DocumentationAPI ReferenceRelease Notes
Documentation

ServiceNow | EPM-WM

How is the ServiceNow integration useful?

In the default configuration, when a user runs an application you are targeting with the ServiceNow rule script, they are presented with the option to raise an incident in ServiceNow or cancel the request. The ticket in ServiceNow includes:

  • Caller
  • Short Description
  • Description including the business justification, the program name, program publisher, program path, Challenge Response Code, and the business justification the end user provided.

You can then action the incident in ServiceNow and supply the end user with a Challenge Response Code. The end user can then start the application and enter the Challenge Response Code to run the application.

The Endpoint Privilege Management for Windows ServiceNow integration can be used with Endpoint Privilege Management for Windows version 5.3 and later. You can download the integration from the BeyondTrust Support Portal.

Important information

The ServiceNow integration is comprised of two files:

  • Log-ServiceNowIncident.ps1
  • ServiceNowSettings.json

Prerequisites

ServiceNow

You must have the following information available:

  • The URL of your ServiceNow instance (for example, instance-name.service-now.com).
  • A Challenge / Response message.
  • Corresponding accounts for all end users in ServiceNow (so that Endpoint Privilege Management for Windows and Mac can successfully raise the incident).

Authentication methods

The ServiceNow integration supports Basic Auth and OAuth 2.0 Client Credentials Grant.

Select an authentication method:

Option A: Basic Auth

  • A ServiceNow username and password for a user that has the ServiceNow itil role.

Option B: OAuth (Client Credentials Grant)

  • A ServiceNow user that has the ServiceNow itil role.
  • A ServiceNow OAuth Client ID and Client secret for an inbound OAuth integration, associated with the above user.
OAuth prerequisites (ServiceNow)

Inbound connections to ServiceNow via OAuth may be disabled by default.

Ensure client credentials grant is enabled:

  1. Navigate to sys_properties.list through the “All” menu.
  2. Search for glide.oauth.inbound.client.credential.grant_type.enabled.
  3. If the property exists, ensure the value is set to true.
  4. If the property does not exist, create it with:
    • Name: glide.oauth.inbound.client.credential.grant_type.enabled
    • Type: true | false
    • Value: true

Then create an inbound OAuth integration:

  1. Navigate to System OAuth > Application Registry.
  2. Create a new integration for OAuth - Client credentials grant.
  3. Set the OAuth application user to the user account created for this integration that has only the itil role.
  4. Set the Auth scope to useraccount.
    ℹ️

    ServiceNow may display a warning that the useraccount scope is not recommended for most integrations. As we're using a dedicated user with only the itil role this scope is appropriate and the OAuth application will inherit only the itil permissions from the associated user.

  5. Copy the Client ID and Client secret for use in Endpoint Privilege Management.

EPM for Windows policy

In your Endpoint Privilege Management for Windows policy, you must have:

  • a Workstyle that targets the ServiceNow rule script
  • an Application Group that contains the applications you want to target
  • a message configured for Challenge / Response

See the next sections, "In the Policy Editor" and "In the Application Rule" for instructions.

In the Policy Editor

  1. Open the Policy Editor in EPM for Windows and Mac.
  2. Create a Message and configure it for Challenge / Response. Call this message Allow Message (with Challenge). If you do not have an existing Shared Key, ensure you configure one before you continue.
  3. Create an Application Group called ServiceNow Applications and populate it with application definitions you want your end users to raise a ServiceNow ticket for.
  4. Create a Workstyle called ServiceNow and add an Application Rule.

In the Application Rule

  1. Set the Target Application Group to ServiceNow Applications.
  2. From the Run a Rule Script list, select Manage Scripts.
  3. From the Rule Scripts node, click Import Script.
  4. Navigate to the ServiceNow integration script Log-ServiceNowIncident.ps1 you downloaded previously and click Open.
  5. Click Settings, and then Import Settings. Navigate to the ServiceNowSettings.json file you downloaded previously.
  6. At the top of the ServiceNowSettings.json file, navigate to the Authentication section and change the following:
    • Replace the URL with your ServiceNow instance in the form instance-name.service-now.com, ensuring you remove the asterisks.
      Do not include https:// in the URL. The secure connection is managed by the client.
    • Configure one of the following authentication methods:
      Basic Auth
      • Replace Username and Password with your ServiceNow user credentials (for a user with the itil role), ensuring you remove the asterisks.
      • Remove the ClientId and ClientSecret fields.
        OAuth (Client Credentials Grant)
      • Replace ClientId and ClientSecret with the values from your ServiceNow OAuth application, ensuring you remove the asterisks.
      • Remove the Username and Password fields.
  7. Click Save and then Close on the Script Manager. The ServiceNowSettings.json file is now associated with your ServiceNow rule script Log-ServiceNowIncident.ps1. Any time you use the ServiceNow rule script, the same Settings file is automatically assigned to it. Any edits to the Settings file need to be made in one place, and they will be used in all instances of that rule script.
  8. Set the Default Action to Allow Execution.
  9. Set the Default End User Message to Allow Message (with Challenge).
  10. Set the Default Access Token to Add Admin Rights.
  11. Set Raise an Event to On, and click OK to finish configuring the Application Rule.
  12. Verify the Workstyle is enabled, so you can test the ServiceNow integration.

In ServiceNow

You can confirm the ServiceNow integration is working by running an application that will match on the ServiceNow Applications Application Group. When the ServiceNow script runs successfully, a dialog box like the one below is displayed. A Settings error message may be displayed.

The first time the end user sees this message they will enter their business justification, and click Submit Report.

Once they receive the Challenge Response Code, they can run the application. Then they can click Enter Response Code to enter the Challenge Response Code and run the application.

ServiceNow integration error codes

Error codeSymptom
SVN-STG-001Authentication values are not configured in the ServiceNowSettings.json file. Configure either Username + Password (Basic Auth) or ClientId + ClientSecret (OAuth).
SVN-VSN-001 SVN-VSN-002Either the Endpoint Privilege Management for Windows or the Endpoint Privilege Management Policy Editor versions are not high enough to support Power Rules.
SVN-URL-001The instance of ServiceNow in the ServiceNowSettings.json file cannot be reached.
SVN-USR-001The end user trying to create the incident in ServiceNow does not have an account in ServiceNow.
SVN-INC-001The incident was not created successfully.

Updated about 2 months ago

©2003-2026 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.