The ServiceNow connector lets you create, synchronize, and manage ServiceNow users, groups, roles, locations, companies, user roles, and group membership within EmpowerID. This topic demonstrates how to configure and use the connector.


To connect EmpowerID to ServiceNow, you need a ServiceNow account. You also need the following from ServiceNow to create your Account Store.

  • Username - user name of the System Administrator
  • Password
  • ServiceNow Instance*

*Your ServiceNow instance is part of the URL that you use to log in. In this example URL, the instance is dev12345:

https://dev12345.service-now.com/navpage.do

These values authenticate EmpowerID to ServiceNow. You can also configure a Provisioning policy that allows you to automatically provision ServiceNow accounts for certain users. For more information, see Creating a Provisioning Policy for ServiceNow Accounts.

When you connect EmpowerID to ServiceNow and configure your ServiceNow Account Store, the first time you run inventory, EmpowerID discovers all of the users, groups, memberships, roles, locations, companies, and user accounts in ServiceNow and creates them in the EmpowerID data warehouse. Subsequent inventory runs pick up any changes made since the LastTimeStamp value tracked by the ServiceNow connector. For more information about how the values map between ServiceNow and EmpowerID, see the sections below.


The ServiceNow Connector lets you manage ServiceNow Users, Groups, Roles, Locations, Companies, User Roles, and Group Membership within EmpowerID.

Supported Features

With the EmpowerID ServiceNow Connector, you can manage all of the following functions in ServiceNow.

Account Management
  • Inventory ServiceNow Users as EmpowerID Accounts
  • Create, update, and delete Users
  • Enable, disable, and change passwords of Users
Group Management
  • Inventory ServiceNow Groups as EmpowerID Groups
  • Inventory ServiceNow Group memberships as EmpowerID GroupAccounts
  • Create, update, and delete Groups
  • Add and remove members of Groups
Locations and Companies
  • Inventory ServiceNow Locations and Companies in the Locations as EmpowerID ExternalOrgZones
Roles
  • Inventory ServiceNow Roles as EmpowerID ExternalOrgRoles

Authentication

The ServiceNow connector uses basic authentication, which takes a username and password. Be sure to use an administrator account for authentication.

Account Attributes

EmpowerID inventories Users in ServiceNow as Accounts in EmpowerID. Here is the attribute mapping of ServiceNow User attributes to EmpowerID Account attributes.

| ServiceNow Attribute | ServiceNow Table | EmpowerID Attribute | Description |
|---|---|---|---|
| name | User | Name | Name of the user |
| first_name | User | FirstName | First name of the user |
| last_name | User | LastName | Last name of the user |
| middle_name | User | MiddleName | Middle name of the user |
| user_name | User | LogonName | User name of the user |
| sys_id | User | SystemIdentifier | Unique system identifier of the user |
| phone | User | Telephone | Phone number of the user |
| mobile_phone | User | MobileNumber | Mobile number of the user |
| home_phone | User | HomePhone | Home phone number of the user |
| gender | User | Gender | Gender of the user |
| email | User | Email | Email of the user |
| preferred_language | User | | |
| active | User | Active | Indicates whether the user is active |
| street | User | StreetAddress | Street of the user |
| city | User | City | City of the user |
| zip | User | ZipCode | Zip code of the user |
| state | User | State | State of the user |
| country | User | Country | Country of the user |
| title | User | JobTitle | Title of the user |
| manager | User | ManagerAccountID | Manager of the user |
| employee_number | User | EmployeeID | Employee number of the user |
| locked_out | User | LockedOut | Indicates whether the user is locked out |
| last_login | User | LastLogonTime | Last login time stamp for the user |
| password_needs_reset | User | MustChangePasswordAtNextLogon | Indicates whether the user needs to reset the password |
| name (department name) | Department | Department | Department name of the user |
| sys_id | Department | DepartmentNumber | Department ID of the user |
| name (company name) | Company | Company | Company name of the user |
| name (location name) | Location | Location | Location of the user |


Group Attributes

EmpowerID inventories Groups in ServiceNow as Groups in EmpowerID. Here is the attribute mapping of ServiceNow Group attributes to EmpowerID Group attributes.

| ServiceNow Attribute | ServiceNow Table | EmpowerID Attribute | Description |
|---|---|---|---|
| name | Group | Name | Name of the group |
| email | Group | Email | Email of the group |
| description | Group | Description | Description of the group |
| active | Group | Active | Active status of the group |
| sys_id | Group | SystemIdentifier | Unique identifier of the group |

Role Attributes

EmpowerID inventories Roles in ServiceNow as ExternalOrgRoles in EmpowerID. Here is the attribute mapping of ServiceNow Role attributes to EmpowerID ExternalOrgRoles attributes.

| ServiceNow Attribute | ServiceNow Table | EmpowerID Attribute | Description |
|---|---|---|---|
| name | Role | Name | Name of the role |
| sys_id | Role | SystemIdentifier | Unique identifier of the role |
| description | Role | Description | Description of the role |

Location/Company Attributes

EmpowerID inventories Locations in ServiceNow, along with Companies located in those locations, as ExternalOrgZones in EmpowerID. Here is the attribute mapping of ServiceNow Location attributes to EmpowerID ExternalOrgZones attributes.

| ServiceNow Attribute | ServiceNow Table | EmpowerID Attribute | Description |
|---|---|---|---|
| name (company_name) | Location (Company) | Name | Name of the location along with the name of the company in that location |
| parent | Location | ParentID | Parent of the location |
| L=sys_id;CO=sys_id | Location/Company | SystemIdentifier (format: L="location_sys_id";CO="company_sys_id") | System identifiers of the location and company respectively |

Group Membership

With the ServiceNow connector, you can have EmpowerID inventory Group memberships from the GroupAccount table. You can also add members to groups and remove members from groups in either EmpowerID or ServiceNow, and the changes will propagate to the other system on the next inventory.

User Role and Location Mapping

EmpowerID stores User Roles along with their corresponding Locations and Companies in the EmpowerID AccountExternalOrgRoleOrgZone table.

Tasks

The ServiceNow connector provides the functionality to create, update, and close ServiceNow Tasks. ServiceNow tasks can be of any type including ticket, incident, change request, and problem.

Inventory

The ServiceNow connector supports two types of inventory functionality.

  • Incremental Inventory: Keeps track of the inventory run's LastTimeStamp, and brings in only users and groups updated after that time.
  • Full Inventory: Inventories every user and group every time it runs.
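
An added example, not EmpowerID code: a minimal model of the two inventory modes over constructed user records, using a subset of the User attribute mapping from this page. It assumes the change time comes from ServiceNow's sys_updated_on field; run_inventory, to_account and the sample records are hypothetical.

```python
from datetime import datetime, timezone

# Subset of this page's User attribute mapping
# (ServiceNow attribute -> EmpowerID Account attribute).
USER_ATTRIBUTE_MAP = {
    "name": "Name",
    "user_name": "LogonName",
    "sys_id": "SystemIdentifier",
    "email": "Email",
    "active": "Active",
    "locked_out": "LockedOut",
}

TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed layout of sys_updated_on, treated as UTC


def parse_ts(value):
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)


def to_account(record):
    """Project one ServiceNow user record onto EmpowerID Account attributes."""
    account = {dst: record.get(src) for src, dst in USER_ATTRIBUTE_MAP.items()}
    for flag in ("Active", "LockedOut"):  # string booleans -> real booleans
        account[flag] = str(account[flag]).lower() == "true"
    return account


def run_inventory(records, last_timestamp=None):
    """Return (accounts, new_last_timestamp).

    last_timestamp=None models a full inventory; a datetime models an
    incremental run that keeps only records updated strictly after it.
    """
    accounts, newest = [], last_timestamp
    for record in records:
        raw = record.get("sys_updated_on")
        updated = parse_ts(raw) if raw else None
        # A record without a change time cannot be proven unchanged, so it is
        # inventoried rather than silently skipped.
        if last_timestamp and updated and updated <= last_timestamp:
            continue
        accounts.append(to_account(record))
        if updated and (newest is None or updated > newest):
            newest = updated
    # Advance the watermark to the newest record seen, not to wall-clock time,
    # so a change made while the run was in progress is not missed next time.
    return accounts, newest


SAMPLE_USERS = [  # constructed records, not real ServiceNow data
    {"sys_id": "1" * 32, "user_name": "alice", "name": "Alice Example",
     "email": "alice@example.com", "active": "true", "locked_out": "false",
     "sys_updated_on": "2024-03-01 08:00:00"},
    {"sys_id": "2" * 32, "user_name": "bob", "name": "Bob Example",
     "email": "bob@example.com", "active": "false", "locked_out": "false",
     "sys_updated_on": "2024-03-02 09:30:00"},
    {"sys_id": "3" * 32, "user_name": "carol", "name": "Carol Example",
     "email": "carol@example.com", "active": "true", "locked_out": "true",
     "sys_updated_on": "2024-03-01 12:00:00"},
]

if __name__ == "__main__":
    full, watermark = run_inventory(SAMPLE_USERS)
    print(len(full), "accounts in full inventory; LastTimeStamp =", watermark)
    delta, watermark = run_inventory(SAMPLE_USERS, parse_ts("2024-03-01 12:00:00"))
    print("incremental run picked up:", [a["LogonName"] for a in delta])
```

In this model, the account disabled after the previous run (bob) is the only record the incremental run returns, which is what lets a deactivation in ServiceNow reach EmpowerID without a full pass.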


To create an account store for ServiceNow via the web site

  1. In the Navigation Sidebar, expand Admin, then Applications and Directories, and click Account Stores and Systems.
  2. Click the Actions tab, and then click the Create Account Store action.



  3. Select ServiceNow from the list of System types and click Submit.



  4. On the ServiceNow Settings page that appears, enter settings to connect to your ServiceNow instance to allow EmpowerID to discover and connect to it.



    1. In the Name and Display Name fields, enter a name for the ServiceNow account store.
    2. User Name - Your ServiceNow System Administrator's Username
    3. Password - Your ServiceNow System Administrator's Password
    4. ServiceNow Instance - The instance issued by ServiceNow, e.g. dev12345
    5. Click Submit.

  5. The Account Store and associated Resource System are created and appear in both the web application and in the Management Console.

To edit account store settings on the web

  1. In the Navigation Sidebar, expand Admin, then Applications and Directories, and click Account Stores and Systems.
  2. On the Account Stores tab, search for the account store you just created and click the link to go to its details page.



  3. On the Account Store Details page, click the Edit button or the name of the account store.



  4. In the edit view of the page, you can edit values in any of the enabled fields. In the General section, these are:
    • Option 1 Specify an Account Proxy — Change the instance, user name, and password for the ServiceNow connection.
    • Option 2 Select a Vaulted Credential as Account Proxy — Click in this box and press Enter to see a list of shared credentials in your system to use for the proxy connection.
    • Inventoried Directory Server — Select the directory to inventory.
    • Is Remote (Cloud Gateway Connection Required) — Select if you use the EmpowerID Cloud Gateway.



  5. In the Authentication and Password Settings section, you can select any of these values:
    • Use for Authentication — Select to enable pass-through authentication.
    • Allow Search for User Name in Authentication — Select to enable simple user name search, that is, without specifying the domain\username, for pass-through authentication. (This can cause delays if you have a great many domains and a huge number of users.)
    • Allow Password Sync — Toggle to allow EmpowerID to sync password changes discovered during inventory.
    • Queue Password Changes — Toggle to have EmpowerID send password changes to the Account Password Reset Inbox for batch processing.
    • Password Manager Policy for Accounts without Person — Select a password manager policy to use for the account. If not selected, it uses the Default Password Manager Policy.



  6. In the Provisioning Settings section, you can select any of these values:
    • Allow Person Provisioning (Joiner Source) — Toggle to allow EmpowerID to create Person objects from the user records discovered during inventory.
    • Allow Attribute Flow — Toggle to allow attribute changes to flow between EmpowerID and the account store.
    • Allow Provisioning (By RET) — Toggle to allow EmpowerID to create new Groups in ServiceNow from requests discovered during inventory.
    • Allow Deprovisioning (By RET) — Toggle to allow EmpowerID to delete Groups in ServiceNow based on requests discovered during inventory.
    • Default User Creation Path — Select a location in which to create users if none is specified.
    • Default Group Creation Path — Select a location in which to create groups if none is specified.
    • EmpowerID Group Creation Path — Select a location in which to create EmpowerID groups if none is specified.
    • Max Accounts per Person — Enter the maximum number of user accounts from this domain that an EmpowerID Person can have linked to them. This prevents the possibility of a runaway error caused by a wrongly configured Join rule. We recommend setting this value to 1 unless users commonly have multiple accounts and you want them to be joined to the same person.
    • Allow Account Creation on Membership Request — Toggle to allow users without accounts to request group membership and automatically have an account created.
    • Recertify All Group Changes as Detected — Toggle to allow EmpowerID to generate recertification review tasks for all changes in ServiceNow Groups.
    • Allow Business Role and Location Re-Evaluation — Toggle if you have multiple account stores to manage and want to specify a priority for each.
    • Business Role and Location Re-Evaluation Order — Enter a number to specify the priority of the account store for determining the Business Roles and Locations to assign to a Person. Account Stores with a higher value take precedence.
    • Default Person Business Role — Set a default Business Role to assign people if none is specified.
    • Default Person Location — Set a default Location to assign people if none is specified.



  7. In the Special Use Settings section, you can select any of these values:
    • RBAC Assign Group Members On First Inventory - This setting pertains to Active Directory account stores only.
    • Automatically Join Account to a Person On Inventory (Skip Account Inbox) — Toggle to allow EmpowerID to join newly discovered accounts to people during the inventory process if they meet the Join Rule as specified by the Custom_Account_InventoryInboxJoinBulk SQL stored procedure.
    • Automatically Create a Person On Inventory (Skip Account Inbox) — Toggle to allow EmpowerID to provision EmpowerID people for new accounts discovered during the inventory process if they meet the Provision Rule specified by the Custom_Account_InventoryInboxGetAccountsToProvision SQL stored procedure.
    • Show in Tree — Toggle to show the account store in the Locations tree.
    • Queue Password Changes on Failure — Toggle to have EmpowerID send password changes to the Account Password Reset Inbox only when the change fails.
    • Use Secure LDAPS Binding — Toggle to bind accounts with encryption.



  8. In the Naming Fields section, you can set these values:
    • Application ID — If the account store is a one-to-one match with a Tracking Only application, enter the Application Resource GUID of the application. (This value is supplied automatically if you select the Create a New Account Directory option when creating a Tracking Only application.)
    • Tenant ID — Enter the Tenant ID, if supplied by the connection account. (AWS uses this.)



  9. On the Inventory tab, you can set the inventory schedule, and then select Inventory Enabled when it is set up to your satisfaction. By default, inventory runs every ten minutes.
  10. When you have finished editing, click Save.

To turn on inventory on the web

In the Management Console, you configured the settings in the Account Store Details, but on the web, these settings are found on the associated Resource System.

  1. From the Navigation Sidebar, expand Admin, then Applications and Directories, and click Account Stores and Systems.
  2. Select the Resource System tab, search for ServiceNow, and click the link under Display Name to open the details.



  3. On the Resource System Info tab for ServiceNow, there are three sections that you can optionally configure:
    • Run Job Now — Once you configure the system, this is where you can run any associated job in the moment for testing purposes. 



    • General — This is where you can edit basic information about the account store. Click ServiceNow or the Edit button to edit.



    • Configuration Parameters — Expand this accordion to view the grid of parameters associated with the account store. Click the Edit button to the left of a parameter to edit it.

      If you make changes to the configuration parameters, do NOT change the Name. This is how EmpowerID connects what you enter in the Value field to the correct part of the code, so if you change the Name, the parameter does not work.




  4. Click the Server Jobs tab, where there are a number of settings that you must configure in order to run inventory for the account store. It contains five sections:
    • Inventory Enabled — This is where, after you have everything configured to your satisfaction, you enable inventory on the system. Select the Inventory Enabled checkbox to enable it.



    • Enforcement — 



To connect EmpowerID to ServiceNow in the Management Console

  1. Log in to the EmpowerID Management Console as an administrator.
  2. Click the EmpowerID icon, and select Configuration Manager from the menu.
  3. Click Account Stores, and then click the Add New button above the grid.
  4. In the Add New Security Boundary window that opens, select the ServiceNow Security Boundary type and click OK.

  5. In the Account Store Details window that appears, enter these settings.
    1. Account Store Name - ServiceNow
    2. User Name - Your ServiceNow System Administrator's Username
    3. Password - Your ServiceNow System Administrator's Password
    4. ServiceNow Instance - The instance issued by ServiceNow, e.g. dev12345

  6. Click Save. EmpowerID creates the ServiceNow account store and adds a record for it in the Account Stores and Resource Systems grids.

    EmpowerID uses these credentials to connect to your ServiceNow account. If they are incorrect, the connection fails and the account store is not created.


  7. Double-click to edit the ServiceNow account store you created. This opens the Account Store Details for the ServiceNow system.

To configure the account store

The Details screen has three panes (a General pane, an Inventory pane, and a Group Membership Reconciliation pane), each with settings for configuring a different aspect of the ServiceNow account store you just created. Each pane is described below.


Use the General pane to configure the Account Store.

  • Account Store Name - The name you gave to the account store. To change it (or any of the settings below), click the Edit button.
  • Resource System Name - The name of the Account Store resource system.
  • Password Manager Policy - The Password Manager policy to use for ServiceNow.
  • Connection Account - The username and password for your ServiceNow account.
  • Credential Proxy - The proxy credentials to use with your ServiceNow account.
  • Resource System Type - The type of resource system from a drop-down list.
  • Maximum Accounts per Person - The maximum number of user accounts from this domain that an EmpowerID Person can have linked to them. This prevents the possibility of a runaway error caused by a wrongly configured Join rule. It is recommended that this value be set to 1 unless users will have more than 1 account and you wish them to be joined to the same person.
  • Icon - The image icon that represents this account store in the EmpowerID user interfaces.
  • Allow Password Sync - Allows or disallows EmpowerID to sync password changes discovered during inventory.
  • Queue Password Changes - Allows or disallows EmpowerID to send password changes to the Account Password Reset Inbox for batch processing.
  • Allow Person Provisioning - Allows or disallows EmpowerID Persons to be created from the user records discovered during inventory.
  • Allow RET Provisioning - Allows or disallows EmpowerID to create new Groups in ServiceNow from requests discovered during inventory.
  • Allow RET De-Provisioning - Allows or disallows EmpowerID to delete Groups in ServiceNow based on requests discovered during inventory.
  • Allow Create Account On Membership Request — Select to allow users without accounts to request group membership and automatically have an account created.
  • Enable Attribute Flow - Allows or disallows attribute changes to flow between EmpowerID and the account store.
  • Recertify All Group Changes - Allows or disallows EmpowerID to generate recertification review tasks for all changes in ServiceNow Groups.


Use the Inventory pane to enable or disable inventory of the Account Store and to set the run schedule for the EmpowerID Inventory Job.

  • Inventory Schedule - The time span between complete inventories of the Account Store. The default value is 10 minutes. To change this (and other settings), click the Edit button.
  • Enable Inventory - Allows EmpowerID to inventory the Account Store. The Inventory Job must be enabled for inventory to occur. See below for more information.
  • Inventory Provision Request Workflow - The request workflow to initiate when new groups are discovered during inventory. If you set this workflow, the Allow Automatic Person Provision and Allow Automatic Person Join flags described below are ignored.

Inventory Provision Request Workflow is not enabled by default and should be used only where customization of the process is required.


  • Allow Automatic Person Provision on Inventory - Allows EmpowerID to provision EmpowerID people for new accounts discovered during the inventory process if they meet the Provision Rule specified by the Custom_Account_InventoryInboxGetAccountsToProvision SQL stored procedure.
  • Allow Automatic Person Join on Inventory - Allows EmpowerID to join newly discovered accounts to people during the inventory process if they meet the Join Rule as specified by the Custom_Account_InventoryInboxJoinBulk SQL stored procedure.
  • RBAC-Assign Initial Group Membership On First Inventory - This setting pertains to Active Directory account stores only.
  • Re-Inventory - Enabling this option re-inventories all changes.


Use the Group Membership Reconciliation pane to enable and set the schedule for how often to reconcile group membership for the Account Store.

  • Membership Schedule - The time span between complete inventories of the account store. The default value is 10 minutes. To change this, click the Edit button.
  • Enable This Functionality - Allows or disallows EmpowerID to reconcile group membership for the account store.


Before configuring EmpowerID to manage the account store, you should determine whether you want EmpowerID to provision Person objects from the user records it discovers in the account store. If so, answer the following questions before turning on inventory.

  1. When do you want EmpowerID to provision Person objects for those user accounts? At inventory or at a later point in time?
  2. If inventory provisioning is desired, in what Business Role and Location should those Person objects be placed?
  3. How many user accounts can one Person have in the account store?
  4. If people can have more than one user account in the account store, do you want EmpowerID to attempt to automatically join any user accounts meeting the conditions of your Join rules to an existing Person during inventory?
  5. Do you want attribute flow to occur between EmpowerID and the account store? If so, what rules do you want to apply?

For a fuller discussion of these points within the context of connecting EmpowerID to an account store, see Active Directory.


  1. In the General pane of the Account Store Details screen, toggle the red sphere to a green check box for each feature that you want to turn on. For example, toggle Allow Person Provisioning to create an EmpowerID Person for each ServiceNow user.

  2. Click the Edit button to the right of other properties to change their values.
  3. In the Inventory pane of the Account Store Details screen, if you enabled Allow Person Provisioning, toggle the Allow Automatic Person Provision On Inventory to create an EmpowerID Person for each new, unique ServiceNow user discovered during inventory.

  4. You can also set a Business Role and Location for the people created from ServiceNow users. To do so, click the Edit button to the right of each line and select a value.
  5. Toggle the button to the left of Enable Inventory from a red sphere to a green check.
  6. Wait several minutes, and click Refresh Data to see the Total Accounts, People, and Groups fields populate in the Inventory pane.
  7. If you allowed provisioning, you can check for new Person objects in the Web UI. To do so, expand System Logs, select Audit Log, and navigate to the Recently Created Objects tab.

    If your Person objects are not provisioned, ensure that you have enabled the Account Inbox permanent workflow.



