> ## Documentation Index
> Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.
# Set up a ServiceNow connector
> C1 provides identity governance for ServiceNow. Integrate your ServiceNow instance with C1 to run user access reviews (UARs) and enable just-in-time access requests.
## Capabilities
| Resource | Sync | Provision |
| :------- | :------------------------------------------------------------ | :------------------------------------------------------------ |
| Accounts | | |
| Groups | | |
| Roles | | |
The ServiceNow connector supports [automatic account provisioning](/product/admin/account-provisioning).
This connector does not support full account deprovisioning. You can disable accounts using a connector action, but you must deprovision accounts directly in ServiceNow.
This connector can also be configured to automatically create and update ServiceNow tickets to track manual provisioning assignments. Go to [Configure ServiceNow as an external ticketing provider](/product/admin/external-ticketing#configure-servicenow-as-an-external-ticketing-provider) to learn more.
### Connector actions
Connector actions are custom capabilities that extend C1 automations with app-specific operations. You can use connector actions in the [Perform connector action](/product/admin/automations-steps-reference#perform-connector-action) automation step.
| Action name | Additional fields | Description |
| ------------- | ---------------------------- | ------------------------------------------ |
| enable\_user | `user_id` (string, required) | Enables a disabled ServiceNow user account |
| disable\_user | `user_id` (string, required) | Disables an active ServiceNow user account |
## Gather ServiceNow credentials
Configuring the connector requires you to pass in credentials generated in ServiceNow. Gather these credentials before you move on.
You'll need your ServiceNow deployment, which is found in the URL of your ServiceNow instance. For example, if your URL is [https://example12345.service-now.com](https://example12345.service-now.com), your deployment ID is **example12345**.
You'll also need the username and password for a user who has either the **Admin** role in ServiceNow or an [access control list](https://docs.servicenow.com/bundle/vancouver-platform-security/page/administer/contextual-security/concept/exploring-access-control-list.html) able to access the following ServiceNow tables:
* `sys_user` - Users
* `sys_user_role` - Roles
* `sys_user_group` - Groups
* `sys_user_grmember` - Group membership
* `sys_user_has_role` - User roles
* `sys_group_has_role` - Group roles
### Credentials and configuration for external ticketing
If you're [configuring ServiceNow as an external ticketing provider](/product/admin/external-ticketing#configure-servicenow-as-an-external-ticketing-provider), follow these additional steps.
#### Configure permissions needed for the ServiceNow table API
In the ServiceNow admin portal, navigate to **All** > **Access Analyzer**.
Fill out the form as follows:
* **Analyze by**: User
* **Select user**: choose the user you're using for the C1 integration (with the access control list permissions defined above)
* **Rule type**: Table (record)
* **Select table**: Choice
Click **Analyze permissions**.
Look for the `read` permission in the **Operation** column. Check the **Overall Access** for that permission.
If access is blocked for a permission, click the permission's name.
View the necessary roles under **Required ACL Roles** and assign any missing roles to your user by following the instructions in the **Assign user roles** section below.
Repeat steps 2 through 6 to add the **Tag** and **Label Entry** tables. Each of these tables needs the `read`, `write`, and `create` permissions. Here's a table summarizing all the required permissions:
| Table | Permissions needed | Reason |
| :-------------------------- | :------------------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Choice (`sys_choice`) | Read | Used to configure request state mappings in your external provisioner config. We monitor the ServiceNow request for this state so we can close the task in C1 accordingly. |
| Tag (`label`) | Create, read, write | Used to create a tag with the provided label in your provisioner config to help you filter requests made by C1. |
| Label Entry (`label_entry`) | Create, read, write | Used to tag requests with the provided label in your provisioner config to help you filter requests made by C1. |
**Note:** The `label_entry` table has **write** ACLs for the `table` and `table_key` fields. This configuration can be changed
by an admin. If this can’t be done, we can still make the ServiceNow request, but will not be able to add a tag. For
instructions on how to change the ACLs, see the **Change the `label_entry` table ACLs** section below.
