Service Desk Application for ServiceNow
The IBM Security Verify Service Desk Application allows you to securely connect ServiceNow to the following three endpoints:
- IBM Security Verify Governance
- IBM Security Verify SaaS
- IBM Security Identity Manager
For IBM Security Verify Governance, the Service Desk application supports the following functions:
- Request access to applications (for self and others)
- Built in approvals and separation of duties checks.
- Automated and manual provisioning of accesses.
- Request password change
- Approve access requests
- Review status of access requests
- Request to add, remove, modify, suspend, restore accounts
- Perform access and role attestation
For IBM Security Verify SaaS, the Service Desk application supports the following functions:
- Request access to applications (for self and others)
- Request password change: Can change password only for the cloud directory and not the target accounts
- Approve access requests
- Review status of access requests
- Entitlement Load
- My Certifications
For IBM Security Identity Manager (ISIM), the Service Desk application supports the following functions:
- Request access to applications (for self and others)
- Request password change
Before you begin
You must fulfil the following system requirements before proceeding:
- A working environment for the required endpoint (IGI, ISV or ISIM)
- A working environment with the latest supported ServiceNow version
Note: Refer to the documentation on the ServiceNow App Store for the required version information.
Configuration and Settings
See the Installation and Configuration Guide on the ServiceNow Store page.
Download the App
Note: The following pre-requisite is only applicable for ISIM as an endpoint.
Creating ISIM System user
- Login to ServiceNow as the System Administrator.
- Navigate to User Administration > Users menu and select New.
- In the User ID field, enter ISIM System.
- Check the Active checkbox and click Submit.
- Search the ISIM System User ID.
- Set the password for the ISIM System user to Verify@2023.
- Under the Roles tab, select Edit and assign script_include_admin role. Then, click Save.
Modify the sc_request table permissions to allow creating and updating requests
- Login to ServiceNow as the System Administrator.
- Navigate to Tables. Search for the table with the Label Request and the Name sc_request.
- Click the table label.
- Click Application Access. Enable the Can create, Can update and Allow Configuration settings.
- Click Update button to save the modified settings.
Now, download and install the IBM Security Verify Service Desk App from the ServiceNow App Store.
Post Installation Verification
Note: The following pre-requisite is only applicable for ISIM as an endpoint.
The following script include must exist in the respective table:
Navigate to ServiceNow dashboard > Search sys_script_include.list. The ISIMGetLtpa2Token script record must exist.
If the script is not created automatically, the admin user needs to run the Fix Script.
Follow the provided steps to run the Fix Script:
- Navigate to ServiceNow dashboard > Search Fix Scripts > Search createGlobalScriptForISIM > Open the record > Click the Run Fix Script button > Click Proceed.
Create IGI System User
Note: The following procedure is only applicable for IGI as an endpoint.
- Login to ServiceNow as the System Administrator.
- Navigate to User Administration > Users menu and select New.
- In the User ID field, enter IGI System.
- Check the Active and Web service access only checkboxes and click Submit.
- Enter the Password for the IGI System user and click Submit.
- Under the Roles tab, select Edit and assign the following roles and then, click Save:
- import_admin
- import_scheduler
- import_set_loader
- import_transformer
- itil
- web_service_admin
- workflow_publisher
- x_155935_igi.access_hierarchy_user
- x_155935_igi.access_properties_user
- x_155935_igi.access_property_name_mapping_user
- x_155935_igi.access_user
- x_155935_igi.admin
Configure and Test SVG/ISV/ISIM Connection
- Log in as the ServiceNow System Administrator.
- Access System Settings and select Developer, Application: IBM Security Verify Service Desk App, and Show application picker in header.
- In the application picker, select IBM Security Verify Service Desk App and close the Settings window.
- Search to open the Service Portal Home. In the opened screen, go to the top panel and select IT Security Access Services.
- Select Administration. Enter the SVG/ ISV/ ISIM Connection details:
Note: Create an admin user on ISIM endpoint and assign all the privileges default admin user is having. Use this newly created admin for ISIM test connection.
- Endpoint: Select IBM Security Verify Governance or IBM Security Verify or IBM Security Identity Manager option from the drop down.
- Username/ Client Id: Enter the SVG service username or ISV client ID used in the Basic Authentication (BA) header when calling the IBM Security Verify Governance REST APIs or IBM Security Verify REST APIs, respectively. For ISIM, enter the ISIM user ID used to generate the authentication token.
- Password/ Client Secret: Enter the SVG service account password or ISV client secret used in the Basic Authentication (BA) header when calling the IBM Security Verify Governance REST APIs or IBM Security Verify REST APIs, respectively. For ISIM, enter the ISIM user password used to generate the authentication token.
- Base URL: Enter the base URL for the IBM Security Verify Governance REST API (https://<hostname>:<port>/igi/v2), the IBM Security Verify REST API (https://<hostname>) or the IBM Security Identity Manager REST API (https://<hostname>).
- Select Save Settings and then click Test Connection.
The following steps are only applicable for IGI:
- When the test connection completes successfully, set the workflow name that is required for access request processing. You must select the workflow created for the ServiceNow app on SVG for access requests.
- Click the dropdown to select a workflow and then click Save Workflow. You can also search for the workflow name in the search box.
Note: Before upgrading the app, the Administrator must ensure that all the open access requests in the app are processed or closed.
Category for ISV, SVG and ISIM Entitlements
Login to ServiceNow as System Administrator.
The ISV, SVG and ISIM entitlements can be searched by the following categories in the sc_cat_item.list catalog items table:
- To find ISV entitlements, search for IT Security Verify in the Category column search box.
- To find SVG entitlements, search for IT Security Access in the Category column search box.
- To find ISIM entitlements, search for IT Security Identity in the Category column search box.
Load ISV and ISIM Entitlements
Note: In the Load Entitlement page, entitlements can only be added and updated.
- If the selected endpoint is ISV or ISIM, a new Load Entitlement tab is enabled in the Administrative Settings page.
- To load ISV or ISIM entitlements in ServiceNow, select the Load Entitlements tab. On the left-hand side of the page, all ISV Entitlements (Roles and Permissions) or ISIM Entitlements (Accesses) are initially listed. To add or update an entitlement from the list, click the entitlement and then click the Add icon. The entitlement is moved to the list on the other side, which contains all the entitlements that are to be loaded.
- Click Submit to load the selected ISV or ISIM entitlements in ServiceNow.
- The entitlements in the list can be searched using different filters: name, description, additional information and tags for ISIM; application name and entitlement name for ISV.
- For ISIM, enter the string in the Search Entitlements text box, or select the category name from the Select Category drop down to search entitlements by category. For ISV, enter the string in the Search Entitlements or Search Application text box. If multiple search values are provided, the tool returns all the entitlements that match the criteria.
- Click Search to launch the search. Click the Reset button to clear the search boxes.
Note: Search uses a "contains" match.
Update System Properties
- Login to ServiceNow as System Administrator.
- Access System Properties and then Categories. In the Search drop down menu, select Name and enter IT Security Access Services in the text box.
- Click IT Security Access Services from the list.
- Click the Show/Hide Filter icon and add the condition Display name contains. Enter the property name and then press Enter. See the following table for the list of Property Names.
- Select the property name. Enter the property value in the Value field and click Update.
Property Name | Description | Value |
---|---|---|
igi.sn.ui.deep.link.uri | The IBM Security Verify Governance deep link URI prefix used in My Recertification (applies if the selected endpoint is SVG). It redirects the user from ServiceNow to the IBM Security Verify Governance server's dashboard. Example value: https://{svghostname}:{port} | String |
igi.sn.workflow.requestor.igi.system.user | Username for the service account used by the SVG synchronizer. Default = 'IGI System' user | String |
igi.sn.cryptojs.sharedsecret | Shared secret for Crypto-js encryption/decryption | |
Assign User roles
The following table lists the roles available and the functions that are available for each role. All users have access to Request Access for Me and View Your Requests when IGI is the Endpoint.
Role | Role Name | Available Functions |
---|---|---|
Requestor | x_155935_igi.requestor | Request Access for Another User Request Access for Multiple Users |
Approver | x_155935_igi.approver | View your Approvals |
Supervisor | x_155935_igi.supervisor | My Recertifications (for SVG) My Certifications (for ISV) |
Administrator | x_155935_igi.admin | Request Access for Another User, Request Access for Multiple Users, View Your Approvals, My Passwords, Manage Accounts, Administration |
My Passwords (for SVG and ISIM) | x_155935_igi.my_passwords_access | My Passwords |
Manage Accounts (only for SVG) | x_155935_igi.manage_accounts_access | Manage Accounts |
ISV User (only for ISV) | x_155935_igi.isv_user | Allows all users to access the ISV request flows |
ISIM User (only for ISIM) | x_155935_igi.isim_user | Allows all users to access the ISIM request flows |
Manual Approver (only for SVG) | x_155935_igi.manual_task_approve | Manual Fulfilment |
Note: Manage Accounts related roles are not applicable for the ISV or ISIM endpoint. A user with x_155935_igi.admin must also have the target-specific roles to access the Request Flows and Administration Settings functionality. This applies when ISIM or ISV is the endpoint.
To assign user roles(s):
- Login as ServiceNow System Administrator.
- Access System Security, Users and Groups, Users.
- Search for the user to whom you wish to assign the roles.
- Under the Roles tab, click Edit.
- In the search box, enter x_ to view the IBM Security Verify Service Desk App roles. See the table for a list of the role names.
- Highlight the role(s) to assign to the user and click the right-arrow icon (Shift-click to select multiple roles). Use the left-arrow icon to remove role(s). Click Save.
Note: If the user is an Approver, assign the following additional roles:
- catalog
- itil
- approver_user
Note: If the user is a Requestor, or the user is requesting for themselves when the two-level approval flow is set, assign the following additional role:
- itil
Note: If the user is an ISV user, assign the following role:
- x_155935_igi.isv_user
Note: If the user is an ISIM user, assign the following role:
- x_155935_igi.isim_user
Set Approvers
There are two ways to set up the approvers:
- Approver for all access or account request catalog items.
- Approver per individual catalog item.
Note: See the Assign User roles section for the additional roles required for Approvers.
Approver for All Catalog Items
To set up an approver for all access or account request catalog items:
- Login as ServiceNow System Administrator.
- Access System Properties and then Categories.
- In the Go to drop down menu, select Name and enter IT Security Access Services in the search box.
- Click IT Security Access Services from the list.
- Click the Show/Hide Filter icon and add the condition Display name contains. Enter the property name and press the Enter key.
  - Approver for access requests: x_155935_igi.igi.sn.workflow.default.access.request.approver
  - Approver for account requests: x_155935_igi.sn.workflow.default.account.request.approver
- Enter the User ID or Group that approves the requests in the Value field and then click Update. Use a comma (,) to separate multiple User IDs or Groups.
Approver Per Catalog Item
To set up an approver based on the requested catalog item:
- Login as ServiceNow System Administrator
- Access Service Catalog, Catalog Definitions and Maintain Catalogs.
- Select IT Security Access Catalog.
- Under the Catalog Items tab, select the catalog item for which you are setting the approver.
- From the Additional Actions drop down menu, select Configure and then Related Lists.
- Click the Edit this View in Global option.
- From the Available box, select Approved By. Click the right-arrow icon and then Save.
- Select the Approved By tab and then Edit.
- Highlight the approver(s) to assign and click the right-arrow icon (Shift-click to select multiple entries). Use the left-arrow icon to remove approver(s). Click Save.
Enable Entitlement owner as an Approver
The entitlement owner value is pushed into ServiceNow from SVG by the SVG-ServiceNow synchronizer, and from ISV or ISIM by the Load Entitlement panel or on request creation.
Follow the provided steps to enable entitlement owner as an approver for that catalog item:
- Login as ServiceNow System Administrator.
- Access System Properties and then Categories.
- In the Go to drop down menu, select Name and enter IT Security Access Services in the search box.
- Click IT Security Access Services from the list.
- Click the Show/Hide Filter icon and add the condition Display name contains. Enter the property name and press the Enter key.
  - x_155935_igi.igi.sn.workflow.ent.owner.approver
- Enter true in the Value field and click Update.
Configure Approval flow
The approval flow, applicable to SVG, ISV and ISIM endpoints, can be configured in the following two ways:
- Single-level approval
- Two-level approval
Note: Two-level approval is not applicable for ISIM endpoint.
Configure Single level Approver
In the single-level approval flow, there are three possibilities for setting the approver, evaluated in this order:
- The approver per catalog item set by the admin has the highest precedence. If it exists, the request is sent to that user for approval. See the Set Approvers > Approver Per Catalog Item section for details.
- If the catalog item approver is not set by the admin, the request is sent to the entitlement owner, but only if the entitlement owner is enabled as an approver in ServiceNow. See the Enable Entitlement owner as an Approver section for details.
- If neither of the previous cases applies, the request is forwarded to the default approver(s)/group(s) from the property set by the admin for all catalog items. See the Set Approvers > Approver for All Catalog Items section for details.
Configure Two-level Approver
To enable a Two-level Approver, set x_155935_igi.igi.sn.workflow.multi.level.approver property to true.
To set the property, see steps 1 to 4 in Set Approvers section. Then, in step 5 select x_155935_igi.igi.sn.workflow.multi.level.approver and set it to true.
The two-level approval process requires two approval requests.
- The first level request goes to the manager of the user (Beneficiary/Requestee) for approval. The manager-reporter relationship must be defined on the ServiceNow side. If the user's manager is not defined or is deactivated, the request is sent to the default all catalog items approver(s)/group(s) from the property set by the admin.
Note: See the Set Approvers > Approver for All Catalog Items section for details.
- The second level request goes to the catalog-item approver set by the admin in ServiceNow, where a catalog item-approver relationship exists.
Note: See the Set Approvers > Approver Per Catalog Item section for details.
If the catalog item approver is not set by the admin, the request goes to the entitlement owner, if the 'Entitlement owner as approver' property is enabled in ServiceNow.
Note: See the Enable Entitlement owner as an Approver section for details.
If neither of the previous cases applies, the request is forwarded to the default approver(s)/group(s) from the property set by the admin for all catalog items.
Note: See the Set Approvers > Approver for All Catalog Items section for details.
- If no first level and second level approvers are available and the request is sent to the default approver, the request goes through just one approval step and follows the single-level approver flow, with the default approver (Approver for all catalog items) as the approver.
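The single-level precedence rules and the two-level flow above are easier to verify as code. The following is an added example, not code from the IBM app; it models the resolution order the guide describes with plain JavaScript objects in place of ServiceNow's GlideRecord and gs.getProperty APIs, so it runs offline in Node. The property names are the ones this guide lists; the object fields (approvedBy, entitlementOwner, manager, active) and all sample values are constructed for the example.

```javascript
// Added example (not the app's own code): approver resolution modelled on the
// single-level and two-level rules described in this guide.

// Constructed system properties, keyed by the property names the guide lists.
const sampleProps = {
  "x_155935_igi.igi.sn.workflow.default.access.request.approver": "sec.admin1, sec.admin2",
  "x_155935_igi.sn.workflow.default.account.request.approver": "acct.approvers",
  "x_155935_igi.igi.sn.workflow.ent.owner.approver": "true",
  "x_155935_igi.igi.sn.workflow.multi.level.approver": "false",
};

// Split a comma-separated User ID / Group property into a clean list.
function parseApproverList(value) {
  return String(value || "").split(",").map((s) => s.trim()).filter(Boolean);
}

// Default approvers from the "Approver for All Catalog Items" property that
// matches the request type ("access" or "account").
function defaultApprovers(properties, requestType) {
  const key = requestType === "account"
    ? "x_155935_igi.sn.workflow.default.account.request.approver"
    : "x_155935_igi.igi.sn.workflow.default.access.request.approver";
  return parseApproverList(properties[key]);
}

// Single-level precedence: per-catalog-item approver, then entitlement owner
// (only while the ent.owner.approver property is "true"), then the default list.
function resolveSingleLevel(properties, item, requestType) {
  if (item.approvedBy && item.approvedBy.length > 0) {
    return { source: "catalog-item", approvers: item.approvedBy.slice() };
  }
  const ownerEnabled = properties["x_155935_igi.igi.sn.workflow.ent.owner.approver"] === "true";
  if (ownerEnabled && item.entitlementOwner) {
    return { source: "entitlement-owner", approvers: [item.entitlementOwner] };
  }
  return { source: "default", approvers: defaultApprovers(properties, requestType) };
}

// Two-level flow: the first step is the beneficiary's active manager (falling
// back to the default list when the manager is missing or deactivated); the
// second step follows the single-level precedence. When both steps would land
// on the default list, the request collapses to a single default-approver step.
function resolveApprovalFlow(properties, item, beneficiary, requestType) {
  const multiLevel = properties["x_155935_igi.igi.sn.workflow.multi.level.approver"] === "true";
  const second = resolveSingleLevel(properties, item, requestType);
  if (!multiLevel) return [second];

  const manager = beneficiary.manager;
  const first = manager && manager.active
    ? { source: "manager", approvers: [manager.userId] }
    : { source: "default", approvers: defaultApprovers(properties, requestType) };

  if (first.source === "default" && second.source === "default") return [second];
  return [first, second];
}

// Stand-alone demonstration with constructed data.
const demoItem = { approvedBy: [], entitlementOwner: "ent.owner" };
const demoUser = { userId: "alice", manager: { userId: "bob", active: false } };
const twoLevelProps = Object.assign({}, sampleProps, {
  "x_155935_igi.igi.sn.workflow.multi.level.approver": "true",
});
for (const step of resolveApprovalFlow(twoLevelProps, demoItem, demoUser, "access")) {
  console.log(step.source + " -> " + step.approvers.join(", "));
}
```

Running the demonstration shows the inactive-manager case: the first step falls back to the default list and the second goes to the entitlement owner, which is exactly the outcome the "manager is not defined or is deactivated" rule calls for.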