IAM(Identity Access Management) through OIM, OVD, ODSEE, Saviynt: 2020

Saturday, August 22, 2020

Saviynt and ServiceNow integration (as a ticketing system )

Applications or assets which can not be integrated with your IM systems (such as laptop allocations) can be managed through using ServiceNow as a ticketing system, and Saviynt being the central system for access request , can be used as a portal to raise ServiceNow tickets from.

for the USECASE 2 : the objective here is to execute ServiceNow ticket creation JSONS from SSM, for this a specific section is provided in the SSM called "CREATETICKETJSON".

A few points to remember :

1. You vcan use the same connection with multiple endpoints in such a scenaraio as long as the ticket content remains almost the same.

2. The connection for such disconnected systems must be selected as servicedesk connection to mark it as a disconnected endpoint.

3. If you want to raise all three items (REQUEST, RITM, TASK ) in serviceNow against each request in Saviynt, you'll have to execute multiple calls in your JSONS , though it's recommenced for ServiceNow team to create one API which can in turn internally create three items.

4. The trick is to pass on the reponse of the first call to the second call and so on so that the REQ, RITM, and the RITM and the TASK can be corelated, through "response.message.result.number".

5. You can use variables and conditions in your JSONs to make it dynamic enough to meet different use case and endpoint needs , as you don't get separate CREATETICKETJSONs for separate JML actions.

The below is an example of such :

{ "call": [ { "name": "call1", "connection": "userAuth", "url": "https://xxxxxxx.service-now.com/api/now/table/sc_request?sysparm_display_value=true&sysparm_fields=number", "httpMethod": "POST", "httpParams":"{\"sys_updated_by\":\"ssm_admin\", \"requested_for\":\"${user.firstname} ${user.lastname}\",\"state\":\"${if(task.tasktype==3){\"3\"} else {task.endpoint.customproperty10}}\", \"opened_by\":\"${task.endpoint.customproperty15}\",\"assignment_group\":\"${if(task.tasktype==3){task.endpoint.customproperty6}else {task.endpoint.customproperty7}}\",\"priority\":\"${task.endpoint.customproperty9}\",\"u_request_type\":\"${task.endpoint.customproperty8}\",\"short_description\":\"${if(task.tasktype==3){'New Joiner '+ user.firstname + ' ' + user.lastname} else {'Leaver ' + user.firstname + ' ' + user.lastname}}\", \"description\":\"${if(task.tasktype==3){'Ticket created as part of Saviynt user account provision for user '+ user.firstname + ' ' + user.lastname + '. No action is needed for this ticket'} else {'Please change the password on all accounts with access to '+ task.endpoint.displayName+ ' systems owned by leaver '+user.firstname + ' ' +user.lastname+' with mail '+ user.email+ ' ,UID '+ user.customproperty23+'. Remove all the default access for the user..'} }\", \"comments\":\" ${task.endpoint.customproperty13}\", \"work_notes\":\"${task.endpoint.customproperty14}\"}", "httpHeaders": { "Authorization": "${access_token}" }, "httpContentType": "application/json", "ticketidPath": "result.number", "successResponses": { "statusCode": [ 200, 201 ] } }, { "name": "call2", "connection": "userAuth", "url": "https://xxxxxxx.service-now.com/api/now/table/sc_req_item?sysparm_display_value=true&sysparm_fields=number", "httpMethod": "POST", "httpParams":"{\"sys_updated_by\":\"ssm_admin\", \"requested_for\":\"${user.firstname} ${user.lastname}\",\"state\":\"${if(task.tasktype==3){\"3\"} else {task.endpoint.customproperty10}}\", \"opened_by\":\"${task.endpoint.customproperty15}\",\"assignment_group\":\"${if(task.tasktype==3){task.endpoint.customproperty6}else {task.endpoint.customproperty7}}\",\"priority\":\"${task.endpoint.customproperty9}\",\"request\": \"${response.message.result.number}\",\"u_request_type\":\"${task.endpoint.customproperty8}\",\"short_description\":\"${if(task.tasktype==3){'New Joiner '+ user.firstname + ' ' + user.lastname} else {'Leaver ' + user.firstname + ' ' + user.lastname}}\",\"description\":\"${if(task.tasktype==3){'Ticket created as part of Saviynt user account provision for user '+ user.firstname + ' ' + user.lastname + '. No action is needed for this ticket'} else {'Please change the password on all accounts with access to '+ task.endpoint.displayName+ ' systems owned by leaver '+user.firstname + ' ' +user.lastname+' with mail '+ user.email+ ' ,UID '+ user.customproperty23+'. Remove all the default access for the user..'} }\", \"comments\":\" ${task.endpoint.customproperty13}\", \"work_notes\":\"${task.endpoint.customproperty14}\"}", "httpHeaders": { "Authorization": "${access_token}" }, "httpContentType": "application/json", "ticketidPath": "result.number", "successResponses": { "statusCode": [ 200, 201 ] } }, { "name": "call3", "connection": "userAuth", "url": "https://xxxxxxx.service-now.com/api/now/table/sc_task?sysparm_display_value=true&sysparm_fields=number", "httpMethod": "POST", "httpParams":"{\"sys_updated_by\":\"ssm_admin\", \"requested_for\":\"${user.firstname} ${user.lastname}\",\"state\":\"${if(task.tasktype==3){\"3\"} else {task.endpoint.customproperty10}}\", \"opened_by\":\"${task.endpoint.customproperty15}\",\"assignment_group\":\"${if(task.tasktype==3){task.endpoint.customproperty6}else {task.endpoint.customproperty7}}\",\"priority\":\"${task.endpoint.customproperty9}\",\"request_item\": \"${response.message.result.number}\",\"u_request_type\":\"${task.endpoint.customproperty8}\",\"short_description\":\"${if(task.tasktype==3){'New Joiner '+ user.firstname + ' ' + user.lastname} else {'Leaver ' + user.firstname + ' ' + user.lastname}}\", \"description\":\"${if(task.tasktype==3){'Ticket created as part of Saviynt user account provision for user '+ user.firstname + ' ' + user.lastname + '. No action is needed for this ticket'} else {'Please change the password on all accounts with access to '+ task.endpoint.displayName+ ' systems owned by leaver '+user.firstname + ' ' +user.lastname+' with mail '+ user.email+ ' ,UID '+ user.customproperty23+'. Remove all the default access for the user.'} }\", \"comments\":\" ${task.endpoint.customproperty13}\", \"work_notes\":\"${task.endpoint.customproperty14}\"}", "httpHeaders": { "Authorization": "${access_token}" }, "httpContentType": "application/json", "ticketidPath": "result.number", "successResponses": { "statusCode": [ 200, 201 ] } } ] }

