
Abstract

ServiceNow is our new ITSM system. To modify groups within ServiceNow, you need two sets of permissions:

...

Technically, you can get away with JUST having Active Directory modify rights, if you're patient enough to let the scheduled job within ServiceNow pull the Active Directory changes into ServiceNow. Usually, though, you want to know immediately whether your changes applied properly.

...

Adding/Removing Users to Existing Groups

This is the most common procedure:

  • in the AD, navigate to the group in the ServiceNow OU
  • add/remove users by netid or last, first
  • if team lead status is specified or if this is a removal op:
    • go into SN prod instance as an admin
    • navigate to the appropriate group record (sys_user_group table, or Groups in the application navigator)
    • edit the Team Lead field (list) to add/remove the person as a team lead

General Procedure

  • Modify the assignment group in Active Directory, in the ServiceNow OU:
    • type=distribution (for assignment groups)
    • type=security (for role groups)
    • group scope=global (default)
    • avoid using commas in names
    • enter the group manager in "managed by"
    • enter any group members
  • If this is a delete or subtractive modification, any removals, deactivation and cleanup need to be done manually in SN. (how to do this?)
  • If this is a create or additive modification, the import job needs to run. The SN group import will run every 15 minutes, after which an SN admin must modify the group record:
    • manually enter queue managers into the "Team Leads" list
    • manually tag the group as Tier 1 if appropriate
    • manually add this group to all roles which are granted by the "ITIL" and "ServiceDesk Analyst" groups – currently "itil", "filter_group", "catalog" (this is now done via a business rule called "Update Roles" on the group table)
    • manually edit the list of Provider Services as appropriate
    • manually edit the list of Group Email Aliases for inbound email as appropriate
    • manually edit the list of Service Contracts as appropriate
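
The Active Directory step of the procedure above can be scripted with the ActiveDirectory PowerShell module. This is an added example, not part of the original page or any existing tooling: the function name, its parameters, the OU distinguished name and the sample NetIDs are all hypothetical, and it assumes a NetID is the user's AD logon name. The ServiceNow-side steps still have to be done by an SN admin after the import runs.

```powershell
#Requires -Modules ActiveDirectory
# Added example: creates the AD group with the settings listed in the procedure.
# $ServiceNowOu is a placeholder; substitute the real DN of the ServiceNow OU.
function New-ServiceNowAdGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Commas are rejected up front, per "avoid using commas in names".
        [Parameter(Mandatory)]
        [ValidateScript({ $_ -notmatch ',' })]
        [string]$Name,

        # Assignment groups are distribution groups; role groups are security groups.
        [Parameter(Mandatory)]
        [ValidateSet('Assignment', 'Role')]
        [string]$Purpose,

        [Parameter(Mandatory)]
        [string]$ManagerNetId,

        [string[]]$MemberNetIds = @(),

        [Parameter(Mandatory)]
        [string]$ServiceNowOu
    )

    $category = if ($Purpose -eq 'Assignment') { 'Distribution' } else { 'Security' }

    # Resolve every account first so a mistyped NetID fails before anything is created.
    $manager = Get-ADUser -Identity $ManagerNetId -ErrorAction Stop
    $members = @($MemberNetIds | ForEach-Object { Get-ADUser -Identity $_ -ErrorAction Stop })

    if ($PSCmdlet.ShouldProcess("$Name in $ServiceNowOu", "Create $category group")) {
        $group = New-ADGroup -Name $Name -SamAccountName $Name `
            -GroupCategory $category -GroupScope Global `
            -Path $ServiceNowOu -ManagedBy $manager.DistinguishedName -PassThru
        if ($members.Count -gt 0) {
            Add-ADGroupMember -Identity $group -Members $members
        }
        # Read back what AD actually stored, so the result is confirmed before the import runs.
        Get-ADGroup -Identity $group -Properties ManagedBy, Members |
            Select-Object Name, GroupCategory, GroupScope, ManagedBy, Members
    }
}

# Constructed sample values; -WhatIf previews the change without writing to AD.
New-ServiceNowAdGroup -Name 'SN Example Queue' -Purpose Assignment `
    -ManagerNetId 'jdoe' -MemberNetIds 'asmith', 'bjones' `
    -ServiceNowOu 'OU=ServiceNow,DC=example,DC=edu' -WhatIf
```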

...

Forcing the Active Directory scheduled job to run immediately

Info

This job runs every 15 minutes. Patience is advised in lieu of forcing the job.

This requires logging into ServiceNow as an administrator rather than as a regular unprivileged user. It is a bad idea to grant administrative privileges to a regular user account; instead, we should create a separate account. Because this separate account has no NetID, it also cannot use the regular CAS-ified front door for ServiceNow.

...