# ServiceNow

Veza administrators can configure ServiceNow as a destination for Workflow events, to create tickets when rows are rejected by reviewers. Using the information from Veza, another team can follow up on a decision, and stakeholders can get additional visibility into certification progress.

#### Prerequisites and Capabilities

* You will need administrator access to your ServiceNow instance to create a service account. This account requires permission to create incidents. The integration will not make any other changes or delete tickets.
* Any table (including custom tables) can be set as the ticket destination. The target table must include `short_description` and `description` columns. For alert and access review notifications, the `comments` column is also required. Tables that extend ServiceNow's `task` table include all required columns by default.
* The ServiceNow Veza Action is maintained against the current ServiceNow version (`San Diego`). It should also work with earlier versions, provided the instance exposes the following API calls:
  * GET `/api/now/table/{table_name}/short_description=xxx`
  * POST `/api/now/table/{table_name}`
* The integration supports [Assignment Groups](https://docs.servicenow.com/bundle/quebec-employee-service-management/page/product/universal-request/task/ur-create-grp-service.html) to automatically route tickets to specific teams when configured in the Veza Action settings.

### Create a ServiceNow API user

Before adding the Veza Action in Veza, sign in to ServiceNow and create an API user (service account) that Veza will use to create tickets:

1. Navigate to `https://<your_instance>.service-now.com` and log in with an account that has the `user_admin` role.
2. In the left navigation pane, expand **User Management** and click *Users*.
3. At the top of the main pane, click *New*.
4. Ensure that `Web service access only` is checked to only allow API calls for the account, and prevent UI access.
5. Check `Internal Integration User` to mark the user as a service account.
6. Make note of the `user ID` and `password` values.
7. To allow the service account to create incidents, open the user *roles* tab, click *edit* and find the `sn_incident_write` role collection. Add it to the roles list and click *Save*.

   > **Note:** The `sn_incident_write` role grants write access specifically to the `incident` table. If your Veza Action targets a different table (such as a custom table or `change_request`), the service account needs the appropriate write permissions for that table instead. The `sn_incident_write` role is part of the ITSM Roles plugin, which may not be available by default. If you cannot find the role, contact your ServiceNow account manager to have the ITSM Roles plugin activated for your instance.
   >
   > If the connection test fails or Veza cannot create tickets after adding `sn_incident_write`, also add the `snc_platform_rest_api_access` role. This role grants access to the ServiceNow REST Table API and may be required depending on your instance configuration.

For more information, see [Create A User (Service Now)](https://docs.servicenow.com/bundle/vancouver-platform-administration/page/administer/users-and-groups/task/t_CreateAUser.html).

### Add a ServiceNow Veza Action in Veza

1. Browse to **Integrations** > *Veza Actions* > *Add Veza Action*.
2. Click *ServiceNow* and click *Next*.
3. Fill out the required fields:

| Field                  | Description                                                                                                 |
| ---------------------- | ----------------------------------------------------------------------------------------------------------- |
| Name                   | Short name to display in the Veza UI                                                                        |
| Host                   | ServiceNow host URL                                                                                         |
| Credentials Type       | Choose **Basic Auth** or **OAuth 2.0** (see below)                                                          |
| Username               | Service account username (Basic Auth only)                                                                  |
| Password               | Service account password (Basic Auth only)                                                                  |
| OAuth Client ID        | Client ID from the ServiceNow OAuth application registry (OAuth 2.0 only)                                   |
| OAuth Client Secret    | Client secret from the ServiceNow OAuth application registry (OAuth 2.0 only)                               |
| OAuth User Identifier  | Username of the ServiceNow service account the JWT is issued on behalf of (OAuth 2.0 only)                  |
| OAuth Private Key File | RSA private key file (PEM format) corresponding to the public key registered in ServiceNow (OAuth 2.0 only) |
| OAuth Key Password     | Password for the private key, if the key is encrypted (OAuth 2.0 only, optional)                            |
| Ticket Table           | ServiceNow ticket table to send notifications                                                               |
| Category               | Category to create the ticket under (optional)                                                              |
| Sub-category           | Optional ticket sub-category                                                                                |
| Urgency                | Optional urgency to assign tickets                                                                          |
| Assignment Group       | ServiceNow assignment group to route tickets to a specific team (optional)                                  |
| Configuration Item     | ServiceNow Configuration Item (CMDB CI) to associate with tickets for asset tracking (optional)             |

#### Basic Auth

Provide the **Username** and **Password** of the service account created above.

#### OAuth 2.0

ServiceNow Veza Actions support OAuth 2.0 as an alternative to Basic Auth. When configured with OAuth 2.0, Veza uses the JWT Bearer grant type: it generates a short-lived signed JWT and exchanges it for a Bearer token at `<your-instance>/oauth_token.do`. No user password is stored in Veza.