As laways , thank you for reading !

Saviynt and ServiceNow integration

We can utilize Saviynt to manage our organization's ServiceNow deployment through mainly major two use cases :

CASE 1 : ServiceNow as a Managed Application for both reconciliation and provisioning/de-provisioning.

CASE 2 : ServiceNow as a Ticketing System to requests for different (disconnected )application accounts and resources (laptop etc).

Once request is approved in Saviynt, a corresponding ticket is created in ServiceNow and once that's closed, the access is marked as granted in Saviynt.

Case 1 : STEP 1 : Create a connection and respective SecuritySystem and Endpoint:

Connection JSON

{ "authentications": { "userAuth": { "authType": "Basic", "url": "https://XXX.service-now.com/", "httpMethod": "POST", "httpParams": {}, "httpHeaders": {}, "httpContentType": "text/html", "properties": { "userName": "xxxxxxxx", "password": "xxxxxxxx" }, "expiryError": "ExpiredAuthenticationToken", "authError": [ "InvalidAuthenticationToken", "AuthenticationFailed" ], "timeOutError": "Read timed out", "errorPath": "error.code", "maxRefreshTryCount": 5, "tokenResponsePath": "access_token", "tokenType": "Basic", "accessToken": "xxxxxxxxxxxxxxxx" } } }

Note : the access token is built by encoding username:password in base 64 encoder.

Step 2 : Create and Map your json for importing accounts (keep in mind to import only the attributes required for your deployment as it improves performance)

Import Account JSON

{ "accountParams":{ "connection":"userAuth", "processingType":"SequentialAndIterative", "statusAndThresholdConfig":{ "statusColumn":"status", "activeStatus":["Active","active","ACTIVE","1","TRUE","True","true"], "deleteLinks":"false", "accountThresholdValue":1000 }, "call":{ "call1":{ "callOrder":0, "stageNumber":0, "listField":"result", "keyField":"accountID", "disableDeletedAccounts":true, "http":{ "url":"https://xxx.service-now.com/api/now/table/sys_user?sysparm_query=active=true&sysparm_limit=16000&sysparm_display_value=true&sysparm_fields=name,active,sys_id,city,sys_class_name,location,cost_center,country,department,time_zone,source,locked_out,employee_number,name,user_name,irst_name,last_name,manager,u_middle_name,company,email,state,street", "httpMethod":"GET", "httpContentType":"application/json", "httpHeaders":{ "Authorization":"${access_token}" } }, *\\use this section to map reconciled attributes to Saviynt accoumt attributes "colsToPropsMap":{ "accountID": "sys_id~#~char", "name": "user_name~#~char", "displayname": "name~#~char", "status": "active~#~bool", "description":"sys_class_name~#~char", "customproperty1": "first_name~#~char", "customproperty2": "last_name~#~char", "customproperty3": "name~#~char", "customproperty4": "active~#~char", "customproperty5": "email~#~char", "customproperty6": "location~#~char", "customproperty7": "city~#~char", "customproperty8": "state~#~char", "customproperty9": "country~#~char", "customproperty10": "street~#~char", "customproperty11": "department~#~char", "customproperty12": "cost_center~#~char", "customproperty13": "company~#~char", "customproperty14": "time_zone~#~char", "customproperty15": "zip~#~char", "customproperty16": "source~#~char" }, "statusConfig":{ "active":"true", "inactive":"false" } } } } }

