ServiceNow user activity tracking

Note:This feature is available with SaaS Management.

Flexera SaaS Management’s integration with ServiceNow and ServiceNow OAuth2 now tracks all user activity and the time the activity occurred. Software Asset Managers can now identify whether users with ServiceNow Approver and Fulfiller (ITIL) licenses are using the paid aspects of their licenses and are delivering services to requesters or approving requests within the appropriate time period.

Some examples of tracked ServiceNow user activity include, but are not limited to, the following:

Request Approved
Request Updated
Request Inserted
Incident Updated
Incident Inserted
Incident Inactive
Problem Inserted

Actions required for existing SaaS Management Integrations with ServiceNow and ServiceNow OAuth2

If you currently have a ServiceNow or a ServiceNow OAuth2 integration with Flexera’s SaaS Management, complete the following tasks to track user events and the time the events occurred. For further details, refer to the ServiceNow or ServiceNow OAuth2 integration instructions.

The minimum permissions for ServiceNow and ServiceNow OAuth2 have been updated. For details, refer to the appropriate minimum permissions table: Minimum permissions required for ServiceNow or Minimum permissions required for ServiceNow OAuth2 .
Enable the updated ServiceNow or ServiceNow OAuth2 user role permissions based on whether your existing integration supports license differentiation. For details, refer to Enabling ServiceNow and ServiceNow OAuth2 user role permissions.
If your organization currently implements the optional task of Creating a custom role with a reading permission specific to the tables used in the integration API, note that step 6 has been added to these instructions.
The ServiceNow and ServiceNow OAuth2 API endpoints have been updated. Refer to the appropriate API endpoints based on whether your existing integration supports license differentiation: API endpoints with license differentiation or API endpoints without license differentiation.

Actions required for new SaaS Management Integrations with ServiceNow and ServiceNow OAuth2

You need to complete the following tasks to integrate ServiceNow or ServiceNow OAuth2 with SaaS Management. For further details, refer to the ServiceNow or ServiceNow OAuth2 integration instructions.

To track user activity and the time the activity occurred, complete the task: Enabling the SaaS Management Application Access integration task.
Note the appropriate user permissions: Minimum permissions required for ServiceNow or Minimum permissions required for ServiceNow OAuth2 .
As an option for your organization, you can enable the task: Creating a custom role with a reading permission specific to the tables used in the integration API.
Based on your decision whether to support license differentiation for your integration, refer to the appropriate API endpoints: API endpoints with license differentiation or API endpoints without license differentiation.

Enabling the SaaS Management Application Access integration task

To track ServiceNow and ServiceNow OAuth2 user activity and the time the activity occurred, you need to enable the SaaS Management Application Access integration task per the appropriate instructions:

Integrating ServiceNow with SaaS Management 
Integrating ServiceNow OAuth2 with SaaS Management 

Note:During the first run of the Application Access task, Flexera pulls data for only the last 6 days.

Minimum permissions required for ServiceNow

Minimum Permissions Required for ServiceNow

Role

Description

Integration Task Name

admin, snc_read_only

These roles are required for retrieving the ServiceNow users and their activities. For details, refer to the Base System Roles section of the ServiceNow documentation.

Application Roster

Application Access

admin

This role is required to:

Retrieve the ServiceNow users and their activities
Manage user licenses for the Reclamation task.

For details, refer to the Base System Roles section of the ServiceNow product documentation.

Application Roster

Application Access

Reclamation

Minimum permissions required for ServiceNow OAuth2

Minimum Permissions Required for ServiceNow OAuth2

Role

Description

Integration Task Name

admin, snc_read_only

These roles are required for retrieving the ServiceNow users and their activities. For details, refer to the Base System Roles section of the ServiceNow documentation.

Application Roster

Application Access

admin

This role is required to:

Retrieve the ServiceNow users and their activities
Manage user licenses for the Reclamation task.
Register the Client Application
Generate the Client ID and Client Secret in ServiceNow.

For details, refer to the Base System Roles section of the ServiceNow documentation.

Application Roster

Application Access

Reclamation

Enabling ServiceNow and ServiceNow OAuth2 user role permissions

Follow the steps below to enable the correct ServiceNow and ServiceNow OAuth2 user role permissions for an existing SaaS Management integration with ServiceNow.

To enable the correct user role permissions for an existing SaaS Management integration with ServiceNow, determine whether License Differentiation is enabled.

1. When License Differentiation is enabled for an existing SaaS Management integration with ServiceNow added using itil and snc_read_only permissions:
a. If you want to enable only the Application Roster and Application Access tasks, you are required to elevate the user role to admin and snc_read_only.
b. If you want to enable the Application Roster, Application Access, and Reclamation tasks, you are required to elevate the user role only to admin.
2. When License Differentiation is not enabled for an existing SaaS Management integration with ServiceNow:
a. If you want to enable only the Application Roster and Application Access tasks, you are required to have the rest_api_explorer role.
b. If you want to enable the Application Roster, Application Access, and Reclamation tasks, you are required to have the user_admin role. For details, refer to the Base System Roles section of the ServiceNow product documentation.

Creating a custom role with a reading permission specific to the tables used in the integration API

If you wish to have a custom role with a reading permission specific to the tables used in the integration API, then follow the steps below to create a custom role.

Important:If you enable the Reclamation task, the user_admin role and the custom role are required.

To create a custom role with a reading permission specific to the tables used in the integration API:

1. Log in to your ServiceNow instance as a security_admin or log in as a system administrator. Elevate your role by clicking System Administrator. Navigate to Elevate Roles and enable the security_admin check box, which enables this permission to edit the Access Control List.
2. To create a custom role, navigate to the Roles tab by searching for the “roles” keyword in the All Applications menu on the left side of the screen. Click the New button and enter the desired name for the role. Click Submit to create this new role.
3. In the All Application navigator, search for the “Access Control” keyword. Click Access Control (ACL) to navigate to the Access Control tab.
4. In the Access Control tab, search for the access control keyword “sys_user_has_role”. Click on the record with the read operation type, add the custom role created under the Requires Role section, and click Update.
5. Repeat the same steps for the “sys_user_role” Access Control record, add the custom role created to the Requires Role section, and click Update.
6. In the Access Control tab, search for the access control keyword “sysevent”. There will be two records with read operation.
a. Open the record type that does not contain the default entry of “pa_data_collector“.
b. Add the custom role created under the Requires Role section.
c. Click Update.

API endpoints with license differentiation

Application Roster

https://<<instance>>.service-now.com/api/now/stats/sys_user_has_role

 

https://<<instance>>.service-now.com/api/now/table/sys_user_has_role

Application Access

https://<<instance>>.service-now.com/api/now/stats/sysevent

 

https://<<instance>>.service-now.com/api/now/table/sysevent

Reclamation

https://<<instance>>.service-now.com/api/now/v2/table/sys_user_has_role/{sys_id}

API endpoints without license differentiation

Application Roster and Application Access

https://<<instance>>.service-now.com/api/now/stats/sys_user

 

https://<<instance>>.service-now.com/api/now/table/sys_user

Reclamation

https://<<instance>>.service-now.com/api/now/v2/table/sys_user/{sys_id}