNow instance as a security_admin or sign in as a system administrator. Elevate your role by clicking System Administrator. Navigate to Elevate Roles and enable the security_admin check box, which enables this permission to edit the Access Control List.
2. To create a custom role, navigate to the Roles tab by searching for the “roles” keyword in the All Applications menu on the left side of the screen. Click the New button and enter the desired name for the role. Click Submit to create this new role.
3. In the All Application navigator, search for the “Access Control” keyword. Click Access Control (ACL) to navigate to the Access Control tab.
4. In the Access Control tab, search for the access control keyword “sys_user_has_role”. Click on the record with the read operation type, add the custom role created under the Requires Role section, and click Update.
5. Repeat the same steps for the “sys_user_role” Access Control record, add the custom role created to the Requires Role section, and click Update.
6. In the Access Control tab, search for the access control keyword “sysevent”. There will be two records with read operation.
a. Open the record type that does not contain the default entry of “pa_data_collector”.
b. Add the custom role created under the Requires Role section.
c. Click Update.

Authentication Method

OAuth2 with password grant type. For details, refer to the OAuth API Request Parameters section of the ServiceNow product documentation.

Credentials Required

Instance Domain
Username
Password
Client ID
Client Secret
Enable License Differentiation
Specify Fulfiller Roles
Specify Approver Roles

License Types

ServiceNow offers three types of licenses: Requester, Approver, and Fulfiller. The following table lists the ServiceNow OAuth2 license types displayed in the Activity tab.

ServiceNow OAuth2 License Types Displayed in the Activity Tab

Description

Requester

These end users access the instance through an employee self-service portal. Requesters have no associated roles.

Note: Since Requesters are free users, SaaS Management does not pull in these users.

Approver

These end users view or modify requests directed to the approver. Approvers can have the approver_user role. The Approver license type has an average cost per user.

Fulfiller

These end users access all functionality based on assigned roles. A popular fulfiller role is itil. The Fulfiller license type is the most expensive.

Integrating ServiceNow OAuth2 with SaaS Management

To integrate ServiceNow OAuth2 with SaaS Management, perform the following steps.

To integrate ServiceNow OAuth2 with SaaS Management:

1. Sign in to your ServiceNow instance using Administrator credentials.
2. From the Instance URL, note the ServiceNow Instance Domain. You will need this value to integrate ServiceNow OAuth2 with SaaS Management.

For example, if the Instance URL is https://dev70003.service-now.com, then the Instance Domain is dev70003.

Important: If you enter the ServiceNow Instance URL rather than the ServiceNow Instance Domain in the SaaS Management Instance Domain field, the integration will fail.

3. In the filter navigator search box on the left-hand side, enter Application Registry and click Application Registry in the search results to select it. The Application Registry page opens.
4. Click the New button and select Create an OAuth API endpoint for external clients.
5. Perform the following:
a. Enter a Name.
b. Note the Client ID. You will need the Client ID value to integrate ServiceNow OAuth2 with SaaS Management.
c. Change the Access Token Lifespan value to 14,400.
6. Manually enter a Client Secret value, or generate one by clicking the Submit button. If you generated the Client Secret by clicking Submit, navigate to the Application Registry, click the record that you created, and click the Lock icon to reveal the Client Secret value. You will need the Client Secret value to integrate ServiceNow OAuth2 with SaaS Management.
7. In SaaS Management, add the ServiceNow OAuth2 application. Refer to Adding an Application.
8. Copy and paste the following ServiceNow OAuth2 values into SaaS Management.
Instance Domain 
Client ID 
Client Secret 
9. Enter the Username and Password of the ServiceNow user with privileges as outlined in the Minimum Permissions Required section.
10. To enable License Differentiation for the integration, enter the appropriate value in the Enable License Differentiation field.

Example 1: Type YES to enable license differentiation and retrieve the Fulfiller/Approver roles assigned for the users.

Example 2: Type no or leave this field blank if you do not want to enable license differentiation. In this case, the Licenses column under the Users tab will show up empty, and no records will be displayed under the Activity tab.

11. To view the users assigned specific ServiceNow OAuth2 Approver and Fulfiller licenses, enter the information below. When entering multiple roles, separate them with commas.
a. Enter the specific Fulfiller roles in the Specify Fulfiller Roles field.
b. Enter the specific Approver roles in the Specify Approver Roles field.
c. Leave the Specify Fulfiller Roles and Specify Approver Roles fields blank to pull in all users assigned any roles.

Note: If the Specify Fulfiller Roles and Specify Approver Roles fields are left blank, the Licenses column under the Users tab and the License Type column under the Activity tab display “No roles have been specified” for the user records.

Results: 

In the ServiceNow OAuth2 Users tab, the Approver and Fulfiller license types appear in the Licenses column.
In the ServiceNow OAuth2 Activity tab, the Approver and Fulfiller license types appear in the License Type column.
12. Click Authorize.
13. For further information on managing and optimizing your organization’s ServiceNow OAuth2 licenses, refer to:
Tracking Application Activity by License Type for License Differentiation
Reclaiming SaaS Licenses.
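
The password-grant exchange that the values entered in the steps above feed into, as an added example (not Flexera's or ServiceNow's code). It assumes ServiceNow's standard token endpoint /oauth_token.do and that the Access Token Lifespan of 14,400 is expressed in seconds; the function names, the table allowlist and the sample response are constructed for illustration.

```python
import json
import re
from urllib.parse import urlencode
from urllib.request import Request

# Tables behind the endpoints listed on this page; anything else is refused.
ALLOWED_TABLES = {"sys_user_has_role", "sysevent", "sys_user"}

def instance_base_url(instance_domain: str) -> str:
    """Accept a bare Instance Domain (dev70003); reject a pasted Instance URL."""
    if not re.fullmatch(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?", instance_domain):
        raise ValueError("enter the Instance Domain (e.g. dev70003), not the Instance URL")
    return f"https://{instance_domain.lower()}.service-now.com"

def token_request(instance_domain, client_id, client_secret, username, password) -> Request:
    """Build, without sending, the password-grant POST to /oauth_token.do."""
    form = urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    }).encode()
    # Every credential goes in the POST body, so none of them land in URL logs.
    return Request(instance_base_url(instance_domain) + "/oauth_token.do", data=form,
                   headers={"Content-Type": "application/x-www-form-urlencoded"},
                   method="POST")

def parse_token_response(body: str, issued_at: float, max_lifespan: int = 14400):
    """Return (access_token, expires_at); refuse a token that outlives the configured lifespan."""
    data = json.loads(body)
    if str(data.get("token_type", "")).lower() != "bearer" or not data.get("access_token"):
        raise ValueError("unexpected token response")
    expires_in = int(data["expires_in"])
    if expires_in > max_lifespan:
        raise ValueError(f"expires_in={expires_in}s exceeds the {max_lifespan}s set in step 5c")
    return data["access_token"], issued_at + expires_in

def table_request(instance_domain: str, table: str, access_token: str) -> Request:
    """Build a read request for one of the Table API endpoints on this page."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table {table!r} is outside the integration's scope")
    return Request(f"{instance_base_url(instance_domain)}/api/now/table/{table}",
                   headers={"Authorization": f"Bearer {access_token}",
                            "Accept": "application/json"})

# Constructed sample response (not captured from a real instance).
SAMPLE_RESPONSE = '{"access_token": "EXAMPLE-TOKEN", "token_type": "Bearer", "expires_in": 14400}'
```

Because the password grant hands the account's username and password to the client, the account passed to token_request should hold only the roles listed under Minimum Permissions Required.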

API Endpoints with License Differentiation

Application Roster

https://<<instance>>.service-now.com/api/now/stats/sys_user_has_role

 

https://<<instance>>.service-now.com/api/now/table/sys_user_has_role

Application Access

https://<<instance>>.service-now.com/api/now/stats/sysevent

 

https://<<instance>>.service-now.com/api/now/table/sysevent

Reclamation

https://<<instance>>.service-now.com/api/now/v2/table/sys_user_has_role/{sys_id}

API Endpoints without License Differentiation

Application Roster and Application Access

https://<<instance>>.service-now.com/api/now/stats/sys_user

 

https://<<instance>>.service-now.com/api/now/table/sys_user

Reclamation

https://<<instance>>.service-now.com/api/now/v2/table/sys_user/{sys_id}