Introduction

The ServiceNow connector for Glean allows Glean to fetch and index content from Knowledge Articles, Service Catalog items, ITSM incidents, APM Business Applications and SPM demands, Epics and Projects ensuring that users can search for and access documents for which they have authorized permissions.

  • Authentication: is done by creating a dedicated user account with specified permissions and profiles
  • API Usage: Glean will use the Table API and then Scripted REST API for advanced user criteria
  • Permissions Enforcement: Glean respects all user access permissions, ensuring users only see search results for documents they have access to. When a user clicks on a search result, they are taken to the ServiceNow web application, which enforces the permission
  • Data Storage: All data is stored in the customer’s project within the customer’s cloud account, ensuring no data leaves the customer’s environment

Content Captured:

For ServiceNow, Glean will capture the following content:

  • Knowledge Articles
  • Service Catalog

With additional permissions and configuration, Glean will capture the following content:

  • ITSM
  • APM
  • SPM

ServiceNow Permissions

  • Admin access to setup the connector
  • Admin access for the Service Account is preferred (Custom role can be defined)

Disclaimer: Please be advised that Glean does not recommend utilizing a ServiceNow account associated with an employee. If the employee departs from the company or if the account becomes disabled, it will adversely affect access to data sources.

Versions Supported

There are no specific version limitations of the ServiceNow connector.

Objects Supported

Knowledge articles:

  • knowledge base
  • short description
  • workflow state
  • created by
  • description
  • knowledge base category
  • view count
  • custom fields (for knowledge articles created from custom templates)

Catalog items:

  • title
  • created by
  • short description
  • description
  • catalog category
  • sc_catalogs

ITSM:

  • number
  • short description
  • description
  • comments and work notes
  • state
  • priority
  • impact
  • urgency
  • category
  • assigned to
  • opened by

Authentication Mechanism

Connector credentials requirements

The Service connector for Glean requires specific permissions to function correctly.

  • Glean requires authentication by utilizing a dedicated Service Account and OAuth Application
  • Glean understands all user access permissions and strictly enforces them at the time of the query, ensuring that users cannot see results to which they do not have access.
  • It’s important to note that all data is stored in the customer’s project in the customer’s cloud account, and no data leaves the customer’s environment.
  • Glean only requires READ-level permissions.
RoleUse Case
knowledge_adminRequired to fetch Knowledge Articles. This role allows us to view all Knowledge Articles and Knowledge Bases in the global instance.
user_criteria_adminRequired to fetch user criteria.
user_adminRequired to fetch ServiceNow users
catalog_adminRequired to fetch Catalog items
web_service_adminRequired in advanced setup so that we can access the scripted API
snc_read_onlyEffectively restricts the service account user to readonly
snc_internalRequired to allow access to internal resources
itilRequired to fetch ITSM Incidents
sn_apm.apm_userRequired to fetch APM Business Applications
it_project_userRequired for SPM Projects
it_demand_userRequired for SPM Demands
scrum_userRequired for SPM Epics
safe_scrum_userRequired for SPM Epics

Creating a Service Account in ServiceNow

Create a service account that Glean will use for fetching information from ServiceNow:

  1. Navigate to Organization > Users and click New.

    • Set User ID to gleansearch
    • Check Web service access only.
    • Set the Time zone to GMT. This is required for Glean to pick up new content updates.
    • Leave the remaining fields as-is. Click Submit.

  2. Click on the gleansearch user that was created.

    • Click Set Password and choose a strong password (save for connector setup).

Provide access to sys_audit_delete table

Access to the sys_audit_delete table will result in faster updates to document permissions when identity data changes.

  1. Create a new role: read_access_sys_audit_delete:

    1. Navigate to User AdministrationRoles.
    2. Click on New and enter the name as
    3. read_access_sys_audit_delete
    4. Click Save.

  2. Add an ACL rule that gives this role read access to the sys_audit_delete table:

    1. Elevate role to security_admin to be able to create a new ACL.
    2. Navigate to System Security → Access Control (ACL).
    3. Click on New and enter the following details.
      • Type: record
      • Operation: read
      • Name: Select the sys_audit_delete table
      • Add the new read_access_sys_audit_delete role under Requires role
    4. Click Submit.

