Add ServiceNow actions

When ServiceNow actions are turned on, end users can ask the assistant to perform the following ServiceNow actions:

  • Create ServiceNow incidents
  • Update ServiceNow incidents

For example, a user could enter "create a ServiceNow incident about a computer hardware failure" or "update ServiceNow incident INC0010001 to have high urgency" into the app. The assistant asks for additional details if necessary, and then asks the user to confirm the create or update request.

The assistant can read and update the following ServiceNow fields through actions:


Field
Description

Caller
Required. The email address of the caller on whose behalf the incident is being created, for example user@google.com.

Title
A brief title of the incident to be created.

Description
Details on the incident to be created.

Category
Category of the incident to be created.

Impact
Impact of the incident.

Urgency
Urgency of the incident.

State
State of the incident.

Assigned to
Email address of the user to assign the incident to, for example, user@google.com.

Assignment group
User group to assign the incident to.

Close code
Close code for the incident.

Close notes
Close notes for the incident.

Set up authentication and permissions for ServiceNow

Before turning on ServiceNow actions, a ServiceNow administrator must authorize and set up a ServiceNow connector for actions. This is required to connect your integration and allow read and write permission for actions.

Before setting up your connection, ensure you have the following in place:

  1. ServiceNow instance: Create a ServiceNow instance by following the instructions on the ServiceNow Developer documentation.
  2. Google Cloud project: Set up a Google Cloud project with an administrator account capable of managing organization-level configurations, ensuring the organization can set up a workforce pool.
  3. Workforce pool: Make sure your organization is set up to manage a workforce pool.

Set up ServiceNow

ServiceNow offers two primary sites:

  1. Main ServiceNow site: The site for your ServiceNow instance.
    • Manages users, groups, and system administration tasks.
    • URL: The URL for your ServiceNow instance.
    • Sign in using your administrator credentials.
  2. Developer site:
    • Configures the knowledge base, sets up workflows, and develops custom applications.
    • URL: https://developer.service-now.com.
    • Sign in using your ServiceNow ID.

To create an OAuth endpoint, do the following:

  1. Sign into the main ServiceNow instance with administrator privileges.
  2. Navigate to All > System OAuth > Application registry.
  3. Click New, then select Create an OAuth API endpoint for external clients. Retrieve the client ID and client secret.
  4. Fill in the required information:
    1. Name: Unique name.
    2. Redirect URL: https://vertexaisearch.cloud.google.com/oauth-redirect
  5. Click Submit to create the credential.
  6. After submission, click the name to view the client secret.
  7. The secret is masked. Click the lock icon next to it to unmask and view the secret.
  8. Keep a copy of the client ID and secret to use when required.
  9. Go to developer.service-now.com and click Manage instance password.
  10. Keep a copy of the username and password to use when required.
  11. At this stage, all five pieces of information needed to set up a ServiceNow data store are available. If there are no concerns with using the Admin role to pull data, proceed to creating a data store.

Set up roles and permissions

You must have a security administrator role to create and manage users. If you don't have this role, elevate your role to security_admin by clicking Elevate role under your profile. Select the security_admin role and click Update. The security_admin role is required to create roles and manage users.

  1. Create a custom role with ACL rules:
    1. Navigate to All > User administration > Roles.
    2. Click New to create a new role.
    3. Select a name and click Submit.
    4. Navigate to System security > Access Control (ACL) to create a new ACL rule.
    5. Click New to create a new ACL rule.
    6. Select a role, such as sys_user_role.
    7. Click Submit and assign the role.
    8. Repeat this process until all the table access is granted. The connector requires access to the following tables for each entity to run successfully:
      1. Incident: incident.
      2. Catalog item: sc_cat_item, sc_cat_item_user_criteria_mtom, sc_cat_item_user_criteria_no_mtom, sc_cat_item_user_mtom, sc_cat_item_user_no_mtom.
      3. Knowledge: kb_knowledge, kb_knowledge_base, kb_uc_can_read_mtom, kb_uc_can_contribute_mtom.
      4. Attachment: All listed items.
      5. Identity: sys_user_role, sys_user_has_role, sys_user_group, sys_user_grmember, sys_user.
      6. Updated as new criteria are pulled: core_company, cmn_location, cmn_department.
      7. User criteria: user_criteria.
    9. Verify all ACLs are updated by navigating to sys_security_acl_role_list.do in the search bar.
    10. Select the role to verify.
    11. Confirm that all the required ACLs are assigned to the selected role.
  2. Grant the role to a service account:
    1. Go to All > User Administration > Users and select the user.
    2. Find the user to grant the role to and select the user.
  3. If no user is available, navigate to System security > Users and groups > Users.
  4. Click New to create a new service account in the User table.
  5. Ensure to check the Web service access only checkbox.
  6. Go to the Roles table at the bottom of the page.
  7. Click Edit on the right.
  8. Grant the role created earlier and assign it to the user. Depending on the type of role created, select the appropriate one and assign it.
  9. Obtain the username and password for the user. From the same page, click Set password.
  10. Auto-generate a password and save it for later use:
    1. User ID: manager.
    2. Password: Enter the auto-generated password.

Configure the workforce pool

Follow the instructions to set up a workforce pool with one of the following configurations:

  1. Azure OIDC setup
  2. Azure SAML setup
  3. Okta & OIDC setup
  4. Okta & SAML setup

Configure a ServiceNow action

Before you begin, make sure that a Google Cloud administrator has completed the steps in Set up authentication and permissions for ServiceNow and provided you with the following:

Field Description
Client ID The client ID for your ServiceNow integration.
Client Secret The client Secret for your ServiceNow integration
Username User account of your integration.
Password Password of your integration.
Instance URL Instance URL of your ServiceNow site.
Auth URL The Authorization URI for your ServiceNow API client.
Token URL The refresh token URI for your ServiceNow API client.

