ServiceNow: Advanced setup

​

Prerequisites and scope

• Required role: The user setting up the data source must be a ServiceNow Admin.
• Custom configurations: Glean supports additional configurations for custom ServiceNow URLs and custom Knowledge Article templates. If applicable, contact Glean Support to set these up after completing the steps below.

​

Indexed content and permissions

• Permissioning: Glean supports simple permissioning for the ITSM, APM, and SPM object types listed above. Users with specific roles are granted access to all documents. If you require a customized role, reach out to Glean Support.

​

Setup requirements

• POC mode: To start the crawl in POC mode, contact Glean Support.
• API configuration: This setup requires you to implement a scripted REST API in ServiceNow.
• Service account: The ServiceNow administrator must create a dedicated ServiceNow user with access limited only to the doctypes listed above.
• Administrator action: All steps in this advanced setup process must be performed by a ServiceNow administrator. If you have any questions during setup, contact Glean Support.

​

Setup instructions

1. In Glean Admin Console go to Data sources.
2. Click Add data source and select ServiceNow.
3. Enter a name for your connector.
4. Select Advanced in the Select if you want to support advanced user criteria (also select advanced if you want to start crawl in POC mode) step.

​

1. Create an ACL to be used for the REST API

• Elevate role to get security_admin role (This is found on the “System Administrator” Header Banner). Note that by default this is only set for the user account whose name is admin.
• Navigate to Access Control (ACL), and create a new ACL with the following properties:
  • Set type=Rest_endpoint
  • Set protection policy=Read only (if possible)
  • Set Name=GleanSearch
  • Set Role=knowledge_admin, catalog_admin, itil (only if you want to index ITSM incidents as well)
  • Set operation=execute

​

2. Configure the body of the REST API

• Navigate to scripted REST APIs
• Create a new API called GleanSearch and API ID gleansearch
• Set Protection=Read only
• Remove existing default acl and add GleanSearch acl as default acl
• Create a new REST endpoint
  • Name=GetUserCriteria
  • HTTP method=GET
  • Relative path = /user_criteria
  • Protection policy=Read only
  • Ensure Requires Authentication and Requires Authorization are checked
  • Remove the default Scripted REST external default and set GleanSearch
  • Verify that the resource path is /api/<API_NAMESPACE>/gleansearch/user_criteria (API namespace value needs to be entered in the corresponding box )
• Add the following as the script:

(function process(/*RESTAPIRequest*/ request, /*RESTAPIResponse*/ response) {
    var queryParams = request.queryParams;
    var userID = new String(queryParams.user);
    return new sn_uc.UserCriteriaLoader.getAllUserCriteria(userID);
})(request, response);

​

3. Create a service account

• Navigate to Organization > Users and click New.
  • Set User ID to gleansearch.
• Check Web service access only. This restricts the account to interacting with ServiceNow exclusively through APIs.
• Ensure Web service access only is unchecked. This enables the user to log in via the ServiceNow portal to authorize the OAuth application.
• Set Time zone to GMT. This is required for new content updates to be picked up by Glean.
• Leave the remaining fields as-is. Click Submit.Click on the gleansearch user that was created.
• Click Set Password and choose a strong password.
• Click Roles > Edit… and add the following roles:
  • knowledge_admin
  • user_criteria_admin
  • user_admin
  • catalog_admin
  • snc_read_only
• Only add the following role if it exists in your instance:
  • snc_internal
• Add the following role if you want to index ITSM incidents as well
  • itil
• Add the following role if you want to index APM Business Applications
  • sn_apm.apm_user
• Add the following role if you want to index SPM documents (demands, projects and epics)
  • it_demand_user
  • it_project_user
  • scrum_user
  • safe_scrum_user
• Add the following role if you have HR content in a non-global scope (e.g., “Human Resources: Core” application scope)
  • sn_hr_core.admin

