Connect ServiceNow

This page describes how to connect ServiceNow to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection, ensure you have the following in place:

  1. ServiceNow instance: Create a ServiceNow instance by following the instructions on the ServiceNow Developer documentation.
  2. Google Cloud project: Set up a Google Cloud project with an administrator account capable of managing organization-level configurations, ensuring the organization can set up a workforce pool.

  3. Workforce pool: Make sure your organization is set up to manage a workforce pool.

Set up ServiceNow

ServiceNow offers two primary sites:

  1. Main ServiceNow site: The site for your ServiceNow instance.

    • Manages users, groups, and system administration tasks.
    • URL: The URL for your ServiceNow instance.
    • Sign in using your administrator credentials.
  2. Developer site:

    • Configures the knowledge base, sets up workflows, and develops custom applications.
    • URL: https://developer.service-now.com.
    • Sign in using your ServiceNow ID.

To create an OAuth endpoint, do the following:

  1. Sign in to the main ServiceNow instance with an administrator role.
  2. Navigate to All > System OAuth > Application registry.

  3. Click New.

  4. Click Create an OAuth API endpoint for external clients.

  5. Fill in the required fields:

    1. Name: Enter a unique name.
    2. Redirect URL: Enter the redirect URL.
  6. Click Submit to create the credential.

  7. After submission, click the name to view the Client ID.

  8. The secret is masked. Click the lock icon next to it to unmask and view the client secret.

  9. Save the Client ID and Client secret for later use.

To retrieve ServiceNow instance credentials, do the following:

  1. Go to developer.service-now.com and click Manage instance password.

  2. Keep a copy of the instance URL, username, and password to use when required.

At this stage, all five pieces of information needed to set up a ServiceNow data store are available. If there are no concerns with using the administrator role to pull data, proceed to creating a data store.

Set up roles and permissions

Elevate the administrator role to security_admin to manage users and roles.

  1. Click your profile icon and then select Elevate role.

  2. Select security_admin and then click Update. The security_admin role helps to create roles and manage users.

  1. Use administrator role: You can use an administrator role to pull data. You can either use the default administrator role configured with the instance, or create a new user with an administrator role using the following instructions.

    1. Go to All > User administration > Users.

    2. Create a new user with a name.

    3. Enable Web service access only. When you select Web service access only, you create a non-interactive user.

      Interactive users vs. non-interactive users: Interactive users can sign in to the ServiceNow UI or service portal using their username and password. They can access an instance through a URL that points to a UI page, form, or list. They can also connect using single sign-on methods such as digest authentication or security assertion markup language (SAML). Additionally, they can use their credentials to authorize SOAP connections if permitted by strict security settings, and they have unrestricted access to other API connections such as WSDL, JSON, XML, or XSD.

      Non-interactive users, in contrast, can only use their credentials to authorize API connections like JSON, SOAP, and WSDL. They cannot sign in to the ServiceNow UI and can only access the instance through API protocols.

    4. After user creation, select the user from the users list.

    5. Click Roles > Edit.

    6. Add Admin.

    7. Click Save to add a list of roles to the user.

    8. Click Set password, auto-generate, and save it.

  2. Custom role (Recommended): Using the administrator role may not suit teams or organizations that want to avoid assigning overly powerful permissions. This option provides a role with three specific permissions that grant the required access.

    1. Go to All > System security > Users and groups > Roles.

    2. Select New and enter a name.

    3. Click Submit.

    4. Find the created role in the list.

    5. Navigate to Contains roles > Edit.

    6. Add the following roles to the newly created role, and then click Save.

      • catalog_admin
      • knowledge_admin
      • incident_manager

    7. Confirm updates.

    8. The following figure shows the custom role that includes the three roles:

      Figure: Custom roles

  3. Custom role with ACL rules: This option requires category_admin and knowledge_admin roles. It provides the minimal set of permissions.

    1. Go to All > User administration > Roles.

    2. Click New.

    3. Provide a name and click Submit.

    4. Go to System security > Access control (ACL).

    5. Click New to create a new ACL rule.

    6. Repeat the following two steps until you grant access to all required tables.

      1. Use sys_user_role as an example to see how table access is granted.

      2. Click Submit and select the role.

      The connector needs access to these tables for each entity to run successfully.

Table name                          Description
incident                            Show incidents in search results.
sc_cat_item                         Show catalog items in search results.
sc_cat_item_user_criteria_mtom      Enforce ACL by accessing catalog item user criteria.
sc_cat_item_user_criteria_no_mtom   Enforce ACL by accessing catalog item user criteria.
sc_cat_item_user_mtom               Enforce ACL by accessing catalog item user criteria.
sc_cat_item_user_no_mtom            Enforce ACL by accessing catalog item user criteria.
kb_knowledge                        Show knowledge items in search results.
kb_knowledge_base                   Show knowledge base in search results.
kb_uc_can_contribute_mtom           Enforce ACL by accessing who can contribute to knowledge base.
kb_uc_can_read_mtom                 Enforce ACL by accessing knowledge user criteria.
sys_user_role                       Enforce ACL by accessing user roles.
sys_user_has_role                   Enforce ACL by accessing role information of users.
sys_user_group                      Enforce ACL by accessing user group segments.
sys_user_grmember                   Enforce ACL by accessing group membership of users.
sys_user                            Enforce ACL by accessing user table.
core_company                        Enforce ACL by accessing company attributes.
cmn_location                        Enforce ACL by accessing location attribute.
cmn_department                      Enforce ACL by accessing department attributes.
user_criteria                       Enforce ACL by accessing user criteria.

To run successfully, the catalog item entity connector also requires explicit access to all fields of the sc_cat_item table.

To grant and verify the ACL access, do the following:

  1. Grant explicit access by creating a new ACL rule and manually entering sc_cat_item.* in the Name field of the form.

  2. Verify that all the ACLs are updated.

  3. Enter sys_security_acl_role_list.do in the search bar.

  4. In Role, select the role that you want to verify.

  5. Verify that all the required ACLs are assigned to the role.

Grant role to a user

  1. Go to All > User administration > Users.

  2. Find or create a new user.

  3. If no user is available, go to System security > Users and groups > Users.

  4. Click New.

  5. Create a new service account in the user table. Make sure to click Web service access only.

  6. Scroll to Roles.

  7. Click Edit.

  8. Grant the role you created and assign it to the user. Based on the type of role you created in the previous step, select the appropriate one and assign it to the user. Click Save.

  9. View the custom role with ACL.

  10. Obtain the username and password for the user and click Set password.

  11. Auto-generate a password and keep it for later use.
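
Before you create the connector, you can confirm that the service account's role reaches every table the connector needs and nothing is silently denied. The following Python script is an added example, not part of the original page or of Google's or ServiceNow's tooling; it assumes the instance's OAuth token endpoint (/oauth_token.do) and Table API (/api/now/table/<table>), and the function names get_token, probe and audit are hypothetical.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Tables the connector needs, copied from the table on this page.
REQUIRED_TABLES = """incident sc_cat_item sc_cat_item_user_criteria_mtom
sc_cat_item_user_criteria_no_mtom sc_cat_item_user_mtom sc_cat_item_user_no_mtom
kb_knowledge kb_knowledge_base kb_uc_can_contribute_mtom kb_uc_can_read_mtom
sys_user_role sys_user_has_role sys_user_group sys_user_grmember sys_user
core_company cmn_location cmn_department user_criteria""".split()

def get_token(instance, client_id, client_secret, username, password):
    """Exchange the five saved values for a token (OAuth password grant)."""
    form = urllib.parse.urlencode({
        "grant_type": "password", "client_id": client_id,
        "client_secret": client_secret, "username": username, "password": password,
    }).encode()
    with urllib.request.urlopen(f"{instance}/oauth_token.do", data=form, timeout=30) as resp:
        return json.load(resp)["access_token"]

def probe(instance, token, table):
    """Read one row through the Table API; return (HTTP status, rows returned)."""
    req = urllib.request.Request(
        f"{instance}/api/now/table/{table}?sysparm_limit=1&sysparm_fields=sys_id",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, len(json.load(resp).get("result", []))
    except urllib.error.HTTPError as err:
        return err.code, 0

def audit(probe_table, tables=REQUIRED_TABLES):
    """Classify each table as ok, empty (200 but no rows: an empty table or rows
    filtered by ACL, so check by hand) or denied (any non-200 status)."""
    report = {"ok": [], "empty": [], "denied": []}
    for table in tables:
        status, rows = probe_table(table)
        key = "denied" if status != 200 else ("ok" if rows else "empty")
        report[key].append(table)
    return report

if __name__ == "__main__":
    # Constructed responses standing in for a live instance, so this runs offline.
    fake = {"incident": (200, 1), "sys_user": (403, 0), "user_criteria": (200, 0)}
    print(audit(lambda t: fake.get(t, (200, 1))))
    # Live use (instance URL and credentials are placeholders):
    # tok = get_token("https://<instance>.service-now.com", "<id>", "<secret>", "<user>", "<pw>")
    # print(audit(lambda t: probe("https://<instance>.service-now.com", tok, t)))
```

The script does not check the field-level sc_cat_item.* rule; verify that one in the ACL list as described above.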

Create a ServiceNow connector

Console

To use the Google Cloud console to sync data from ServiceNow to Agentspace Enterprise, follow these steps:

  1. In the Google Cloud console, go to the Agentspace page.

  2. In the navigation menu, click Data stores.

  3. Click Create data store.

  4. On the Select a data source page, scroll or search for ServiceNow to connect your third-party source.

  5. Enter your ServiceNow authentication information.

    • Instance URI
    • Client ID
    • Client secret
    • User account
    • Password

  6. Fill in a unique name for your data store and click Create.

  7. Select which entities to sync and click Continue.

  8. Select a region for your data connector.

  9. Select a synchronization frequency: daily, every 3 days, or every 5 days.

  10. Click Create. Agentspace Enterprise creates your data store and displays your data stores on the Data stores page.

  11. To check the status of your ingestion, go to the Data stores page and click your data connector name to see details about it on its Data page. The Connector state changes from Creating to Running when it starts synchronizing data. When ingestion is complete, the state changes to Active to indicate that the connection to your data source is set up and awaiting the next scheduled synchronization.

    Depending on the size of your data, ingestion can take several minutes or several hours.

Configure the workforce pool

The workforce pool lets you manage and authenticate users from external identity providers, such as Azure or Okta, within the Google Cloud console. To configure your workforce pool and enable the web app for seamless user access, do the following:

  1. Create a workforce pool at the organization level in Google Cloud by following the appropriate setup manual:

    1. Azure OIDC setup
    2. Azure SAML setup
    3. Okta & OIDC setup
    4. Okta & SAML setup
  2. Configure the workforce pool in Agentspace > Settings for the region where you create your app.

Next steps