Before configuring OAuth 2.0 in Veza, set up the OAuth application registry in ServiceNow:

1. In ServiceNow, navigate to **System OAuth** > **Application Registry** and click **New**.
2. Select **Create an OAuth JWT API endpoint for external clients**.
3. Set **Name** and save. ServiceNow auto-generates the **Client ID** and **Client Secret** — record both values, as you will enter them in Veza.
4. Import the public key certificate: navigate to **System Security** > **Certificates**, click **New**, set type to **PEM Certificate**, paste the contents of the `.crt` file, and save.
5. Back in the Application Registry record, scroll to the **JWT Verifier Maps** related list, click **New**, set **Name** (any label), set **Certificate** to the record created in the previous step, and save.
6. On the Application Registry record, set **User Field** to the field that matches the value you will enter in Veza's **OAuth User Identifier** field. If you are providing the ServiceNow username, select **User name**.

Then fill out the OAuth 2.0 fields in the Veza form (see table above). The **OAuth User Identifier** is the ServiceNow username of the service account created in [Create a ServiceNow API user](#create-a-servicenow-api-user). Veza derives the token endpoint automatically from the **Host** value.

Click *Next* to test and create the Veza Action.

### Setting ServiceNow as an alert destination

Any ServiceNow Veza Action you create can be used within Access Reviews to create tickets when access is rejected by a reviewer. To add ServiceNow alerts to an existing review configuration:

1. Find the configuration on the **Access Reviews** > **Configurations** page.
2. Click on a configuration name to view details.
3. Click **Edit** to open the configuration builder.
4. Scroll down to the **Veza Actions** section.
5. Check the **Reject Row** box and choose the ServiceNow Veza Action from the dropdown menu.
6. Click **Update Configuration** to save the changes.

Administrators and operators can add ServiceNow actions for an individual access review:

1. On the **Access Reviews** > **Reviews** page, click a review name to open it.
2. Click the icon to the right of the sign-off actions to open the review details sidebar.
3. In the sidebar, click **Veza Actions**.
4. In the Veza Actions modal, check the **Reject Row** box and use the dropdown menu to pick an action.

For access reviews with a ServiceNow Veza Action enabled, users can show or hide additional columns with Veza Action status details for signed-off and rejected rows:

* *Notification Details*, which you can click to view the ticket ID
* *Notification Status*, which can be `PENDING`, `SUCCESS`, or `FAILED`

See [Access Reviews: Veza Actions](/4yItIzMvkpAvMVFAamTf/features/access-reviews/configuration/veza-actions.md) for more details.

### Advanced Configuration

#### Assignment Groups

Assignment Groups allow you to automatically route tickets created by Veza to specific teams in ServiceNow. When configured, new tickets will be assigned to the specified group, enabling automatic workflow routing and team notifications within ServiceNow.

To use Assignment Groups:

1. Identify the Assignment Group name or sys\_id in your ServiceNow instance
2. Enter the value in the **Assignment Group** field when creating or editing the Veza Action
3. Tickets created by Veza will automatically be assigned to this group

#### Configuration Items (CMDB)

Configuration Items (CIs) from the ServiceNow Configuration Management Database (CMDB) can be associated with tickets to link access-related incidents to specific assets or systems. This is useful for tracking which systems or applications are involved in access reviews or remediation.

To use Configuration Items:

1. Identify the Configuration Item name or sys\_id in your ServiceNow CMDB
2. Enter the value in the **Configuration Item** field when creating or editing the Veza Action
3. Tickets will be linked to this CI for asset tracking and impact analysis

#### Table requirements

Veza writes to the following ServiceNow columns when creating tickets via `POST /api/now/table/{table_name}`. The columns used depend on which Veza feature triggers the notification:

| Column              |                          Remediation                          |                                Alert rules                                |         Access Reviews         | Source                  |
| ------------------- | :-----------------------------------------------------------: | :-----------------------------------------------------------------------: | :----------------------------: | ----------------------- |
| `short_description` | `[Veza Action]` prefix, then severity and query name, or dashboard name (see examples below) | `[Veza Alert - <severity>]` prefix, then rule name (see examples below) | Workflow name + timestamp | Always written |
| `description`       | Human-readable summary with query details, severity, and link | Human-readable summary with rule details, severity, query info, and links |  Human-readable action message | Always written          |
| `comments`          |                           *Not set*                           |                          Full JSON alert payload                          | JSON with rejected row details | Alerts and reviews only |
| `urgency`           |                         If configured                         |                               If configured                               |          If configured         | Veza Action settings    |
| `category`          |                         If configured                         |                               If configured                               |          If configured         | Veza Action settings    |
| `subcategory`       |                         If configured                         |                               If configured                               |          If configured         | Veza Action settings    |
| `assignment_group`  |                         If configured                         |                               If configured                               |          If configured         | Veza Action settings    |
| `cmdb_ci`           |                         If configured                         |                               If configured                               |          If configured         | Veza Action settings    |