• sys_user
• sys_user_has_role
• sys_user_group
• sys_user_grmember
• user_criteria
• kb_knowledge
• kb_knowledge_base
• kb_uc_can_read_mtom
• kb_uc_cannot_read_mtom
• kb_uc_can_contribute_mtom
• kb_uc_cannot_contribute_mtom
• kb_category
• kb_use
• sc_cat_item
• sc_cat_item_user_criteria_mtom
• sc_cat_item_user_criteria_no_mtom
• sc_category
• sc_catalog
• sys_audit_delete (if provided access)
• incident (if enabled)
• cmdb_ci_business_app (if enabled)
• dmn_demand (if enabled)
• pm_project (if enabled)
• rm_epic (if enabled)

​

4. Provide access to sys_audit_delete table

• Create a new role: read_access_sys_audit_delete:
  • Navigate to User Administration > Roles.
  • Click on New and enter the name as read_access_sys_audit_delete
  • Save.
• Add an ACL rule that gives this role read access to the sys_audit_delete table:
  • Elevate role to security_admin to be able to create a new ACL.
  • Navigate to System Security > Access Control (ACL).
  • Click on New and enter the following details.
    • Type: record
    • Operation: read
    • Name: Select the sys_audit_delete table
    • Add the new read_access_sys_audit_delete role under Requires role
    • Submit.
• Assign the new role read_access_sys_audit_delete to gleansearch user.

​

5. Configure ACLs for News Articles (Content Publishing)

​

1. Create a Table ACL for the News Article table

• Elevate your role to security_admin to be able to create a new ACL.
• Navigate to System Security > Access Control (ACL).
• Click on New and enter the following details:
  • Type: record
  • Operation: read
  • Name: Select the sn_cd_news_article table
  • Under Requires role, add either:
    • The existing sn_cd.content_manager or sn_cd.content_admin role that was assigned to the gleansearch user, OR
    • A new custom role created in the Content Publishing application (if you prefer to use a custom role instead of the built-in ones)
  • Click Submit.

​

2. Create a Record ACL for News Article records

• Elevate your role to security_admin to be able to create a new ACL.
• Navigate to System Security > Access Control (ACL).
• Click on New and enter the following details:
  • Type: record
  • Operation: read
  • Name: Select sn_cd_news_article.* (all fields)
  • Under Requires role, add the same role used in the table ACL above
  • Click Submit.

​

6. Configure an OAuth application

• Navigate to System OAuth > Application Registry and click New.
• Click Create an OAuth API endpoint for external clients.
• Set Name to Glean Search OAuth.
• Set Refresh Token Lifespan to 2,147,483,647.
• Set Access Token Lifespan to 86,400.
• Leave the remaining fields as-is. Click Submit.

​

7. Validate system properties

• Navigate to the System Properties List (All > Enter sys_properties.list).
• Identify and note the system property glide.knowman.apply_article_read_criteria and its value.
• Identify and note the system property glide.knowman.block_access_with_no_user_criteria and its value.
• Identify if you have Knowledge Article templates enabled and want to index template-based articles.
  • Navigate to All > System Applications > All Available Applications > All
  • Look for the plugin Knowledge Management Advanced (com.snc.knowledge_advanced) and check if it is enabled.
  • You can learn more about knowledge article templates here.

​

Enter details in Glean Admin Console

• Domain Name: Accepts domain or domain url. Note, the domain url should not include any http prefixes, and should follow the format of <domain>.service-now.com. It is preferred to enter the domain url
• User ID: gleansearch
• Password: The password you chose in step 3.
• Note: We STILL need a username/password to fetch refresh token which is then used to fetch access tokens.
• OAuth Client ID: Client ID from the application in step 5.
• API Namespace: Copy over the API namespace for the scripted REST API you created in step 2
• OAuth Client Secret: Client Secret from the application in step 4.
• Set the Apply article read criteria box to mirror the system property glide.knowman.apply_article_read_criteria.
• Set the Block access with no user criteria box to mirror the system property glide.knowman.block_access_with_no_user_criteria.
• If you have Knowledge Article templates enabled in your instance, check the Enable fetching template-based knowledge articles box.
• Tick the checkbox for the document types you want Glean to index