ServiceNow | Entitle
Manage and automate access to your organization's ServiceNow instance with Entitle. With this integration, you can request access to ServiceNow resources, including global roles, applications, and groups. If you grant Entitle the admin role, Entitle also displays ACL-controlled resources in the permission graph.
Prerequisites
- ServiceNow administrator access
- Entitle administrator access
Configuration in ServiceNow
Create a user in ServiceNow
- In ServiceNow, go to All > Users and Groups > Users.
- Click New.
- Enter the following details:
| Field | Value |
|---|---|
| User ID | entitle.access.management (recommended) |
| First name | Enter a preferred value. This appears in the ServiceNow user list and audit logs. |
| Last name | Enter a preferred value. This appears in the ServiceNow user list and audit logs. |
| Identity type | Machine |
| Active | Selected |
| Internal integration user | Selected |
- Click Submit.
Assign roles to the user
You can either assign the built-in admin role or create a custom role with minimum required permissions. The admin role is simpler to set up and allows Entitle to display ACL-based permissions in the permission graph. The custom role follows least-privilege principles, granting only the permissions the integration needs to function.
Option A – Full permissions (admin role)
- Search for the user you created and select it.
- Under Roles, click Edit.
- Add the admin role, then click Save.
Option B – Least privilege (custom role)
- Download the entitle_access_management.xml.
- Open a new tab and go to All > Retrieved Update Sets.
- Select Import Update Set from XML, upload the Entitle-supplied XML file, then click Save.
- Select the file you just uploaded called entitle_access_management, then click Preview Update Set, then Commit Update Set.
- Click Update.
- Go to Roles and confirm the file is committed.
- Select the role, then click Contains Roles > Edit. Add snc_platform_rest_api_access, then click Update.
- Return to the previous tab with the user you created and select it.
- Under Roles, click Edit.
- Choose entitle_access_management, then click Update.
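After completing Option B, a ServiceNow administrator can confirm that the integration user holds only the intended roles by querying the sys_user_has_role table through the Table API. The Python below is an added example, not Entitle-supplied code. The expected role set, the instance URL, and the sample response are assumptions constructed for illustration.

```python
"""Added example: audit the roles held by the Entitle integration user."""
import json
from urllib.parse import urlencode

# Assumption: the roles expected after Option B. Extend this set if the
# imported update set contains further roles in your instance.
EXPECTED_ROLES = {"entitle_access_management", "snc_platform_rest_api_access"}


def role_query_url(instance_url, user_id):
    """Build a Table API URL listing the user's rows in sys_user_has_role."""
    params = {
        "sysparm_query": f"user.user_name={user_id}",
        "sysparm_fields": "role.name,inherited",
    }
    base = instance_url.rstrip("/")
    return f"{base}/api/now/table/sys_user_has_role?{urlencode(params)}"


def audit_roles(response_body, expected=EXPECTED_ROLES):
    """Split role rows into unexpected direct grants, unexpected inherited
    roles, and expected roles that are missing."""
    rows = json.loads(response_body).get("result", [])
    direct, inherited, held = set(), set(), set()
    for row in rows:
        name = row.get("role.name")
        if not name:
            continue
        held.add(name)
        if name not in expected:
            (inherited if row.get("inherited") == "true" else direct).add(name)
    return {
        "unexpected_direct": sorted(direct),
        "unexpected_inherited": sorted(inherited - direct),
        "missing": sorted(expected - held),
    }


# Constructed sample response (not real instance data): admin was assigned
# directly in addition to the custom role, and brings an inherited role.
SAMPLE_RESPONSE = json.dumps({"result": [
    {"role.name": "entitle_access_management", "inherited": "false"},
    {"role.name": "snc_platform_rest_api_access", "inherited": "true"},
    {"role.name": "admin", "inherited": "false"},
    {"role.name": "itil", "inherited": "true"},
]})

if __name__ == "__main__":
    # Hypothetical instance URL, used only to show the query shape.
    print(role_query_url("https://example.service-now.com", "entitle.access.management"))
    print(audit_roles(SAMPLE_RESPONSE))
```

An unexpected direct grant such as admin means the user is running with Option A permissions rather than the least-privilege role.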
Set authentication
Choose one of the following authentication methods:
Option A – Password (basic)
- On the user record, click Set Password > Generate.
- Save the password.
Option B – OAuth client credentials (recommended)
- Type sys_properties.do in the search bar.
- Create a new system property record and enter the following details:
| Field | Value |
|---|---|
| Name | glide.oauth.inbound.client.credential.grant_type.enabled |
| Type | true\|false |
| Value | true |
| Ignore cache | Selected |
- Click Submit.
- Go to Inbound Integrations > New Integration > OAuth – Client Credentials Grant.
- Enter the following details:
| Field | Value |
|---|---|
| Name | entitle-access-management |
| OAuth application user | entitle.access.management |
| Auth scope | useraccount |
- Copy the Client ID and Client Secret.
- Click Save.
Configure the integration in Entitle
- In Entitle, navigate to Integrations and click Add Integration.
- Choose ServiceNow under Application.
- Enter the integration details:
| Field | Description |
|---|---|
| Name | Enter a display name for the integration. |
| Owner | Select the Entitle user who is responsible for managing this integration. |
| Default Approval Workflow | Select the approval workflow that applies to access requests for this integration, if no other workflows apply. |
- Select integration behavior options:
| Option | Behavior |
|---|---|
| Readonly | Select to disable any automated permission granting - will show resources and permissions in the application but any permission changes will be done manually. |
| Allow changing account permissions | Select to allow Entitle to grant and revoke permissions. When deselected, Entitle can track but not modify permissions. |
| Allow creating accounts | Allows new accounts to be created when granting access, so a user can choose to not provide an account when requesting access. |
| Allow users to edit accounts | Users will be able to edit their account for this integration. |
| Requestable | Select to allow end-users to request access for resources in this integration. When deselected, this integration is not available under New request. |
| Requestable by default | When selected, new resources will allow requests by default. Otherwise, requests for new resources will not be allowed, by default. |
| Auto assign recommended resource owners | If recommendations are available during sync, override existing resource owners with the recommended users |
| Auto assign recommended resource maintainers | If recommendations are available during sync, override existing resource maintainers with the recommended users |
| Notify about external permission changes | If accounts receive roles outside of the request access flow, notifications will be sent to admins and integration owner. |
| Override allowed durations | Changes the allowed duration options for this integration. Bundles containing this integration will not be affected. |
- Select the location to save the integration connection settings under Save on.
- Under Connection, populate the JSON configuration.
- Click Check configuration to test the integration.
- Click Save.
Integration troubleshooting
Integration sync time varies based on the number of resources, roles, and entitlements in the third-party system.
- In Entitle, navigate to Integrations.
- Confirm the date/time of the Last sync on the integration card. This indicates the last time Entitle pulled all resources, roles, and entitlements from the third-party system.
- Select the integration and check the Last sync indicator next to Resources. This indicates the last time Entitle pulled the resources from the third-party system.
- Expand Audit logs to review integration activity and errors.