ServiceNow | Entitle

Manage and automate access to your organization's ServiceNow instance with Entitle. With this integration, you can request access to ServiceNow resources, including global roles, applications, and groups. If you grant Entitle the admin role, Entitle also displays ACL-controlled resources in the permission graph.

Prerequisites

  • ServiceNow administrator access
  • Entitle administrator access

Configuration in ServiceNow

Create a user in ServiceNow

  1. In ServiceNow, go to All > Users and Groups > Users.
  2. Click New.
  3. Enter the following details:
FieldValue
User IDentitle.access.management (recommended)
First nameEnter a preferred value. This appears in the ServiceNow user list and audit logs.
Last nameEnter a preferred value. This appears in the ServiceNow user list and audit logs.
Identity typeMachine
ActiveSelected
Internal integration userSelected
  1. Click Submit.

Assign roles to the user

You can either assign the built-in admin role or create a custom role with minimum required permissions. The admin role is simpler to set up and allows Entitle to display ACL-based permissions in the permission graph. The custom role follows least-privilege principles, granting only the permissions the integration needs to function.

Option A – Full permissions (admin role)

  1. Search for the user you created and select it.
  2. Under Roles, click Edit.
  3. Add the admin role, then click Save.

Option B – Least privilege (custom role)

  1. Download the entitle_access_management.xml.
  2. Open a new tab and go to All > Retrieved Update Sets.
  3. Select Import Update Set from XML, upload the Entitle-supplied XML file, then click Save.
  4. Select the file you just uploaded called entitle_access_management, then click Preview Update Set, then Commit Update Set.
  5. Click Update.
  6. Go to Roles and confirm the file is committed.
  7. Select the role, then click Contains Roles > Edit. Add snc_platform_rest_api_access , then click Update.
  8. Return to the previous tab with the user you created and select it.
  9. Under Roles, click Edit.
  10. Choose entitle_access_management, then click Update.

Set authentication

Choose one of the following authentication methods:

Option A – Password (basic)

  1. On the user record, click Set Password > Generate.
  2. Save the password.

Option B – OAuth client credentials (recommended)

  1. Type sys_properties.do in the search bar.
  2. Create a new system property record and enter the following details:
FieldValue
Nameglide.oauth.inbound.client.credential.grant_type.enabled
Typetrue|false
Valuetrue
Ignore cacheSelected
  1. Click Submit.
  2. Go to Inbound Integrations > New Integration > OAuth – Client Credentials Grant.
  3. Enter the following details:
FieldValue
Nameentitle-access-management
OAuth application userentitle.access.management
Auth scopeuseraccount
  1. Copy the Client ID and Client Secret.
  2. Click Save.

Configure the integration in Entitle

  1. In Entitle, navigate to Integrations and click Add Integration.

  2. Choose ServiceNow under Application.

  3. Enter the integration details:

    FieldDescription
    NameEnter a display name for the integration.
    OwnerSelect the Entitle user who is responsible for managing this integration.
    Default Approval WorkflowSelect the approval workflow that applies to access requests for this integration, if no other workflows apply.

  4. Select integration behavior options:

    OptionBehavior
    ReadonlySelect to disable any automated permission granting - will show resources and permissions in the application but any permission changes will be done manually.
    Allow changing account permissionsSelect to allow Entitle to grant and revoke permissions. When deselected, Entitle can track but not modify permissions.
    Allow creating accountsAllows new accounts to be created when granting access, so a user can choose to not provide an account when requesting access.
    Allow users to edit accountsUsers will be able to edit their account for this integration.
    RequestableSelect to allow end-users to request access for resources in this integration. When deselected, this integration is not available under New request.
    Requestable by defaultWhen selected, new resources will allow requests by default. Otherwise, requests for new resources will not be allowed, by default.
    Auto assign recommended resource ownersIf recommendations are available during sync, override existing resource owners with the recommended users
    Auto assign recommended resource maintainersIf recommendations are available during sync, override existing resource maintainers with the recommended users
    Notify about external permission changesIf accounts receive roles outside of the request access flow, notifications will be sent to admins and integration owner.
    Override allowed durationsChanges the allowed duration options for this integration. Bundles containing this integration will not be affected.

  5. Select the location to save the integration connection settings under Save on.

  6. Under Connection, populate the JSON configuration.

  7. Click Check configuration to test the integration.

  8. Click Save.

Integration troubleshooting

ℹ️

Integration sync time varies based on the number of resources, roles, and entitlements in the third-party system.

  1. In Entitle, navigate to Integrations.
  2. Confirm the date/time of the Last sync on the integration card. This indicates the last time Entitle pulled all resources, roles, and entitlements from the third-party system.
  3. Select the integration and check the Last sync indicator next to Resources. This indicates the last time Entitle pulled the resources from the third-party system.
  4. Expand Audit logs to review integration activity and errors.

©2003-2026 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.