Connect ServiceNow

This page describes how to connect ServiceNow to Agentspace Enterprise.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Before you begin

Before setting up your connection, ensure you have the following in place:

  1. ServiceNow instance: Create a ServiceNow instance by following the instructions in the ServiceNow Developer documentation.
  2. Google Cloud project: Set up a Google Cloud project with an administrator account capable of managing organization-level configurations, ensuring the organization can set up a workforce pool.

  3. Workforce pool: Make sure your organization is set up to manage a workforce pool.

Set up ServiceNow

ServiceNow offers two primary sites:

  1. Main ServiceNow site: The site for your ServiceNow instance.

    • Manages users, groups, and system administration tasks.
    • URL: The URL for your ServiceNow instance.
    • Sign in using your administrator credentials.
  2. Developer site:

    • Configures the knowledge base, sets up workflows, and develops custom applications.
    • URL: https://developer.service-now.com.
    • Sign in using your ServiceNow ID.

To create an OAuth endpoint, do the following:

  1. Sign in to the main ServiceNow instance with an administrator role.
  2. Navigate to All > System OAuth > Application registry.

  3. Click New.

  4. Click Create an OAuth API endpoint for external clients.

  5. Fill in the required fields:

    1. Name: Enter a unique name.
    2. Redirect URL: Enter the redirect URL: https://vertexaisearch.cloud.google.com/console/oauth/servicenow_oauth.html
  6. Click Submit to create the credential.

  7. After submission, click the name to view the Client ID.

  8. The secret is masked. Click the lock icon next to it to unmask and view the client secret.

  9. Save the Client ID and Client secret for later use.

To retrieve ServiceNow instance credentials, do the following:

  1. Go to developer.service-now.com and click Manage instance password.

  2. Keep a copy of the instance URL, username, and password to use when required.

At this stage, all five pieces of information needed to set up a ServiceNow data store are available: the instance URL, client ID, client secret, username, and password. If there are no concerns with using the administrator role to pull data, proceed to creating a data store.

Set up administrator roles and permissions

Elevate the administrator role to security_admin to manage users and roles.

  1. Click your profile icon and then select Elevate role.

  2. Select security_admin and then click Update. The security_admin role helps to create roles and manage users.

Set up user roles and permissions

Choose one of the following options to give users the roles and permissions that they need to set up a data store in Google Cloud. Each option provides the required access to your instance.

Create a custom role with ACL rules (Recommended)

Create a custom role with the minimum set of permissions.

  1. Go to All > User administration > Roles.

  2. Click New.

  3. Provide a name and click Submit.

  4. Go to System security > Access control (ACL).

  5. Click New to create a new ACL rule.

  6. Repeat the following two steps until you grant access to all required tables.

    1. Use sys_user_role as an example to see how table access is granted.

    2. Click Submit and select the role.

Required tables

The connector needs access to these tables for each entity to run.

Table name                          Description
incident                            Show incidents in search results.
sc_cat_item                         Show catalog items in search results.
sc_cat_item_user_criteria_mtom      Show users who can access catalog items based on user criteria.
sc_cat_item_user_criteria_no_mtom   Show users who can't access catalog items based on user criteria.
sc_cat_item_user_mtom               Show which users can access catalog items.
sc_cat_item_user_no_mtom            Show users who can't access catalog items.
kb_knowledge                        The list of knowledge articles that can be shown in search results.
kb_knowledge_base                   The list of knowledge bases that can be shown in search results.
kb_uc_can_contribute_mtom           Show who can contribute to knowledge bases based on user criteria.
kb_uc_can_read_mtom                 Show who can read knowledge bases based on user criteria.
kb_uc_cannot_read_mtom              Show who can't read knowledge bases based on user criteria.
sys_user_role                       List of roles that can be assigned to users.
sys_user_has_role                   List of roles mapped to the users.
sys_user_group                      List of user group segments.
sys_user_grmember                   List of group members for groups.
sys_user                            List of all users.
core_company                        List of all company attributes.
cmn_location                        List of all location attributes.
cmn_department                      List of all department attributes.
user_criteria                       List of user criteria records.
sp_portal                           Link portal URI in search results.
m2m_sp_portal_knowledge_base        Link portal URI for knowledge articles in search results.
m2m_sp_portal_catalog               Link portal URI for catalog items in search results.

Grant and verify ACL access

The connector requires ACL access to the catalog item fields of the sc_cat_item table.

To grant and verify access, do the following:

  1. Grant explicit access by creating a new ACL rule and manually entering sc_cat_item.* in the Name field of the form.

  2. Verify that the ACLs are updated.

  3. Enter sys_security_acl_role_list.do in the search bar.

  4. Set Role to the role that you want to verify.

  5. Verify that the required ACLs are assigned to the role.

Use a custom role with entity administrators

Using the administrator role may not suit teams or organizations that want to avoid assigning overly powerful permissions. This option provides a role with three specific permissions that grant the required access.

  1. Go to All > System security > Users and groups > Roles.

  2. Select New, and then enter a name.

  3. Click Submit.

  4. Find the created role in the list.

  5. Navigate to Contains roles > Edit.

  6. Add the following roles to the newly created role, and then click Save.

    • catalog_admin
    • knowledge_admin
    • incident_manager

  7. Confirm updates.

  8. The following figure shows the custom role that includes three roles:

    [Figure: Custom roles]

Use an administrator role

You can use an administrator role to pull data. Use the default administrator role configured with the instance, or create a new user with an administrator role by doing the following:

  1. Go to All > User administration > Users.

  2. Create a new user with a name.

  3. Enable Web service access only. When you select Web service access only, you create a non-interactive user.

    Interactive users vs. non-interactive users: Interactive users can sign in to the ServiceNow UI or service portal using their username and password. They can access an instance through a URL that points to a UI page, form, or list. They can also connect using single sign-on methods such as digest authentication or Security Assertion Markup Language (SAML). Additionally, they can use their credentials to authorize SOAP connections if permitted by strict security settings, and they have unrestricted access to other API connections such as WSDL, JSON, XML, or XSD.

    Non-interactive users, by contrast, can only use their credentials to authorize API connections like JSON, SOAP, and WSDL. They can't sign in to the ServiceNow UI and can only access the instance through API protocols.

  4. After user creation, select the user from the users list.

  5. Click Roles > Edit.

  6. Add Admin.

  7. Click Save to add a list of roles to the user.

  8. Click Set password, auto-generate a password, and save it.

Grant role to a user

  1. Go to All > User administration > Users.

  2. Find or create a new user.

  3. If no user is available, go to System security > Users and groups > Users.

  4. Click New.

  5. Create a new service account in the user table. Make sure to click Web service access only.

  6. Scroll to Roles.

  7. Click Edit.

  8. Grant the role you created and assign it to the user. Based on the type of role you created in the previous step, select the appropriate one and assign it to the user. Click Save.

  9. View the custom role with ACL.

  10. Obtain the username and password for the user and click Set password.

  11. Auto-generate a password and keep it for later use.
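
Once the role is assigned to the service account, the required-table list and the ACL verification above can also be checked from outside the UI. The following is an added example, not part of the original page or of Google's or ServiceNow's tooling: it reads one row from each required table through the ServiceNow Table API as the service account, and reports required tables the role cannot read as well as out-of-scope tables it can read. The function names, the constructed probe, and the choice of sys_properties as an out-of-scope table are assumptions for illustration.

```python
import base64
import urllib.error
import urllib.request

# Tables the page lists as required for the connector.
REQUIRED_TABLES = """
incident sc_cat_item sc_cat_item_user_criteria_mtom
sc_cat_item_user_criteria_no_mtom sc_cat_item_user_mtom
sc_cat_item_user_no_mtom kb_knowledge kb_knowledge_base
kb_uc_can_contribute_mtom kb_uc_can_read_mtom kb_uc_cannot_read_mtom
sys_user_role sys_user_has_role sys_user_group sys_user_grmember sys_user
core_company cmn_location cmn_department user_criteria sp_portal
m2m_sp_portal_knowledge_base m2m_sp_portal_catalog
""".split()


def table_api_probe(instance_url, user, password):
    """Build probe(table) -> HTTP status, reading one row via the Table API."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    base = instance_url.rstrip("/")

    def probe(table):
        url = f"{base}/api/now/table/{table}?sysparm_limit=1&sysparm_fields=sys_id"
        req = urllib.request.Request(url, headers={
            "Authorization": f"Basic {token}", "Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code  # 401, 403, ... are results here, not crashes
    return probe


def audit_role(probe, should_be_denied=()):
    """Return (missing, excess): required tables the account cannot read,
    and tables outside the connector's needs that it can read anyway."""
    missing = {t: s for t in REQUIRED_TABLES if (s := probe(t)) != 200}
    excess = [t for t in should_be_denied if probe(t) == 200]
    return missing, excess


def constructed_probe(table):
    """Constructed stand-in for a live instance: the custom role is missing
    one required ACL and no table outside the list is readable."""
    if table == "sc_cat_item_user_no_mtom":
        return 403
    return 200 if table in REQUIRED_TABLES else 403


if __name__ == "__main__":
    # Live use: audit_role(table_api_probe(url, user, password), ["sys_properties"])
    print(audit_role(constructed_probe, should_be_denied=["sys_properties"]))
```

A 200 shows that the table-level read check passes; it does not by itself show that field-level ACLs such as sc_cat_item.* pass, so the role check in sys_security_acl_role_list.do still applies. A non-empty excess list means the account holds more than the custom role was meant to grant.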

Create a ServiceNow connector

Console

To use the Google Cloud console to sync data from ServiceNow to Agentspace Enterprise, follow these steps:

  1. In the Google Cloud console, go to the Agentspace page.

  2. In the navigation menu, click Data stores.

  3. Click Create data store.

  4. On the Select a data source page, scroll or search for ServiceNow to connect your third-party source.

  5. Enter your ServiceNow authentication information.

    • Instance URI
    • Client ID
    • Client secret
    • User account
    • Password

  6. Fill in a unique name for your data store and click Create.

  7. Select which entities to sync and click Continue.

  8. Select the Sync frequency for Full sync and the Incremental sync frequency for Incremental data sync. For more information, see Sync frequency.

    If you want to schedule separate full syncs of entity and identity data, expand the menu under Full sync and then select Custom options.

    [Figure: Custom options for full data sync, setting separate schedules for full entity sync and full identity sync.]

  9. Select a region for your data connector.

  10. Click Create. Agentspace Enterprise creates your data store and displays your data stores on the Data stores page.

  11. To check the status of your ingestion, go to the Data stores page and click your data connector name to see details about it on its Data page. The Connector state changes from Creating to Running when it starts synchronizing data. When ingestion is complete, the state changes to Active to indicate that the connection to your data source is set up and awaiting the next scheduled synchronization.

    Depending on the size of your data, ingestion can take several minutes or several hours.

Configure the workforce pool

The workforce pool lets you manage and authenticate users from external identity providers, such as Azure or Okta, within the Google Cloud console. To configure your workforce pool and enable the web app for seamless user access, do the following:

  1. Create a workforce pool at the organization level in Google Cloud by following the appropriate setup manual:

    1. Azure OIDC setup
    2. Azure SAML setup
    3. Okta & OIDC setup
    4. Okta & SAML setup
  2. Configure the workforce pool in Agentspace > Settings for the region where you create your app.

Next steps