Configure ServiceNow actions in the Google Cloud console

To add actions to your app using the console, do the following:

  1. In the Google Cloud console, go to the Agent Builder page.
  2. Go to the Actions page.
  3. For ServiceNow, click Connect.
  4. Enter a name for your connector.
  5. Enter authorization information for your connector
  6. Select which actions to enable.
  7. Click Finish setup. Your action is displayed on the Actions page. It takes 5 to 15 minutes for actions to begin to work in your app.

Configure ServiceNow actions using the API

To add actions to your app using the API, do the following.

  1. Create a ServiceNow connector for actions:

      curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json" \
  -H "X-GFE-SSL: yes" \
  -H "X-Goog-User-Project: PROJECT_ID" \
  "https://discoveryengine.googleapis.com/v1alpha/projects/PROJECT_ID/locations/global:setUpDataConnector" \
  -d '{
    "collectionId": "COLLECTION_ID",
    "collectionDisplayName": "COLLECTION_DISPLAY_NAME",
    "dataConnector": {
      "dataSource": "servicenow",
      "params": {
        "username": "USERNAME",
      "client_id": "CLIENT_ID",
      "client_secret": "CLIENT_SECRET",
        "password": "PASSWORD",
        "instance_url": "INSTANCE_URL}"
      },
      "refreshInterval": "86400s",
      "entities": [
        {
          "entityName": "knowledge_base"
          "params": {
            "inclusion_filters":{},
            "exclusion_filters":{}
          }
        },
        {
          "entityName": "catalog"
        },
        {
          "entityName": "knowledge"
        },
        {
          "entityName": "incident"
        },
        {
          "entityName": "attachment"
        }
      ],
      "syncMode": "PERIODIC",
      "staticIpEnabled": false
  }'

    Replace the following:

    • PROJECT_ID: the ID of your project.

    • COLLECTION_ID: an ID for the collection.

    • COLLECTION_DISPLAY_NAME: a display name for the collection.

    • USERNAME: User account of your ServiceNow integration.

    • CLIENT_ID: The client ID for your ServiceNow integration.

    • PASSWORD: Password of your ServiceNow integration.

    • INSTANCE_URL: Instance URL of your ServiceNow site.

  2. Update the connector to include action configurations.

    curl -X PATCH \
  -H "Authorization: Bearer $(gcloud auth print-access-token --project "PROJECT_NUMBER")" \
  -H "Content-Type: application/json" \
  -H "X-Goog-User-Project: PROJECT_ID" \
  "https://discoveryengine.googleapis.com/v1alpha/projects/PROJECT_ID/locations/global/collections/COLLECTION_ID/dataConnector?update_mask=action_config,bap_config,destination_configs" \
  -d '{
  "name": "projects/PROJECT_ID/locations/global/collections/COLLECTION_ID/dataConnector",
  "actionConfig": {
    "isActionConfigured": true,
    "actionParams": {
      "client_id": "CLIENT_ID",
      "client_secret": "CLIENT_SECRET",
      "auth_uri": "AUTH_URI",
      "token_uri": "TOKEN_URI",
      "pkce_support_enabled": true,
      "include_system_tables": true
    }
  },
  "bapConfig": {
    "supported_connector_modes": "ACTIONS"
  },
  "destinationConfigs": [
    {
      "key": "host_url",
      "destinations": [
        {
          "host": "INSTANCE_URL"
        }
      ]
    }
  ]
}'

    Replace the following:

    • PROJECT_ID: the ID of your project.

    • COLLECTION_ID: the ID for the collection.

    • USERNAME: User account of your ServiceNow integration.

    • CLIENT_ID: The client ID for your ServiceNow integration.

    • PASSWORD: Password of your ServiceNow integration.

    • AUTH_URI: The Authorization URI for your ServiceNow integration.

    • TOKEN_URI: The refresh token URI for your ServiceNow integration.

    • INSTANCE_URL: Instance URL of your ServiceNow site.

  3. Enable ServiceNow actions for your assistant.

    curl -X PATCH \
  -H "Authorization: Bearer $(gcloud auth print-access-token --project "PROJECT_NUMBER")" \
  -H "Content-Type: application/json" \
  -H "X-Goog-User-Project: PROJECT_NUMBER" \
  "https://discoveryengine.googleapis.com/v1alpha/projects/PROJECT_NUMBER/locations/global/collections/default_collection/engines/APP_ID/assistants/default_assistant?update_mask=enabledActions" \
  -d '{
    "name": "projects/PROJECT_NUMBER/locations/global/collections/default_collection/engines/APP_ID/assistants/default_assistant",
    "enabledActions": {
      "projects/PROJECT_NUMBER/locations/global/collections/CONNECTOR_ID/dataConnector": {
        "actionInfo": [
          {
            "actionName": "create_servicenow_incident",
            "actionDisplayName": "Create ServiceNow Incident"
          },
          {
            "actionName": "update_servicenow_incident",
            "actionDisplayName": "Update ServiceNow Incident"
          }
        ]
      }
    }
  }'

    Replace the following:

    • PROJECT_NUMBER: the number of your Google Cloud project.

    • APP_ID: the ID of the app.

    • CONNECTOR_ID: the connector's collection ID that you generated in previous step.

After you add actions, the assistant can perform those actions on behalf of your end users in the app. The first time that a user asks the assistant to perform a ServiceNow action, they are asked to authorize access to their ServiceNow account. To use the assistant, users must have Agentspace Enterprise Plus licenses.