ServiceNow Connection
Data Connection Setup
There are three steps to set up a ServiceNow data connection:
Let's look at these in detail.
Configure a user with sufficient permissions in ServiceNow.
In order to extract data from ServiceNow the Celonis Extractor requires a user with sufficient permissions. The following permissions are required:
the role soap_query
the role rest_service
access to the table sys_db_object
access to each table which should be extracted
Important
You need to be logged in as a user with elevated privileges because you need to modify access control lists (ACL).
Create a new role.
In order to assign the correct access right to the user used for the Celonis extraction, we recommend creating a new role in the user administration section, e.g. z_celonis_extract as shown in the screenshot to the left.
Create a new user and assign the required roles.
We recommend creating a new user for the data extraction. You need to assign the following roles to this user:
soap_query
rest_service
the role created in step 1a, e.g. z_celonis_extract
Elevate privileges of your user.
In order to modify access control for the newly created Celonis role you need to elevate your privileges. You find this option when clicking on your user name in the top bar (see screenshot). This will be only temporary and can be revoked after the next steps are completed.
Allow access to the table sys_db_object.
With the elevated role you can open access control lists (ACL). Here you need to create a new ACL with the following attributes:
Operation: read
Active: true
Name: Table [sys_db_object]
Field (Column): *
Required roles: the role created in step 1a, e.g. z_celonis_extract
Settings that take an asterisk (*) are dependent on their ServiceNow permission settings. If you experience problems, change * to None.
No other conditions should be necessary. For further information, consult the ServiceNow access control list rules.
Allow access to all the tables which should be extracted.
With the elevated role you can open access control lists (ACL). Here you need to create a new ACL with the following attributes:
Operation: read
Active: true
Name: the name of the table
Field (Column): table.* (all fields selected)
Required roles: the role created in step 1a, e.g. z_celonis_extract
Settings that take an asterisk (*) are dependent on their ServiceNow permission settings. If you experience problems, change * to None.
No other conditions should be necessary. For further information, consult the ServiceNow access control list rules.
This step has to be repeated for all required tables.
For every table, an additional ACL with the following attributes shall be created:
Operation: read
Active: true
Name: the name of the table
Field (Column): --None--
Required roles: the role created in step 1a, e.g. z_celonis_extract
Allowlist EMS IP addresses.
Note
Follow this step only if your system is IP-blocked.
If your system is only reachable within a certain IP range, you need to allowlist the outbound IPs of the EMS, otherwise data cannot be extracted. The IPs of the EMS are different depending on the cluster (eu-1 or us-1). For the list of clusters and their IP addresses, see Allowlisting Celonis IP addresses.
Create a Data Connection in a Data Pool.
Enter the name of the new ServiceNow connection and then enter the following:
User: The user name of the user connecting with the ServiceNow system.
Password: The password of the user connecting with the ServiceNow system.
Tenant: The realm of your ServiceNow instance. The realm can be found by looking at the system URL. In this URL: https://mycompany.service-now.com for example "mycompany" would be the realm.
Data Extraction
Authentication
In order to connect to your ServiceNow system, you can choose between basic authentication (user name, password) and OAuth. The OAuth flow is a more secure way to transfer data from a client system to the EMS, because you do only need to include the client username and password in the first request, and then never again.
In order to authenticate via OAuth, you need to register Celonis as an application that has access to your account. Please follow the information on this page:
As Redirect URL please use the following: https://auth.redirect.celonis.cloud/service-now_redirect
When setting up the data connection you also have the option to authenticate via OAuth, using the credentials you've defined in the OAuth client application.
Data Access
The Celonis connector performs read-only operations on your ServiceNow data. No writing changes (like updates, deletions) will be performed at any time during the extraction process.
Source System Impact
None of our customers have ever experienced performance issues through the ServiceNow connector in any way.
Security
Transfer of the data from the ServiceNow system to the target system is secured through HTTPS via TLS 1.2, which allows for an encrypted exchange of information.
Duration
Depending on the amount of data in your ServiceNow source system, the data extraction can take several hours.
Filters
Not all filter combinations with AND and OR are possible. Please follow the guidelines below:
These filters are possible
A AND B, example: sys_created_on > '2011-09-14' AND sys_updated_by = 'system' A OR B, example: sys_created_on > '2011-09-14' OR sys_updated_by = 'system' (A AND B) AND C, example: (sys_created_on > '2011-09-14' AND sys_updated_by = 'system') AND sys_updated_on > '2018-12-05' (A OR B) OR C, example: (sys_created_on > '2011-09-14' OR sys_updated_by = 'system') OR sys_updated_on > '2018-12-05' A OR (B AND C), example: sys_updated_by = 'system' OR (sys_created_on > '2011-09-14' AND sys_updated_on > '2018-12-05')
If you would like to specify a filter like this
Impossible filter
A AND (B OR C), example: sys_updated_by = 'system' AND (sys_created_on > '2011-09-14' OR sys_updated_on > '2018-12-05')
it does not work in ServiceNow. However, you can use this logical equivalent instead:
Working filter
(A AND B) OR (A AND C), example: (sys_updated_by = 'system' AND sys_created_on > '2011-09-14') OR (sys_updated_by = 'system' AND sys_updated_on > '2018-12-05')