Policy Change Request - ServiceNow Integration

Note that this feature does not currently support SSO for Service Now clients. If using SSO, a full Service Now user account must be made available for users to be able to submit the Policy Change Request to Service Now.

ServiceNow Integration

ServiceNow and Application Control integration enables optimized and fully audited request handling. This functionality has been available from the 2022.1 release and later.

Prior to working in Application Control, a new ServiceNow instance needs to be created.

The configuration tasks - and the functionality available to end users as a result - are summarized in the following table:

Application Control - Administrator Tasks ServiceNow - Administrator Tasks Application Control - Endpoint User Functionality

Configure access to the ServiceNow server and the options available to end users when they raise a change request.

Refer to:

 

Manually configure the request offering and request form in ServiceNow. Ensure the workflow performs as expected.

Refer to:

 

Create and submit Policy Change Requests, monitor the status of requests as required.

Refer to:

 

Request Status

The status of all service requests is changed according to its processing within the ServiceNow workflow. The number of different stages used in the process - and name used to describe each status - is configured within the ServiceNow system.

Typically, when a service request is first raised, it is in the Submitted state, and only when it has been reviewed and analyzed against a set of criteria will it be Approved or Denied.

Only service requests in the Approved state are fulfilled by Application Control.

Policy Change Request Options - ServiceNow Integration

Policy Change Request options allow you to enable or disable end user access to the Policy Change request feature, and determine the request template available to them. The options determine how requests are communicated to the Ivanti Neurons for ITSM system and also what selection choices end users have when creating change requests.

Authentication accounts must be configured in ServiceNow before the Application Control integration.

  1. From the Menu ribbon select Global Settings > Policy Change Request Options, then select the ServiceNow Integration tab:

  2. Specify details needed for ServiceNow (instructions on where to find these details are below):

    • URL – which server you want to point at

    • Client ID – credentials

    • Client Secret – password

  3. Next, Login to ServiceNow as an authenticated user. The authentication in ServiceNow must be configured prior to this step so that the correct permissions are assigned when logging in through Application Control.

  4. Now, Browse for Catalog Items (lower left), and find the Application Control Catalog Item, select it and click OK.



In Step 2, above, the details needed are found in ServiceNow. The Client ID and Client Secret are created when the oAuth client is created from the System OAuth\Application Registry page.

The end user needs to login before they can connect to ServiceNow. When the user has successfully logged in, Application Control stores the username and refresh token encrypted in %programdata%. The end users's password is not stored. This means on each subsequent login, the refresh token can be used so the end user does not need to login each time.

This refresh token has a default lifespan of 100 days. That can be changed when the Application Control OAuth token is created.

Each end users' refresh token is visible in the System OAuth > Manage Tokens menu item. The admin can choose to revoke the token at any time, although the tokens do not have a username associated with them:

As there are many identity providers, there are various terms used for the same thing. Please use this guide with the understanding that the titles may be slightly different depending on provider utilized.

An account will need to be established with the identity provider. Look for an Applications section in the chosen identity provider. You are looking for the section that allows you to register Application Control and look for the option for https links.

To establish the links, you may need the following information:

  • Client ID

  • Client Secret, which can be a static code or one that dynamically generates (PKC) each time (depends on app)

  • A callback url that has to match exactly

In addition, there may be other urls requested by the SSO application that have to match exactly for OAuth and/or SAML, usually found under Advanced settings such as the following:

  • software authorization

  • device authorization

  • token (V2)

  • user info

  • configuration

  • JSON web key set

 

 

On returning to the ServiceNow tab, the Application Control Catalog Item has been added to the list and can be assigned to one or more devices:

Configure ServiceNow to be compatible with Application Control

The steps for configuring ServiceNow are listed in Creating a new Catalog Item in ServiceNow.

Once these steps are accomplished, the ServiceNow catalog will show an item for Application Control.

  1. Select the Application Control Catalog Item and Edit.

  2. Under Process Engine, select Parameters and edit as needed.


  3. Create the Application Control workflow per the ServiceNow documentation.

  4. Set up anything else that you need, then Save.

ServiceNow is configured for endpoint user requests, see Next Steps for instructions on the requests themselves.

Endpoint User Access

Standard users will need read access to the following tables in order to query the relevant Application Control information.

  • Item_option_new: This is required to query existing Application Control catalog requests. If the user does not have access, they will see a Server Error: Forbidden message when the user logs on

  • Sc_item_option and sc_item_option_mtom: This is required to query the parameters to existing Application Control requests. If the user does not have access to this table, they will not be able to view any existing requests.

  • Question_choice: This is required to show the user the options that are displayed when creating a new Policy Change Request. If the user does not have access they will see a Server Error: Forbidden message when the Create New Request dialog should appear.

An alternative solution is to create a new Role that will give users read access to only the relevant tables. To create a new role:

  1. Type role in the search menu and click ‘Roles’.

  2. Click New and type Application Control User.

  3. Save

To amend ACLs, the Elevate Role is required. Click the user icon in the top right and then ‘Elevate Role’ from the menu

  1. Type ACL in the search menu and click Access Control (ACL)

  2. Search for Item_option_new, with read operation and click the table

  3. Double Click Insert Role and add the new Role

Do the same for the other tables mentioned

The new role can either be added to users directly, or added as a sub role to an existing role (e.g user) so all users will automatically inherit the new role.

Endpoint User Approval Requests

When a request is made by an endpoint user, an instance can be set up for them and then found in the ServiceNow Open Records > Items list:

For each item, the variables have been pre-populated. The relevant authorizer will log in and approve or deny as required:

Next Steps

To finish setting up the configuration, set the Policy Change Request options for the endpoint.