#### Configure permissions needed for the ServiceNow service catalog API
In the ServiceNow admin portal, navigate to **All** > **Access Analyzer**.
Fill out the form as follows:
* **Analyze by**: User
* **Select user**: choose the user you're using for the C1 integration (with the access control list permissions defined above)
* **Rule type**: REST endpoints
* **REST endpoint**: `/api/sn_sc/servicecatalog/items`
* **REST endpoint method**: GET
Click **Analyze permissions**.
Confirm that the operation executed successfully. If not, click the link under **Operation**.
View the necessary roles under **Required ACL Roles** and assign any missing roles to your user by following the instructions in the **Assigning user roles** section below.
Repeat steps 2 through 5 to add the three additional endpoints and methods shown in the table below, subbing in a valid catalog ID for the \ parameter.
| API endpoint | REST method | Reason |
| :------------------------------------------------------------ | :---------- | :--------------------------------------------------------------------------------- |
| `/api/sn_sc/servicecatalog/items` | GET | Used to sync your catalog items to C1. |
| `/api/sn_sc/servicecatalog/items/` | GET | Used to fetch the catalog item configured for your C1 external ticket provisioner. |
| `/api/sn_sc/servicecatalog/items//variables` | GET | Used to get the variables required to make a ServiceNow request. |
| `/api/sn_sc/servicecatalog/items//order_now` | POST | Used to create the ServiceNow request. |
#### Assign user roles
Follow these steps if you need to assign missing user roles to the user you'll use for the C1 integration.
In the ServiceNow admin portal, navigate to **All** > **System Security** > **Users and Groups** > **Users**.
Search for your user and click the **User ID** link.
Find the **Roles** section and click **Edit**.
Search for the role and click the **>** to add it to the user's roles list.
Click **Save**.
Repeat these steps as necessary to add additional roles.
#### Change the `label_entry` table ACLs
Follow these steps if you need to update the `label_entry` table ACLs.
In the ServiceNow admin portal, navigate to your profile icon and click **Elevate Role**.
Click the **Security Admin** checkbox and click **Update**.
Navigate to **All** > **System Security** > **Access Control (ACL)**.
Search for **label\_entry.table** and click the **write** operation.
Uncheck the **Active** checkbox and click **Update**.
Repeat steps 4 and 5 to update **label\_entry.table\_key**.
#### Change the `sys_choice.*` table ACLs
Follow these steps if you need to update the `sys_choice` table ACLs.
In the ServiceNow admin portal, navigate to your profile icon and click **Elevate Role**.
Click the **Security Admin** checkbox and click **Update**.
Navigate to **All** > **System Security** > **Access Control (ACL)**.
Search for **sys\_choice.read** and click the **read** operation.
In the **Conditions** section of the page, find the **Role** table and double-click **Insert a new row**.
Add a role that is already assigned to your user.
**Done.** Next, move on to the connector configuration instructions.
## Configure the ServiceNow connector
To complete this task, you'll need:
* The **Connector Administrator** or **Super Administrator** role in C1
* Access to the set of ServiceNow credentials generated by following the instructions above
**Follow these instructions to use a built-in, no-code connector hosted by C1.**
In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
Search for **ServiceNow** and click **Add**.
Choose how to set up the new ServiceNow connector:
* Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
* Add the connector to a managed app (select from the list of existing managed apps)
* Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
Click **Next**.
Find the **Settings** area of the page and click **Edit**.
**Optional.** In the **Allowed emails domains** field, enter the email domain or domains (such as `acme.com` and `contractors.acme.com`) associated with the accounts that you want C1 to sync.
To add multiple allowed domains, press **Enter** between each domain.
If you leave this field blank, C1 will sync all accounts in your ServiceNow instance, regardless of the email domain associated with the account.
