Prerequisites

  • The SailPoint Identity Governance Connector for ServiceNow is certified and published on the ServiceNow Application Store. You can install the app directly from the store and begin using it.

  • You must install the update set from the ServiceNow Application store. Go to the ServiceNow Application Store > Search for SailPoint Identity Governance Connector.

  • You must assign the x_sapo_iiq_connect.admin role to the Service Account of SailPoint Identity Governance connector for ServiceNow.

  • ServiceNow security limits access to higher privileged roles unless the user possesses that specific role. This restriction applies to roles such as "admin," "sn_hr_core.admin," or any role with the "Assignable by" field populated.

  • To ensure that the connector user can access these roles correctly, it is recommended to assign all such roles manually to the connector user based on their usage.

    Note

    • The Service Account is the account that is used during source configuration to connect to the managed system.
    • The provisioning and de-provisioning of the security_admin role is not supported by the ServiceNow Governance connector due to its heightened security implications.
  • x_sapo_iiq_connect.admin is required for both Basic and OAuth2. The Service Account user should create an OAuth Client for the Refresh Token Grant Type.

  • For the OAuth2 Client Credentials Grant Type:

    • ServiceNow validates the access token received from the OpenID Connect (OIDC) provider and matches the User Claim (e.g., email) and User Field (email) for successful authentication. Users found with the User Field value should have the x_sapo_iiq_connect.admin role.

  • On the API table or Import Set API table, if REST API ACL is enabled, make sure to add the snc_platform_rest_api_access role to the x_sapo_iiq_connect.admin role.

  • Configure at least one virtual appliance cluster and successfully test the connection. For instructions, refer to the Virtual Appliance Reference Guide.

To support the unlock operation in ServiceNow:

Create the following Access Control List (ACL) in global scope and assign it to the x_sapo_iiq_connect.admin role:

| ACL | Type | Operation | Name | Attribute |
|---|---|---|---|---|
| sys_user.locked_out | record | read | User [sys_user] | Locked out |

Note
For more information on creating an ACL, refer to ServiceNow: Create an ACL rule.

Note
For more information on configuring any custom field, refer to Custom Attribute for SailPoint Identity Governance Connector for ServiceNow.
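
The role and ACL prerequisites above can be checked before source configuration. The following is an added example, not SailPoint or ServiceNow code: an offline pre-flight check over role and ACL data exported from the instance. The dictionary shapes, the function name preflight, and the roles x_demo.approver and x_demo.admin are assumptions constructed for illustration.

```python
# Added example: offline pre-flight check of the prerequisites listed above.
# Input shapes are simplified, constructed stand-ins for data exported from
# ServiceNow; they are assumptions, not the connector's own format.
CONNECTOR_ROLE = "x_sapo_iiq_connect.admin"
REST_ROLE = "snc_platform_rest_api_access"
HIGH_PRIV = {"admin", "sn_hr_core.admin"}  # restricted roles named on the page


def preflight(account_roles, role_contains, roles, acls, managed_roles,
              rest_api_acl_enabled=True):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    held = set(account_roles)
    if CONNECTOR_ROLE not in held:
        findings.append(f"service account lacks {CONNECTOR_ROLE}")
    # With REST API ACL enabled, the connector role must contain the REST role.
    if rest_api_acl_enabled and REST_ROLE not in role_contains.get(CONNECTOR_ROLE, ()):
        findings.append(f"{CONNECTOR_ROLE} does not contain {REST_ROLE}")
    # Unlock support: record/read ACL on sys_user.locked_out for the connector role.
    if not any(a["name"] == "sys_user.locked_out" and a["type"] == "record"
               and a["operation"] == "read" and CONNECTOR_ROLE in a["roles"]
               for a in acls):
        findings.append(f"no record/read ACL sys_user.locked_out for {CONNECTOR_ROLE}")
    for name in managed_roles:
        if name == "security_admin":  # never provisioned by the connector
            findings.append("security_admin provisioning is not supported")
            continue
        # Restricted: a named high-privilege role or one with "Assignable by" set.
        restricted = name in HIGH_PRIV or bool(roles.get(name, {}).get("assignable_by"))
        if restricted and name not in held:
            findings.append(f"assign {name} to the service account manually")
    return findings


# Constructed sample: missing REST role, wrong ACL operation, unheld roles.
SAMPLE = {
    "account_roles": [CONNECTOR_ROLE, "admin"],
    "role_contains": {CONNECTOR_ROLE: []},
    "roles": {"itil": {"assignable_by": ""},
              "x_demo.approver": {"assignable_by": "x_demo.admin"}},  # hypothetical
    "acls": [{"name": "sys_user.locked_out", "type": "record",
              "operation": "write", "roles": [CONNECTOR_ROLE]}],
    "managed_roles": ["itil", "admin", "sn_hr_core.admin", "x_demo.approver",
                      "security_admin"],
}

if __name__ == "__main__":
    for finding in preflight(**SAMPLE):
        print("FINDING:", finding)
```

Each finding maps to one prerequisite on this page, so an empty result means the service account meets the role and ACL requirements for the roles it is expected to manage.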