Connecting to ServiceNow

The ServiceNow connector lets you create, synchronize, and manage ServiceNow users, groups, roles, locations, companies, user roles, and group membership within EmpowerID. This topic demonstrates how to configure and use the connector.

Prerequisites:

To connect EmpowerID to ServiceNow, you need a ServiceNow account. You also need the following from ServiceNow to create your Account Store.

  • Username - user name of the System Administrator
  • Password
  • ServiceNow Instance*

*Your ServiceNow instance is part of the URL that you use to log in. In this example URL, the instance is dev12345:

https://dev12345.service-now.com/navpage.do

These values authenticate EmpowerID to ServiceNow. You can also configure a Provisioning policy that allows you to automatically provision ServiceNow accounts for certain users. For more information, see Creating a Provisioning Policy for ServiceNow Accounts.

When you connect EmpowerID to ServiceNow and configure your ServiceNow Account Store, the first time you run inventory, EmpowerID discovers all of the users, groups, memberships, roles, locations, companies, and user accounts in ServiceNow and creates them in the EmpowerID data warehouse. Subsequent inventory runs update any changes occurring since the LastTimeStamp value tracked by the ServiceNow connector. For more information about how the values map between ServiceNow and EmpowerID, see the Overview of the ServiceNow Connector.

Connecting EmpowerID to ServiceNow involves the following steps.

To connect EmpowerID to ServiceNow

  1. Log in to the EmpowerID Management Console as an administrator.
  2. Click the EmpowerID icon, and select Configuration Manager from the menu.
  3. Click Account Stores, and then click the Add New button above the grid.
  4. In the Add New Security Boundary window that opens, select the ServiceNow Security Boundary type and click OK.
  5. In the Account Store Details window that appears, enter these settings.
    1. Account Store Name - ServiceNow
    2. User Name - Your ServiceNow System Administrator's Username
    3. Password - Your ServiceNow System Administrator's Password
    4. ServiceNow Instance - The instance issued by ServiceNow, e.g. dev12345
  6. Click Save. EmpowerID creates the ServiceNow account store and adds a record for it in the Account Stores and Resource Systems grids.

     EmpowerID uses these credentials to connect to your ServiceNow account. If they are incorrect, the connection fails and the account store is not created.

  7. Double-click the ServiceNow account store you created to edit it. This opens the Account Store Details for the ServiceNow system.

To configure the account store

The Details screen has three panes (a General pane, an Inventory pane, and a Group Membership Reconciliation pane), each with settings for configuring a different aspect of the ServiceNow account store you just created. The settings in each pane are described below.

  • General Pane

    Use this pane to configure the Account Store.

    • Account Store Name - The name you gave to the account store. To change it (or any of the settings below), click the Edit button.
    • Resource System Name - The name of the Account Store resource system.
    • Password Manager Policy - The Password Manager policy to use for ServiceNow.
    • Connection Account - The username and password for your ServiceNow account.
    • Credential Proxy - The proxy credentials to use with your ServiceNow account.
    • Resource System Type - The type of resource system from a drop-down list.
    • Maximum Accounts per Person - The maximum number of user accounts from this domain that an EmpowerID Person can have linked to them. This prevents the possibility of a runaway error caused by a wrongly configured Join rule. It is recommended that this value be set to 1 unless users will have more than 1 account and you wish them to be joined to the same person.
    • Icon - The image icon that represents this account store in the EmpowerID user interfaces.
    • Allow Password Sync - Allows or disallows EmpowerID to sync password changes discovered during inventory.
    • Queue Password Changes - Allows or disallows EmpowerID to send password changes to the Account Password Reset Inbox for batch processing.
    • Allow Person Provisioning - Allows or disallows EmpowerID Persons to be created from the user records discovered during inventory.
    • Allow RET Provisioning - Allows or disallows EmpowerID to create new Groups in ServiceNow from requests discovered during inventory.
    • Allow RET De-Provisioning - Allows or disallows EmpowerID to delete Groups in ServiceNow based on requests discovered during inventory.
    • Enable Attribute Flow - Allows or disallows attribute changes to flow between EmpowerID and the account store.
    • Recertify All Group Changes - Allows or disallows EmpowerID to generate recertification review tasks for all changes in ServiceNow Groups.
  • Inventory Pane

    This pane is used to enable or disable inventory of the Account Store as well as to set the run schedule for the EmpowerID Inventory Job.

    • Inventory Schedule - The time span between complete inventories of the Account Store. The default value is 10 minutes. To change this (and other settings), click the Edit button.
    • Enable Inventory - Allows EmpowerID to inventory the Account Store. The Inventory Job must be enabled for inventory to occur. See below for more information.
    • Inventory Provision Request Workflow - The request workflow to initiate when new groups are discovered during inventory. If you set this workflow, the Allow Automatic Person Provision and Allow Automatic Person Join flags described below are ignored.
    • Inventory Provision Request Workflow is not enabled by default and should be used only where customization of the process is required.
    • Allow Automatic Person Provision on Inventory - Allows EmpowerID to provision EmpowerID people for new accounts discovered during the inventory process if they meet the Provision Rule specified by the Custom_Account_InventoryInboxGetAccountsToProvision SQL stored procedure.
    • Allow Automatic Person Join on Inventory - This allows EmpowerID to join newly discovered accounts to people during the inventory process if they meet the Join Rule as specified by the Custom_Account_InventoryInboxJoinBulk SQL stored procedure.
    • RBAC-Assign Initial Group Membership On First Inventory - This setting pertains to Active Directory account stores only.
    • Re-Inventory - Enabling this option re-inventories all changes.
  • Group Membership Reconciliation Pane

    This pane is used to enable and set the schedule for how often to reconcile group membership for the Account Store.

    • Membership Schedule - The time span between complete inventories of the account store. The default value is 10 minutes. To change this, click the Edit button.
    • Enable This Functionality - Allows or disallows EmpowerID to reconcile group membership for the account store.

Before configuring EmpowerID to manage the account store, you should determine whether or not you want EmpowerID to provision Person objects from the user records it discovers in the account store. If so, then you should be able to answer the following questions before turning on inventory.

  1. When do you want EmpowerID to provision Person objects for those user accounts? At inventory or at a later point in time?
  2. If inventory provisioning is desired, in what Business Role and Location should those Person objects be placed?
  3. How many user accounts can one Person have in the account store?
  4. If people can have more than one user account in the account store, do you want EmpowerID to attempt to automatically join any user accounts meeting the conditions of your Join rules to an existing Person during inventory?
  5. Do you want attribute flow to occur between EmpowerID and the account store? If so, what rules do you want to apply?

For a greater discussion of these points within the context of connecting EmpowerID to an account store, see Connecting EmpowerID to Active Directory.
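
The Maximum Accounts per Person setting and questions 3 and 4 above concern what happens when a Join rule matches too broadly. The following added example is a simplified model of that safeguard, not EmpowerID's implementation or its Custom_Account_InventoryInboxJoinBulk procedure; the sample records, field names, and the `join_accounts` function are constructed for illustration.

```python
# Simplified model of a join pass with a per-person account cap.
# All records below are constructed sample data.
PEOPLE = [
    {"id": "P1", "email": "alice@example.com", "department": "IT"},
    {"id": "P2", "email": "bob@example.com", "department": "HR"},
]
ACCOUNTS = [
    {"user_name": "alice", "email": "alice@example.com", "department": "IT"},
    {"user_name": "svc_backup", "email": "", "department": "IT"},
    {"user_name": "carol.admin", "email": "carol@example.com", "department": "IT"},
    {"user_name": "bob", "email": "bob@example.com", "department": "HR"},
]

def join_accounts(accounts, people, join_key, max_accounts_per_person=1):
    """Join accounts to people by join_key, never exceeding the cap.

    Returns (joined, skipped): joined maps person id -> account names,
    skipped lists (account name, reason) pairs left for manual review.
    """
    index = {}
    for person in people:
        index.setdefault(join_key(person), []).append(person["id"])
    joined, skipped = {}, []
    for acct in accounts:
        key = join_key(acct)
        matches = index.get(key, [])
        if not key:
            skipped.append((acct["user_name"], "empty join key"))
        elif len(matches) != 1:
            skipped.append((acct["user_name"], "no unique person match"))
        elif len(joined.get(matches[0], [])) >= max_accounts_per_person:
            # The cap stops an over-broad rule from piling accounts on one person.
            skipped.append((acct["user_name"], "person at account cap"))
        else:
            joined.setdefault(matches[0], []).append(acct["user_name"])
    return joined, skipped

def by_email(record):       # intended rule: unique attribute
    return record["email"]

def by_department(record):  # misconfigured rule: shared attribute
    return record["department"]

if __name__ == "__main__":
    for rule, cap in ((by_email, 1), (by_department, 1), (by_department, 10)):
        joined, skipped = join_accounts(ACCOUNTS, PEOPLE, rule, cap)
        print(rule.__name__, "cap", cap, "->", joined, skipped)
```

With the department rule and a high cap, the service account and the admin account both attach to one person; with the cap at 1 they are held back for review instead.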

  1. In the General pane of the Account Store Details screen, toggle the red sphere to a green check box for each feature that you want to turn on. For example, toggle Allow Person Provisioning to create an EmpowerID Person for each ServiceNow user.
  2. Click the Edit button to the right of other properties to change their values.
  3. In the Inventory pane of the Account Store Details screen, if you enabled Allow Person Provisioning, toggle Allow Automatic Person Provision On Inventory to create an EmpowerID Person for each new, unique ServiceNow user discovered during inventory.
  4. You can also set a Business Role and Location for the people created from ServiceNow users. To do so, click the Edit button to the right of each line and select a value.
  5. Toggle the button to the left of Enable Inventory from a red sphere to a green check.
  6. Wait several minutes, and click Refresh Data to see the Total Accounts, People, and Groups fields populate in the Inventory pane.
  7. If you allowed provisioning, you can check for new Person objects in the Web UI. To do so, expand System Logs, select Audit Log, and navigate to the Recently Created Objects tab.
  8. If your Person objects are not provisioned, ensure that you have enabled the Account Inbox permanent workflow.