Prerequisites for Creating a Connection

You must satisfy the following prerequisites to create a ServiceNow Adapter connection.

Prerequisites for Oracle Integration Releases 23.04 or Later

When you create or edit your ServiceNow connection on release 23.04 or later of Oracle Integration, you must satisfy the following prerequisites.

Purchase a Subscription to ServiceNow

When you subscribe, you receive an instance name URL, user name, and password. This information is required for creating a ServiceNow Adapter connection in the Connections page. See Configure Connection Properties and Configure Connection Security.

Satisfy User and Role Requirements

You don't need to be an admin user to use the ServiceNow Adapter in Oracle Integration. If you want to assign an administrative role to a ServiceNow user, you can do so. Otherwise, you can create a custom user, assign the necessary roles, and create an Access Control List (ACL) for granting the necessary access to the following tables.

Whether the user is an admin or a custom user, the necessary permissions must be granted to the following tables.

Note the following:

  • Ensure that web services are enabled and respective permissions are assigned for the following tables in the ServiceNow instance.

  • Ensure the Integration User has the appropriate role.

  • A ServiceNow user with the default SOAP role (without any customization or changes) is required to configure or use the ServiceNow Adapter.

The applications and modules supported by the adapter are displayed for selection in the user interface when you add access to the following tables:

Permissions                 Operation
sys_plugins                 Gets standard applications.
sys_app                     Gets custom applications.
sys_db_object               Gets modules.
sys_ui_section              Gets view fields in get operations.
sys_documentation           Views the field labels instead of actual field names in the user interface.
sys_package                 Fetches standard packages. Note: This permission is required for both connections (that is, invoke and trigger connections).
sys_ui_element              Gets view fields in get operations.
sys_soap_message            For insert/delete of ServiceNow outbound SOAP messages. Note: This permission is required only for trigger connections.
sys_soap_message_function   For insert ServiceNow outbound SOAP message functions. Note: This permission is required only for trigger connections.
sys_script                  For insert/update/delete of ServiceNow business rules. Note: This permission is required only for trigger connections.
sys_rest_message            For insert/delete of ServiceNow outbound REST messages. Note: This permission is required only for trigger connections.
sys_rest_message_fn         For insert ServiceNow outbound REST message functions. Note: This permission is required only for trigger connections.
sys_rest_message_headers    For insert ServiceNow outbound REST message headers information. Note: This permission is required only for trigger connections.

Create a Custom User and Assign the Required Permissions

  1. Create a custom role:
    1. Log in to the ServiceNow cloud application (xxx.service-now.com) with administrator credentials.
    2. On the home page, search for Roles in the search box in the left pane, and click Roles under User Administration in the search results.
    3. Click New to create a new role.
    4. Enter the required details and click Submit.
  2. Enable web services for the preceding tables and assign permissions:
    1. Log in to the ServiceNow cloud application (xxx.service-now.com) with administrator credentials.
    2. On the home page, search for tables in the search box in the left pane, and click the Tables link under System Definition in the search results.
    3. Search for each of the ServiceNow tables from the preceding table using the Search box or locate a table using the show/hide filter.
    4. Click the table name or Business Rule (for the trigger role) in the search results.
    5. Locate and click the Application Access tab.
    6. For the invoke role, select the Can read check box (you can refer to the following table for required permissions), and select the Allow access to this table via web services check box if it is not selected already.
      Table Name Permission
      sys_db_object Read Only
      sys_plugins Read Only
      sys_app Read Only
      sys_ui_section Read Only
      sys_ui_element Read Only
      sys_package Read Only
    7. For the trigger role, select the respective permission (refer to the following table for required permissions), and select the Allow access to this table via web services check box if it is not selected already.
      Table Name Permission
      sys_soap_message Create, Update, and Delete
      sys_soap_message_function Create, Update, and Delete
      sys_script Create, Update, and Delete
      sys_rest_message Create, Update, and Delete
      sys_rest_message_fn Create, Update, and Delete
      sys_rest_message_headers Create, Update, and Delete
      sys_db_object Read Only
      sys_plugins Read Only
      sys_app Read Only
      sys_ui_section Read Only
      sys_ui_element Read Only
      sys_package Read Only
      sys_documentation Read Only

      Note: Assign this permission if you want to view the field labels instead of the actual field names in the list.

      This provides the required access for the table and provides permission to access the table with web services.

  3. Create or modify the access control list to assign permissions for the preceding tables.
    1. Assign the security_admin privileges to the admin user, if they are not assigned already. The admin user must have security_admin privileges to modify the access control lists.
      1. On the Home page, click the lock icon. In case of user interface 16, select Elevate Roles from the System Administrator drop-down list.
      2. Select the security_admin check box if it is not selected already.
    2. Search for Access Control in the Search box in the left pane and click Access Control (ACL) under System Security.
    3. Create two access control lists for a table (that is, table-level access control and field-level access control) to provide read, create, and write access to any table.
    4. Create the table-level access control list:
      1. Click New.
      2. For the invoke role, select record in the Type field, select read in the Operation field, and select a table name (for example, sys_plugins) in the Name field.
      3. For the trigger role, select record in the Type field, select create in the Operation field, and select a table name (for example, sys_soap_message) in the Name field.
      4. Under the Requires role section, search for the custom role (for example, Integration Specific Role), and click the check mark.
      5. Click Submit.
    5. Provide field-level access control:
      1. Click New.
      2. For the invoke role, select record in the Type field, select read in the Operation field, select a table name (for example, sys_plugins) in the Name field, and select * (asterisk) from the field next to the Name field.
      3. For the trigger role, select record in the Type field, select create in the Operation field, and select a table name (for example, sys_soap_message) in the Name field.
      4. Under the Requires role section, search for the custom role (for example, Integration Specific Role), and click the check mark.
      5. Click Submit.
  4. Similarly, you must create an access control list for the preceding table to provide read, create, write, and delete permissions. If the access control list for a table exists, you can add the custom role under the Requires Role section.
    1. On the home page, search for users in the search box in the left pane and click Users under User Administration in the search results.
    2. Click New to create a new user.
    3. Enter the required values and click Submit.
    4. Search for the user with the user ID to assign roles.
    5. In the Roles section, click Edit.
    6. Search for the custom role (for example, Integration Specific Role), SOAP, ITIL, query_no_domain_table_api, and rest_service roles, and assign them to the user.
    7. Click Save.
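
The permission tables and ACL steps above can be checked after setup with a least-privilege audit of the custom role. The following is an added example, not Oracle or ServiceNow code. It assumes a simplified, constructed grant export (keys table, field, operation, role), maps "Update" to the ACL operation write, and uses the page's example role name Integration Specific Role.

```python
# Added example (not Oracle or ServiceNow code): least-privilege audit of the
# ACL grants held by the custom integration role, against this page's tables.
# Assumptions: grants are a simplified, constructed export with keys
# table/field/operation/role; "Update" maps to the ACL operation "write".
READ_TABLES = ["sys_db_object", "sys_plugins", "sys_app",
               "sys_ui_section", "sys_ui_element", "sys_package"]
TRIGGER_CUD = ["sys_soap_message", "sys_soap_message_function", "sys_script",
               "sys_rest_message", "sys_rest_message_fn",
               "sys_rest_message_headers"]
# sys_documentation read is optional (field labels only): allowed, never required.
OPTIONAL = {("sys_documentation", "read")}
LEVELS = ("", "*")  # "" = table-level ACL, "*" = field-level ACL (step 3)


def required(profile):
    """Set of (table, operation) the page requires for 'invoke' or 'trigger'."""
    if profile not in ("invoke", "trigger"):
        raise ValueError("profile must be 'invoke' or 'trigger'")
    need = {(t, "read") for t in READ_TABLES}
    if profile == "trigger":
        need |= {(t, op) for t in TRIGGER_CUD
                 for op in ("create", "write", "delete")}
    return need


def audit(grants, role, profile):
    """Return (missing, excess): sorted lists of (table, operation, level)."""
    have = {(g["table"].lower(), g["operation"].lower(), g["field"])
            for g in grants if g["role"] == role}
    need = {(t, op, lvl) for t, op in required(profile) for lvl in LEVELS}
    allowed = need | {(t, op, lvl) for t, op in OPTIONAL for lvl in LEVELS}
    return sorted(need - have), sorted(have - allowed)


def sample_grants(role="Integration Specific Role"):
    """Constructed sample: a complete invoke grant set with two deviations."""
    rows = [{"table": t, "field": lvl, "operation": "read", "role": role}
            for t in READ_TABLES for lvl in LEVELS]
    # Deviation 1: the field-level read ACL on sys_package was never created.
    rows = [r for r in rows
            if not (r["table"] == "sys_package" and r["field"] == "*")]
    # Deviation 2: a delete grant that an invoke-only role does not need.
    rows.append({"table": "sys_script", "field": "", "operation": "delete",
                 "role": role})
    # Optional label access is tolerated; grants held by other roles are ignored.
    rows.append({"table": "sys_documentation", "field": "", "operation": "read",
                 "role": role})
    rows.append({"table": "sys_user", "field": "", "operation": "write",
                 "role": "admin"})
    return rows


if __name__ == "__main__":
    missing, excess = audit(sample_grants(), "Integration Specific Role", "invoke")
    print("missing:", missing)
    print("excess: ", excess)
```

Any entry in the excess list is access the adapter does not need for that connection type and is a candidate for removal from the role.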

Prerequisites for Oracle Integration Releases Earlier Than 23.04

Perform the following prerequisites for Oracle Integration releases earlier than 23.04.

Purchase a Subscription to ServiceNow

When you subscribe, you receive an instance name URL, user name, and password. This information is required for creating a ServiceNow Adapter connection on the Connections page. See Configure Connection Properties and Configure Connection Security.

Satisfy User and Role Requirements

A ServiceNow user with the Admin role or a custom user can use the ServiceNow Adapter in Oracle Integration. You can create a custom user (for example, the Integration User) in ServiceNow that can be assigned a custom role that has access to the table names shown in the following table in ServiceNow.

Note the following:
  • Ensure that web services are enabled and respective permissions are assigned for the following tables in the ServiceNow instance.

  • Ensure the Integration User has the appropriate role.

  • A ServiceNow user with the default SOAP role (without any customization or changes) is required to configure or use the ServiceNow Adapter.

  • The default SOAP role has the following permissions: query, create, update, and delete records on all tables, and execute scripts. While this is verifiable, ServiceNow recommends using the Admin role.

Note:

If a SOAP role has been modified or the SOAP role is not functional, you must follow the ServiceNow recommendations and use the Admin role. If you do not want to assign the Admin role, you can create a custom role, add accesses to the following tables, and assign the default SOAP role to the custom role.

A ServiceNow Adapter connection can be created with minimal access to the tables. However, only the modules supported by the adapter are displayed for selection in the user interface when you add access to the following tables:

Table Name                  Permission
sys_soap_message            For insert/delete of ServiceNow outbound SOAP messages. Note: This permission is required only for trigger connections.
sys_soap_message_function   For insert ServiceNow outbound SOAP message functions. Note: This permission is required only for trigger connections.
sys_script                  For insert/update/delete of ServiceNow business rules. Note: This permission is required only for trigger connections.
sys_db_object               To get modules. Note: This permission is required for both connections (that is, invoke and trigger connections).
sys_package                 Fetches standard packages. Note: This permission is required for both connections (that is, invoke and trigger connections).

The applications and modules supported by the adapter are displayed for selection in the user interface when you add access to the following tables:

Permissions                 Operation
sys_plugins                 Gets standard applications.
sys_app                     Gets custom applications.
sys_db_object               Gets modules.
sys_ui_section              Gets View fields in Get operations.
sys_documentation           Views the field labels instead of actual field names in the user interface.
sys_package                 Fetches standard packages. Note: This permission is required for both connections (that is, invoke and trigger connections).
sys_ui_element              Gets View fields in Get operations.
sys_soap_message            For insert/delete of ServiceNow outbound SOAP messages. Note: This permission is required only for trigger connections.
sys_soap_message_function   For insert ServiceNow outbound SOAP message functions. Note: This permission is required only for trigger connections.
sys_script                  For insert/update/delete of ServiceNow business rules. Note: This permission is required only for trigger connections.

Create a Custom User and Assign the Required Permissions

  1. Create a custom role:
    1. Log in to the ServiceNow cloud application (xxx.service-now.com) with administrator credentials.
    2. On the home page, search for Roles in the search box in the left pane, and click Roles under User Administration in the search results.
    3. Click New to create a new role.
    4. Enter the required details and click Submit.
  2. Enable web services for the preceding tables and assign permissions:

    1. Log in to the ServiceNow cloud application (xxx.service-now.com) with administrator credentials.

    2. On the home page, search for tables in the search box in the left pane, and click the Tables link under System Definition in the search results.

    3. Search for each of the ServiceNow tables from the preceding table using the Search box or locate a table using the show/hide filter.

    4. Click the table name or Business Rule (for the trigger role) in the search results.

    5. Locate and click the Application Access tab.
    6. For the invoke role, select the Can read check box (you can refer to the following table for required permissions), and select the Allow access to this table via web services check box if it is not selected already.
      Table Name Permission
      sys_db_object Read Only
      sys_plugins Read Only
      sys_app Read Only
      sys_ui_section Read Only
      sys_ui_element Read Only
      sys_package Read Only

      You can refer to the following table for the required permissions when you want to create a ServiceNow Adapter connection with minimal access to the tables.

      Table Name Permission
      sys_db_object Read Only
      sys_package Read Only
    7. For the trigger role, select the respective permission (refer to the following table for required permissions), and select the Allow access to this table via web services check box if it is not selected already.
      Table Name Permission
      sys_soap_message Create, Update, and Delete
      sys_soap_message_function Create, Update, and Delete
      sys_script Create, Update, and Delete
      sys_db_object Read Only
      sys_plugins Read Only
      sys_app Read Only
      sys_ui_section Read Only
      sys_ui_element Read Only
      sys_package Read Only
      sys_documentation Read Only

      Note: Assign this permission if you want to view the field labels instead of the actual field names in the list.

      This provides the required access for the table and allows permission to access the table with web services.

      You can refer to the following table for the required permissions when you want to create a ServiceNow Adapter connection with minimal access to the tables.

      Table Name Permission
      sys_soap_message Create, Update, and Delete
      sys_soap_message_function Create, Update, and Delete
      sys_script Create, Update, and Delete
      sys_db_object Read Only
      sys_package Read Only
  3. Create or modify the access control list to assign permissions for the preceding tables.
    1. Assign the security_admin privileges to the admin user, if they are not assigned already. The admin user must have security_admin privileges to modify the access control lists.
      1. On the Home page, click the lock icon. In case of user interface 16, select Elevate Roles from the System Administrator drop-down list.
      2. Select the security_admin check box if it is not selected already.
    2. Search for Access Control in the Search box in the left pane and click Access Control (ACL) under System Security.
    3. Create two access control lists for a table (that is, table-level access control and field-level access control) to provide read, create, and write access to any table.
    4. Create the table-level access control list:
      1. Click New.
      2. For the invoke role, select record in the Type field, select read in the Operation field, and select a table name (for example, sys_plugins) in the Name field.
      3. For the trigger role, select record in the Type field, select create in the Operation field, and select a table name (for example, sys_soap_message) in the Name field.
      4. Under the Requires role section, search for the custom role (for example, Integration Specific Role), and click the check mark.
      5. Click Submit.
    5. Provide field-level access control:
      1. Click New.
      2. For the invoke role, select record in the Type field, select read in the Operation field, select a table name (for example, sys_plugins) in the Name field, and select * (asterisk) from the field next to the Name field.
      3. For the trigger role, select record in the Type field, select create in the Operation field, select a table name (for example, sys_soap_message) in the Name field, and select * (asterisk) from the drop-down list in the field next to the Name field.
      4. Under the Requires role section, search for the custom role (for example, Integration Specific Role), and click the check mark.
      5. Click Submit.
  4. Similarly, you must create an access control list for the preceding table to provide read, create, write, and delete permissions. If the access control list for a table exists, you can add the custom role under the Requires Role section.
    1. On the home page, search for users in the search box in the left pane and click Users under User Administration in the search results.
    2. Click New to create a new user.
    3. Enter the required values and click Submit.
    4. Search for the user with the user ID to assign roles.
    5. In the Roles section, click Edit.
    6. Search for the custom role (for example, Integration Specific Role), SOAP, and ITIL roles, and assign these roles to the user.
    7. Click Save.

Note:

When you create trigger endpoints using a new connection or an existing connection created prior to release 23.04 of Oracle Integration, you must provide access to the following tables: sys_rest_message, sys_rest_message_fn, and sys_rest_message_headers.

Prerequisites to Use the Authorization Code Credentials Security Policy and Resource Owner Password Credentials

You can configure the Resource Owner Password Credentials security policy and Authorization Code Credentials security policy to authenticate REST APIs. To use the Authorization Code Credentials security policy, you must perform the following prerequisites.

Note:

The ServiceNow Adapter only supports the Authorization Code Credentials security policy on Oracle Integration release 23.04 or later.

Register an App and Obtain the Client ID and Client Secret

  1. Log in to the ServiceNow cloud application (xxx.service-now.com) with administrator credentials.
  2. On the home page, search for OAUTH in the search box in the left pane, and click Application Registry under System OAuth in the search results.
  3. Click Create an OAuth API endpoint for external clients.
  4. On the Application Registries page, click New.
  5. In the Name field, enter a name for your app.
  6. In the Redirect URL field, enter the redirect URL in the following format:
    https://{OIC_Host}:{OIC_SSL_PORT}/icsapis/agent/oauth/callback 
  7. Click Submit. The system generates the client ID and client secret.
  8. On the Application Registries page, click the application you created.
  9. Copy the client ID and client secret values. You must enter these values on the Connections page when you configure security for your ServiceNow Adapter connection. See Configure Connection Security.

Assign Required Permissions to Tables

Note:

The ServiceNow Adapter only supports the Resource Owner Password Credentials security policy on Oracle Integration Release 23.08 or later.

Permissions                 Operation
sys_plugins                 Gets standard applications.
sys_app                     Gets custom applications.
sys_db_object               Gets modules.
sys_documentation           Views the field labels, instead of actual field names in the user interface.
sys_package                 Fetches standard packages. Note: This permission is required for both connections (that is, invoke and trigger connections).
sys_script                  For insert/update/delete of ServiceNow business rules. Note: This permission is required only for trigger connections.
sys_rest_message            For insert/delete of ServiceNow outbound REST messages. Note: This permission is required only for trigger connections.
sys_rest_message_fn         For insert ServiceNow outbound REST message functions. Note: This permission is required only for trigger connections.
sys_rest_message_headers    For insert ServiceNow outbound REST message headers info. Note: This permission is required only for trigger connections.