ServiceNow Quickstart

Please make sure that the ServiceNow System Requirements are met.

Create a ServiceNow technical user with sufficient table access rights

The ServiceNow agent should use a technical user in ServiceNow to access the data to be crawled. While it is possible to use an administrator account for test crawls like proofs of concept, for improved security a technical user that is used exclusively by the ServiceNow Connector should be created.

Please proceed with performing the following steps.

1. Create the role

To avoid going back and forth the user’s role is created first.

  1. Go to System Security > Users and Groups > Roles.

  2. Click New.

  3. Give the new rule a speaking name (e.g., raytion_connector_role).

  4. Ensure that the Application is set to Global, and that Elevated privilege is unchecked.

  5. Optionally enter a description.

  6. Click Submit.

  7. Edit the new role.

  8. Under Contains Roles, click on Edit and add the role snc_read_only.

2. Create the technical user and assign the role

Then the technical user is created and the role from above assigned.

  1. Go to System Security > Users and Groups > Users.

  2. Click New.

  3. Give the user a speaking User ID (e.g. raytion_connector).

  4. Set a secure password.

  5. Leave all other text fields empty, if possible.

  6. Check Web service access only, if available.

  7. Ensure that

    • Active is checked, and

    • Password needs reset, Locked Out, and Internal Integration User are not checked.

  8. Click on Submit.

  9. Edit the new user and go to the Roles tab.

  10. Click on Edit and add the role from 1. Create the role.

3. Grant read access to needed tables

The technical user needs read access for all the tables and columns/fields that should be accessible by the connector. This includes tables for extracting the actual content like kb_knowledge, tables for relations, tables for ACL constructions and also tables for extracting principal information, if needed.

Table overview

Click to open basic tables

For a content synchronization please grant access to the following tables:

  1. For content:

    • sys_db_object the technical user will look up here the full table names that are needed while crawling

  2. For attachments:

    • sys_attachment for attachment metadata

    • sys_attachment_doc for attachment file data

  3. For ACL metadata construction:

    • sys_dictionary and sys_glide_object the technical user needs to check whether security constraints are explictly set upon a single cell of a row (if so, the entire record is not crawled, as the connector does not support this feature yet. A notice is logged.)

    • sys_security_acl for conditions and scripts

    • sys_security_acl_role relations between conditions, scripts and roles

    • sys_security_operation

    • sys_security_type

    • user_criteria for user criteria

    • sys_user_role relations between users and roles

    • sys_user_group relations between users and groups

    • sys_user the technical user fetches the user id and references to core_company, cmn_department and cmn_location that can be used in user criteria

    • core_company companies for reconstructing user criteria

    • cmn_department departments for reconstructing user criteria

    • cmn_location locations for reconstructing user criteria

Please note that even a content synchronization for a public search at the moment needs access for ACL construction.

And for a principal synchronization please grant access to the following tables:

  1. For principals:

    • sys_user the user name is stored as principal. The ID is used in the following relation tables to fetch more principal information

    • sys_user_group relations between users and groups

    • sys_user_grmember used for transitive group memberships

    • sys_user_has_role relations between users and roles

    • sys_user_role_contains used for transitive role memberships

Click to open additional tables for knowledge base

For a content synchronization please grant access to the following tables:

  1. For content:

    • kb_knowledge

    • kb_knowledge_base

  2. For ACL metadata construction:

    • kb_uc_can_read_mtom Fetches user criteria for allow ACLs

    • kb_uc_cannot_read_mtom Fetches user criteria for deny ACLs (if deny ACLs are applied the related record is not crawled, as the connector does not support this feature. A notice is logged.)

Click to open additional tables for service catalog

For a content synchronization please grant access to the following tables:

  1. For content:

    • sc_cat_item

  2. For ACL metadata construction:

    • sc_cat_item_user_criteria_mtom Fetches user criteria for allow ACLs

    • sc_cat_item_user_criteria_no_mtom Fetches user criteria for deny ACLs (if deny ACLs are applied the related record is not crawled, as the connector does not support this feature. A notice is logged.)

Granting access

Access is granted by creating and assigning ACLs to the role in ServiceNow. Please note that you need ACLs both for the table itself and for the table’s columns/fields to make sure the technical user has properly access. This e.g. means for the table kb_knowledge you need two ACLs, one with -- None -- and one with * in the second dropdown box (step 8).

Please go to System Security > Access Control (ACL), and for each table:

  1. Click New.

  2. Ensure that

    • Type is set to record,

    • Application is set to Global,

    • Active is checked,

    • Admin overrides and Advanced are not checked,

    • Protection policy is -- None --, and

    • the Condition is empty.

  3. Set Operation to read.

  4. Under Name, choose the name of the table in the first dropdown box and -- None -- in the second.

  5. Under Requires role, add the role from 1. Create the role.

  6. Click Submit.

  7. Click New again.

  8. Follow the steps above again, but choose the name of the table in the first dropdown box and * in the second dropdown box under Name.

  9. Click Submit.