Step 3 : create your json for Creating an user's account in ServiceNow

Create Account JSON

  {
  "accountIdPath": "call1.message.result.sys_id",
   "responseColsToPropsMap": {
    "displayname": "response.message.result.name~#~char",
	"status": "response.message.result.active~#~char",
    "customproperty1": "response.message.result.email~#~char"
  },
  "call": [
    {
      "name": "call1",
      "connection": "userAuth",
      "url": "https://xxxxx.service-now.com/api/now/table/sys_user",
      "httpMethod": "POST",
      "httpParams": "{\"city\": \"${user.city}\",\"location\": \"${user.city}\",\"cost_center\": \"${user.costcenter}\",\"country\": \"${user.country}\",\"department\":\"${user.departmentname}\",\"source\":\"${user.customproperty16}\",\"active\": \"true\",\"locked_out\": \"false\",\"employee_number\": \"${user.employeeid}\",\"name\":\"${user.firstname} ${user.lastname}\",\"user_name\": \"${user.username}\",\"first_name\": \"${user.firstname}\",\"last_name\": \"${user.lastname}\",\"manager\":\"${userManager.username}\",\"u_middle_name\": \"${user.middlename}\",\"mobile_phone\": \"${user.phonenumber}\",\"phone\": \"${user.phonenumber}\",\"company\": \"${user.companyname}\",\"email\": \"${user.email}\",\"state\": \"${user.state}\",\"street\": \"${user.street}\",\"title\": \"${user.title}\"}",
   "httpHeaders": {
        "Authorization": "${access_token}"
 },
      "httpContentType": "application/json",
      "unsuccessResponses":
        {
          "error.message": "Operation Failed"
        }
    }
  ]
}

Update Account JSON

{ "responseColsToPropsMap": { "name": "call1.message.user_name~#~char", "displayname": "call1.message.name~#~char" }, "call": [ { "name": "call1", "connection": "userAuth", "url": "https://wiley.service-now.com/api/now/table/sys_user/${account.accountID}", "httpMethod": "PUT", "httpParams": "{\"city\": \"${user.city}\",\"location\": \"${user.city}\",\"cost_center\": \"${user.costcenter}\",\"country\": \"${user.country}\",\"department\":\"${user.departmentname}\",\"source\":\"${user.customproperty16}\",\"active\": \"true\",\"locked_out\": \"false\",\"employee_number\": \"${user.employeeid}\",\"name\":\"${user.firstname} ${user.lastname}\",\"user_name\": \"${user.username}\",\"first_name\": \"${user.firstname}\",\"last_name\": \"${user.lastname}\",\"manager\":\"${userManager.username}\",\"u_middle_name\": \"${user.middlename}\",\"company\": \"${user.companyname}\",\"email\": \"${user.email}\",\"state\": \"${user.state}\",\"street\": \"${user.street}\",\"time_zone\": \"${user.customproperty33}\",\"title\": \"${user.title}\"}", "httpHeaders": { "Authorization": "${access_token}" }, "httpContentType": "application/json" ,"successResponses": { "statusCode": [200, 201, 204] }, "unsuccessResponses": { "statusCode": [302, 400, 403, 401, 404, 409, 501, 500] } } ] }

Enable Account JSON :

{ "call": [ { "name": "call1", "connection": "userAuth", "url": "https://wiley.service-now.com/api/now/table/sys_user/${account.accountID}", "httpMethod": "PUT", "httpParams": "{\"active\": \"true\"}", \\** update to false in case of disable accounts "httpHeaders": { "Authorization": "${access_token}" }, "httpContentType": "application/json" ,"successResponses": { "statusCode": [200, 201, 204] }, "unsuccessResponses": { "statusCode": [302, 400, 403, 401, 404, 409, 501, 500] } } ] }

step 4 : Configure security system and endpoint with appropriate approval workflow and policies

step 5 : Request an account creation through Saviynt and run the WSRETRY job upon approval , check the task details section and in serviceNow if the user has been created.

.. to be continued