**Optional.** In the **Custom user attributes** field, enter the names of any custom user attribute fields you want C1 to sync from ServiceNow. These are fields that start with `u_` in ServiceNow, such as `u_type`.
To add multiple attributes, press **Enter** between each field name.
Synced custom attributes are included in user profiles in C1 and can be used to filter groups by attribute values.
In the **Deployment** field, enter the ServiceNow deployment ID.
In the **Password** and **Username** fields, enter the credentials for your ServiceNow account.
The user whose credentials you enter must have either the **Admin** role in ServiceNow or an [access control list](https://docs.servicenow.com/bundle/vancouver-platform-security/page/administer/contextual-security/concept/exploring-access-control-list.html) able to access the following ServiceNow tables:
* `sys_user` - Users
* `sys_user_role` - Roles
* `sys_user_group` - Groups
* `sys_user_grmember` - Group membership
* `sys_user_has_role` - User roles
* `sys_group_has_role` - Group roles
**Optional.** If you want to automatically create ServiceNow tickets to track provisioning tasks, click to **Enable external ticket processing**. [Read more about external ticketing system integrations here.](/product/admin/external-ticketing)
If you enable this option, you can add a **Catalog ID** or **Category ID** in the relevant fields to filter down catalog items. These fields are optional, but C1 only syncs 100 catalog items, so filtering is recommended.
Click **Save**.
The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
**Done.** Your ServiceNow connector is now pulling access data into C1.
**Follow these instructions to use the ServiceNow connector, hosted and run in your own environment.**
When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.
### Resources
* [Official download center](https://dist.conductorone.com/ConductorOne/baton-servicenow): For stable binaries (Windows/Linux/macOS) and container images.
* [GitHub repository](https://github.com/conductorone/baton-servicenow): Access the source code, report issues, or contribute to the project.
### Step 1: Set up a new ServiceNow connector
In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
Search for **Baton** and click **Add**.
Choose how to set up the new ServiceNow connector:
* Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
* Add the connector to a managed app (select from the list of existing managed apps)
* Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
Click **Next**.
In the **Settings** area of the page, click **Edit**.
Click **Rotate** to generate a new Client ID and Secret.
Carefully copy and save these credentials. We'll use them in Step 2.
### Step 2: Create Kubernetes configuration files
Create two Kubernetes manifest files for your ServiceNow connector deployment:
#### Secrets configuration
```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
# baton-servicenow-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
name: baton-servicenow-secrets
type: Opaque
stringData:
# C1 credentials
BATON_CLIENT_ID:
BATON_CLIENT_SECRET:
# ServiceNow credentials
BATON_DEPLOYMENT:
BATON_PASSWORD:
BATON_USERNAME:
# Optional: include if you want C1 to provision access using this connector
BATON_PROVISIONING: true
# Optional: include if you want to limit account syncing to only accounts associated with an email domain listed here
# Note: include each allowed domain as a separate entry
BATON_ALLOWED_DOMAINS:
BATON_ALLOWED_DOMAINS:
# Optional: include if you want to sync custom user attribute fields (fields starting with u_)
# Note: include each attribute as a separate entry
BATON_CUSTOM_USER_FIELDS:
```
See the connector's README or run `--help` to see all available configuration flags and environment variables.
#### Deployment configuration
```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
# baton-servicenow.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: baton-servicenow
labels:
app: baton-servicenow
spec:
selector:
matchLabels:
app: baton-servicenow
template:
metadata:
labels:
app: baton-servicenow
baton: true
baton-app: servicenow
spec:
containers:
- name: baton-servicenow
image: ghcr.io/conductorone/baton-servicenow:latest
imagePullPolicy: IfNotPresent
env:
- name: BATON_HOST_ID
value: baton-servicenow
envFrom:
- secretRef:
name: baton-servicenow-secrets
```
### Step 3: Deploy the connector
Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the ServiceNow connector to. ServiceNow data should be found on the **Entitlements** and **Accounts** tabs.
**Done.** Your ServiceNow connector is now pulling access data into C1.