  3. Assign the new role read_access_sys_audit_delete to gleansearch user.

Configure an OAuth Application

OAuth will provide access tokens to Glean acting as the previously configured user.

  1. Navigate to System OAuthApplication Registry and click New.
  2. Click Create an OAuth API endpoint for external clients.
  3. Set Name to Glean Search OAuth.
  4. Set Refresh Token Lifespan to 2,147,483,647.
  5. Set Access Token Lifespan to 86,400.
  6. Leave the remaining fields as defaults and Click Submit.

Validate System Properties:

  1. Navigate to the System Properties List (All → Enter sys_properties.list).
  2. Identify and note the system property glide.knowman.apply_article_read_criteria and its value.
  3. Identify and note the system property glide.knowman.block_access_with_no_user_criteria and its value.
  4. Identify if there are any Knowledge Article templates enabled and want to index template-based articles.
    • Navigate to All → System Applications → All Available Applications → All
    • Search for the plugin Knowledge Management Advanced (com.snc.knowledge_advanced) and check if it is enabled.

To learn more about knowledge article templates here.

Creating a Custom Role in ServiceNow

In cases where admin privileges are unavailable as a ServiceNow user, Glean will be able to recreate the same Glean experience with a user as a custom role. The majority of steps will be the same as listed in the ServiceNow Connector setup instructions, except for the following:

Note: The User fetching on behalf of does not need to be an admin (or have admin privileges). However, an admin (or a user with security_admin privileges) must complete some of the following steps.

  1. Create the user that will be used and name it: gleansearch

  2. Create a custom role named: CustomRole

  3. Click on the user (Organizations → Users) and then set CustomRole for the user gleansearch under Roles

  4. When creating the ACL Rule (System Security → Access Control (ACL)) for the Scripted REST API, then set CustomRole as the role for the ACL Rule.

  5. Set the ACL Rule that requires the CustomRole for both the new Scripted REST API and the /user_criteria endpoint.

  6. In step 2, instead of setting roles for the user, provide read access to the necessary tables (see below). As a security admin, create a new ACL Rule for each table, granting CustomRole the read record access. Provide the read access for all fields of the table in a separate ACL Rule. Create two ACL Rules for each of the following tables:

    1. sys_user
    2. sys_user_role
    3. sys_user_has_role
    4. sys_user_group
    5. sys_user_grmember
    6. user_criteria
    7. kb_knowledge
    8. kb_knowledge_base
    9. kb_uc_can_read_mtom
    10. kb_uc_cannot_read_mtom
    11. kb_uc_can_contribute_mtom
    12. kb_uc_cannot_contribute_mtom
    13. kb_category
    14. kb_use
    15. sc_cat_item
    16. sc_cat_item_user_criteria_mtom
    17. sc_cat_item_user_criteria_no_mtom
    18. sc_category
    19. sc_catalog
    20. topic
    21. sys_audit_delete (if provided access)
    22. incident (if enabled)
    23. cmdb_ci_business_app (if enabled)
    24. dmn_demand (if enabled)
    25. pm_project (if enabled)
    26. rm_epic (if enabled)

  7. Add the itil (Information Technology Infrastructure Library) role to the user gleansearch. This enables the user to read tables interaction (Interactions) and sc_request (Requests)

  8. Follow the subsequent steps as described in the instructions.

Example of the ACLs: ACL to read the table (e.g. sys_user)

ACL to read the properties of the table (e.g. sys_user.*)

API Endpoints

Glean uses the Table API to crawl relevant tables for ServiceNow content and permissions. For this, we have you create a dedicated ServiceNow user with access to the required tables through the Table API. We also use a Scripted Rest API that is configured as part of the setup to crawl advanced user criteria.

Format of the Table API calls are displayed below

https://<servicenowDomain>/api/now/<tableName>

Additionally, in the case of advanced user criteria, we have you create a scripted REST API endpoint to return the user criteria for a given user. The endpoint looks like:

https://<servicenowDomain>/api/now/<app_scope>/gleansearch/user_criteria

(Rest of the document continues with tables and details about content, identity, activity, rate limits, update frequency, crawl process, and troubleshooting/FAQ sections)

Looking for the original version of this page? You can find the archived version here.

Was this page helpful?