ServiceNow
Configuring the Veza Integration for ServiceNow
Overview
The Veza integration for ServiceNow now enables the discovery of Users, Groups, Access Control List (ACL) Rules, and Roles from ServiceNow SaaS deployments, for release Tokyo and newer. You can create queries that target these ServiceNow entities and attributes to:
Audit users with admin permissions in a ServiceNow instance.
Explore User>Group and User>ACL Rule relationships.
Create Rules, Queries, and Reports to understand and regulate ServiceNow user roles.
See ServiceNow Entities and Attributes for more information.
To establish an outbound connection for creating tickets, see ServiceNow Notifications.
ServiceNow setup
Before adding the integration to Veza, you will need to log in to ServiceNow to create a user for Veza. To create this API-only user (service account):
Browse to https://<your_instance>.service-now.com and log in with an account that has the user_admin role.
Click on the "System Security" module in the left navigation menu.
Pick "Users" from the dropdown menu.
Click on the New button to create a user.
Enter required details for the Veza user, including the name, username, and password.
Enable Web service access only to allow only API calls and prevent UI access.
In the Roles section, assign the admin and snc_read_only roles. The snc_read_only role enforces read-only access.
Click Save to create the user.
Make note of the user ID and password to use when configuring the Veza Integration.
For more information, see Create A User (ServiceNow).
As an alternative to granting the admin and snc_read_only roles, you can create a custom role for the integration. You will need to edit each table's ACL to grant the role read-only access, and apply the role to the ServiceNow integration user.
Required tables:
sys_user
sys_user_group
sys_user_grmember
sys_user_role
sys_user_role_contains
sys_user_has_role
sys_group_has_role
sys_security_acl
sys_security_operation
sys_security_acl_role
sys_db_object
sys_package
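A preflight check for the service account, as an added example (not Veza's or ServiceNow's own code): it reads one row from each required table through the ServiceNow Table API (`/api/now/table/<table>`) with basic authentication and reports which tables the account can read. The verdict names and the interpretation of each HTTP status are assumptions of this example.

```python
import base64
import json
import urllib.error
import urllib.request

# Tables the page lists as required for the integration.
REQUIRED_TABLES = [
    "sys_user", "sys_user_group", "sys_user_grmember", "sys_user_role",
    "sys_user_role_contains", "sys_user_has_role", "sys_group_has_role",
    "sys_security_acl", "sys_security_operation", "sys_security_acl_role",
    "sys_db_object", "sys_package",
]


def http_fetch(url, user, password):
    """GET url with HTTP basic auth; return (status, body_text)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Authorization": f"Basic {token}", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(status, body):
    """Map one Table API response to a readiness verdict (names are ours)."""
    if status != 200:
        return {401: "bad-credentials", 403: "denied"}.get(status, f"http-{status}")
    try:
        rows = json.loads(body).get("result", [])
    except (ValueError, AttributeError):
        return "not-json"  # e.g. a login page instead of API output
    # Row-level ACLs may filter records silently, so an empty table is suspect.
    return "readable" if rows else "empty"


def check_tables(instance_url, user, password, fetch=http_fetch):
    """Read one row from each required table; return {table: verdict}."""
    base = instance_url.rstrip("/")
    report = {}
    for table in REQUIRED_TABLES:
        url = f"{base}/api/now/table/{table}?sysparm_limit=1&sysparm_fields=sys_id"
        report[table] = classify(*fetch(url, user, password))
    return report
```

Run `check_tables("https://<your_instance>.service-now.com", user, password)` before adding the integration in Veza; any verdict other than `readable` points at the table whose ACL still needs the custom role.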
Veza setup
Open Veza Configuration > Integrations
Click Add New and pick ServiceNow for the integration to add
Fill out the required information:
Field | Notes |
---|---|
InstanceURL | ServiceNow instance URL, for example |
Username | Veza integration service account username |
Password | Veza integration service account password |
ServiceNow entities and attributes
The following properties are available to filter results and create fine-grained searches, queries, and workflows:
User
ServiceNow users are individual accounts that can access the platform. Each has a unique name, and can be assigned to one or more groups.
Veza Attribute | ServiceNow property |
---|---|
CreatedAt | CreatedOn |
LastLoginAt | LastLogin |
MFAActive | MFAEnabled == "true" |
IsActive | IsActive == "true" |
IsLocked | IsLockedOut == "true" |
PasswordNeedsReset | PasswordNeedsReset == "true" |
WebServiceAccessOnly | WebServiceAccessOnly == "true" |
InternalIntegrationUser | InternalIntegrationUser == "true" |
Group
Groups are collections of users based on role or function, used to grant permissions to several users at a time.
Veza Attribute | ServiceNow property |
---|---|
CreatedAt | CreatedOn |
UpdatedAt | UpdatedOn |
IsActive | IsActive == "true" |
Parent | |
Manager | |
Description | Description |
Role
A role is a collection of permissions, allowing a user or group to take a variety of actions. For example, a role might grant the ability to create, read, update, or delete certain types of records.
Veza Attribute | ServiceNow property |
---|---|
CreatedAt | CreatedOn |
UpdatedAt | UpdatedOn |
Grantable | Grantable == "true" |
ElevatedPrivilege | ElevatedPrivilege == "true" |
CanDelegate | CanDelegate == "true" |
Scope | |
Description | Description |
ACL Rule
ACL rules control access to ServiceNow resources by defining conditions that must be met before a user can perform an action. For example, an ACL rule might restrict a user's ability to view a particular field in a record.
Veza Attribute | ServiceNow property |
---|---|
CreatedAt | CreatedOn |
UpdatedAt | UpdatedOn |
IsActive | IsActive == "true" |
Description | Description |
Advanced | Advanced == "true" |
AdminOverrides | Advanced == "true" |
CreatedBy | CreatedBy |
Type | |
Package * | |
Scope | |
Operation | |
* To show ACL Rule package names instead of package ids, you must enable Allow access to this table via web services on the ServiceNow table sys_table. See Application Access Web Services for more details on this optional step.