AD Admin Account Provisioning through ServiceNow Catalog item

kumarvadlamudi
New Contributor III

We have 2 types of identities, Employees and Contractors, with HR and ServiceNow as the source of truth. Provisioning of these user identities happens in AD based on birthright rules.

Requirement:

Create ADMIN Accounts in Active Directory based on a Catalog item in ServiceNow.

We are working on an approach to get the catalog requests submitted from a ServiceNow table through an API call and save them as accounts in Saviynt. Can we create the ADMIN accounts in AD and tag them to the user identity?

If you have any questions please let me know.

Also, please help with an alternate solution to provision AD admin accounts through ServiceNow catalog requests and tag them to the user identity.


nimitdave
Saviynt Employee

You can have a separate endpoint such as AD-admin and use the Saviynt createRequest REST API to submit a request. Have a workflow attached which has a check for the endpoint name or key to auto-approve such requests. This will help to generate the provisioning tasks for such requests without going for approval.

SinghAtul
Regular Contributor

@nimitdave 

We worked on the approach suggested by you.

We have an Auto Approval Workflow attached to the Security System(Active Directory).

We are importing the ServiceNow catalog items as accounts and calling the Saviynt createAccountRequest API. For now we are just importing a single catalog item from ServiceNow by specifying the 'id' in the URL.

The account(catalog item) is getting imported successfully but the create New Account task is not getting generated for some reason. 

Below is the ImportAccountEntJson we are using:

{
  "accountParams": {
    "connection": "snowAuth",
    "processingType": "SequentialAndIterative",
    "successResponses": {
      "statusCode": [200]
    },
    "call": {
      "call1": {
        "callOrder": 0,
        "stageNumber": 0,
        "http": {
          "url": "https://xxxxx.service-now.com/api/now/table/u_adm_accounts_management/023fe9441b544dd08dc80e5fe54bcb...",
          "httpHeaders": {
            "Authorization": "${access_token}"
          },
          "httpContentType": "application/json",
          "successResponses": {
            "statusCode": [200, 201]
          },
          "httpMethod": "GET"
        },
        "listField": "result",
        "keyField": "accountID",
        "statusConfig": {
          "active": "Active",
          "inactive": "Inactive"
        },
        "colsToPropsMap": {
          "accountID": "u_employee_id~#~char",
          "name": "u_employee_name~#~char",
          "displayname": "u_employee_name~#~char",
          "status": "u_status~#~char",
          "customproperty1": "u_adm_id~#~char",
          "customproperty2": "u_source~#~char",
          "customproperty3": "u_require_azure_ad_access~#~char",
          "customproperty4": "sys_id~#~char",
          "customproperty5": "sys_updated_by~#~char",
          "customproperty6": "u_manager~#~char",
          "customproperty7": "sys_created_by~#~char",
          "customproperty8": "u_review_date~#~char"
        }
      },
      "call2": {
        "connection": "ssmAuth",
        "callOrder": 1,
        "stageNumber": 3,
        "http": {
          "url": "https://xxxxxx.saviyntcloud.com/ECM/api/v5/createrequest",
          "httpHeaders": {
            "Authorization": "${access_token}"
          },
          "httpContentType": "application/json",
          "successResponses": {
            "statusCode": [200, 201, 204]
          },
          "unsuccessResponses": {
            "statusCode": [400, 403, 401, 404, 409, 501, 500]
          },
          "httpMethod": "POST",
          "httpParams": "{\"requesttype\": \"NEW\",\"username\": \"${'c'+(account.accountID)}\",\"endpoint\": \"Active Directory\",\"securitysystem\": \"Active Directory\",\"comments\": \"AD admin account request\",\"accountname\": \"${account.customproperty1}\",\"requestor\": \"${account.customproperty7}\",\"checksod\": \"true\"}"
        },
        "inputParams": {
          "dependentCall": true
        }
      }
    }
  },
  "entitlementParams": {},
  "acctEntParams": {}
}

Can you please help us out? We are not able to figure out what's wrong with the above JSON.

We are able to create New Account tasks by calling the CreateNewAccountRequest Saviynt API from Postman, but through the Saviynt ImportAccntEntJson it's not working.

Even with hardcoded values as below it's not working, and the New Account task is not getting generated.

"httpParams": "{\"requesttype\": \"NEW\",\"username\": \"c056155\",\"endpoint\": \"Active Directory\",\"securitysystem\": \"Active Directory\",\"comments\": \"AD admin account request\",\"accountname\": \"adm056155\",\"requestor\": \"a423767\",\"checksod\": \"true\"}"

Please guide. Are we doing it correctly? Can the Saviynt APIs be called this way in ImportAccountEntJsons? Or is this not supported, and that's why it isn't working?

Thanks.

SinghAtul
Regular Contributor

@nimitdave 

Hi Nimit,

Can you please confirm whether this is the right approach? When you said to submit the request through the createRequest API, did you mean to include this API call in the ImportAccountEntJson, or somewhere else?

Please guide. We have been stuck with this for weeks. The second call (the Saviynt API call) is not being called at all. We cannot see this call being made in the logs. call1 (for the ServiceNow account) is being made and succeeds.

The job shows status as Success, even though call2 is not being called.

nimitdave
Saviynt Employee

@kumarvadlamudi @SinghAtul PFB the approach:

1. The end user/AD admin comes to the ServiceNow portal and submits a request for AD account creation.

2. The request goes through approval in ServiceNow as per the defined workflow and is then approved.

3. ServiceNow invokes the createrequest Saviynt REST API to create a request in Saviynt EIC for an endpoint, say AD Admins, and passes the RITM number as comments.

4. Now in Saviynt EIC the request is auto-approved as per the workflow attached to the security system AD Admin for endpoint AD Admin.

5. A Create Account task is created and provisioning happens using an AD Admin connection.

6. ServiceNow has a scheduled task/job to keep pulling the status of the tasks created for the ServiceNow request number, as per the RITM details stored in the task comments.

No need to use the import account JSON to import data from ServiceNow to Saviynt.

You should only have an import from the AD target system to the AD Admins endpoint in Saviynt EIC, to validate that the create request does not allow a duplicate request for already existing accounts or accounts with the same accountname.
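The ServiceNow-side integration described in steps 3 and 6 above, together with the duplicate check the last paragraph calls for, as an added Python example that is not part of this thread and not Saviynt's or ServiceNow's own code. It reuses the createrequest payload fields that appear in SinghAtul's JSON (requesttype, username, endpoint, securitysystem, comments, accountname, requestor, checksod), carries the RITM number in the comments so the polling job can find it again, and refuses to submit when the requested accountname already exists among accounts imported from AD. The Saviynt host, the RITM record, the existing-account list and the `send` callback are all constructed or assumed; the real HTTP transport is only used when no callback is injected.

```python
"""Added example: ServiceNow -> Saviynt createrequest bridge for AD admin accounts."""
import json
import re
import urllib.request

# Placeholder host, as in the thread; not a real tenant.
SAVIYNT_CREATEREQUEST_URL = "https://xxxxxx.saviyntcloud.com/ECM/api/v5/createrequest"

# Constructed sample RITM record, with the same ServiceNow column names the
# thread's colsToPropsMap uses (u_employee_id, u_adm_id, sys_created_by, ...).
SAMPLE_RITM = {
    "number": "RITM0012345",        # constructed RITM number
    "u_employee_id": "056155",
    "u_adm_id": "adm056155",
    "sys_created_by": "a423767",
    "u_manager": "m100001",         # constructed
}

# Constructed list of sAMAccountNames already imported from AD into the
# AD Admins endpoint (step "import from AD target system" above).
EXISTING_AD_ADMIN_ACCOUNTS = ["adm000001", "ADM056155"]

REQUIRED_RITM_FIELDS = ("number", "u_employee_id", "u_adm_id", "sys_created_by")


def build_create_request(ritm, endpoint="AD Admin", security_system="AD Admin"):
    """Map an approved RITM record to the createrequest payload shape used in the thread.

    The RITM number goes into 'comments' so the ServiceNow poller (step 6) can
    correlate Saviynt tasks back to the request.
    """
    missing = [f for f in REQUIRED_RITM_FIELDS if not ritm.get(f)]
    if missing:
        raise ValueError(f"RITM record is missing required fields: {missing}")
    return {
        "requesttype": "NEW",
        "username": "c" + ritm["u_employee_id"],      # same prefix rule as the thread's JSON
        "endpoint": endpoint,
        "securitysystem": security_system,
        "comments": f"AD admin account request {ritm['number']}",
        "accountname": ritm["u_adm_id"],
        "requestor": ritm["sys_created_by"],
        "checksod": "true",
    }


def is_duplicate(accountname, existing_accounts):
    """AD sAMAccountName comparison is case-insensitive, so normalise both sides."""
    wanted = accountname.strip().lower()
    return wanted in {a.strip().lower() for a in existing_accounts}


def ritm_from_comments(comments):
    """Recover the RITM number from a task comment (used by the status poller)."""
    match = re.search(r"\bRITM\d+\b", comments or "")
    return match.group(0) if match else None


def _http_send(url, body, token):
    """Default transport: POST JSON with a bearer token (assumed header format)."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:  # network call; not exercised in tests
        return resp.status, json.loads(resp.read().decode("utf-8"))


def submit_admin_account_request(ritm, existing_accounts, token, send=None):
    """Validate, de-duplicate and submit. Returns (submitted: bool, detail).

    'send' is an injectable callback (url, body, token) -> (status, json) so the
    logic can be exercised without a Saviynt tenant; it defaults to real HTTP.
    """
    payload = build_create_request(ritm)
    if is_duplicate(payload["accountname"], existing_accounts):
        return False, f"account {payload['accountname']} already exists in AD; not submitted"
    status, body = (send or _http_send)(SAVIYNT_CREATEREQUEST_URL, payload, token)
    if status not in (200, 201, 204):
        return False, f"createrequest returned HTTP {status}: {body}"
    return True, body


if __name__ == "__main__":
    # Offline demo with a fake transport that records the payload it would have sent.
    def fake_send(url, body, token):
        print("would POST to", url, json.dumps(body))
        return 200, {"errorCode": "0", "message": "constructed fake response"}

    print(submit_admin_account_request(SAMPLE_RITM, EXISTING_AD_ADMIN_ACCOUNTS, "token", fake_send))
    fresh = dict(SAMPLE_RITM, u_adm_id="adm999999", number="RITM0099999")
    print(submit_admin_account_request(fresh, EXISTING_AD_ADMIN_ACCOUNTS, "token", fake_send))
```

The duplicate check runs before the API call on purpose: a second request for an existing admin account should fail in ServiceNow with a clear reason rather than rely on Saviynt rejecting it after the auto-approval workflow has already run.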