**Requirements for the target table:**

* The target table must have at minimum the `short_description` and `description` columns.
* For alert rules and access reviews, the table must also support the `comments` column.
* Any table extending ServiceNow's built-in `task` table (such as `incident`, `change_request`, or `problem`) includes all required columns.
* Custom tables that do not extend `task` must include the expected columns.
* The service account must have write permissions on the target table. See [Create a ServiceNow API user](#create-a-servicenow-api-user) for role details.

### Example notifications

The content of each ServiceNow ticket depends on which Veza feature triggered it. Below are examples of the short description and description fields for each supported message type.

#### Remediation (query)

When a user remediates a risky query, Veza creates a ticket like:

**Short Description**: `[Veza Action] Medium Severity: AWS IAM Roles with S3 update permissions`

**Description** (plain text):

```txt
The query "AWS IAM Roles with S3 update permissions" returned 12 results.

Severity: Medium
Triggered By: Jane Smith
Triggered Time: Apr 17, 2026, 2:21:00 PM UTC
Query Name: AWS IAM Roles with S3 update permissions
Query Source: AwsIamRole
Query Destination: S3Bucket
Query Link: https://your-tenant.veza.cloud/app/assessments/f300f690-91c9-4bfd-bd71-eeb399fdce82
Notes: Please review and remove unused permissions by end of sprint.

Please note that you must authenticate to the Veza platform to access the link. If you have any trouble accessing the link, please contact your Veza administrator.
```

#### Remediation (dashboard)

When a user remediates from a dashboard, the description references the dashboard instead:

**Short Description**: `[Veza Action] AWS Access Risk Dashboard`

**Description** (plain text):

```txt
The dashboard "AWS Access Risk Dashboard" triggered a remediation action.

Triggered By: Jane Smith
Triggered Time: Apr 17, 2026, 2:21:00 PM UTC
Dashboard Name: AWS Access Risk Dashboard
Dashboard Link: https://your-tenant.veza.cloud/assessments/reports/def456
Notes: Q1 review — escalate any critical findings.

Please note that you must authenticate to the Veza platform to access the link. If you have any trouble accessing the link, please contact your Veza administrator.
```

#### Alert rule

When an alert rule fires with a ServiceNow Veza Action as the delivery destination, Veza creates a ticket with a summary in the short description and description fields, and the full alert payload as JSON in the comments field:

**Short Description**: `[Veza Alert - Low] slack rule 5`

**Description** (plain text):

```txt
This alert was triggered because the query AWS IAM Roles with S3 update permissions returned 12 results, which exceeded the threshold of 2

Rule Name : slack rule 5
Severity : low
Time Triggered : Apr 17, 2026, 2:13:36 PM UTC
Query Name : AWS IAM Roles with S3 update permissions
Query Source : AWS IAM Role
Query Destination : S3 Bucket
Review Query Results : https://your-tenant.veza.cloud/app/assessments/f300f690-91c9-4bfd-bd71-eeb399fdce82

What triggered this alert? See full alert details in Veza: https://your-tenant.veza.cloud/app/alerts?rule=019d9bc9-19d3-7942-98d0-6da76182baa6&alert_id=019d9bca-3fe5-769a-bfb3-9c8cf30c6ee3
```

**Comments**: A JSON object containing the full alert details, matching the [webhook payload structure](/4yItIzMvkpAvMVFAamTf/administration/administration/notifications/destinations/webhooks.md#webhook-payloads). This JSON payload is preserved for programmatic use and ServiceNow workflow integrations.

{% hint style="info" %}
The alert JSON payload in the comments field uses the same structure as [webhook alert payloads](/4yItIzMvkpAvMVFAamTf/administration/administration/notifications/destinations/webhooks.md#alerts). To parse the alert details in ServiceNow workflows, use the JSON in the comments field. The `cluster_url` field contains a direct link to the alert in Veza.
{% endhint %}

#### Access Review (rejected row)

When a rejected row is signed off in an Access Review with a ServiceNow Veza Action enabled, Veza creates a ticket with the review and entity details. The ticket content includes the review name, decision, and entity information.

{% hint style="info" %}
Remediation notifications use a fixed plain text format. Alert notifications include a JSON payload in the comments field. Neither format is customizable.
{% endhint %}

