How to modify groups in ServiceNow

Abstract

ServiceNow is our new ITSM system. To modify groups within ServiceNow, you need two sets of permissions:

  • Active Directory modify
  • Administrator (or a lesser but equivalent role) on the ServiceNow instance you need to modify

Technically, you can get away with JUST having Active Directory modify rights, if you're patient enough to let the scheduled job within ServiceNow suck the Active Directory changes into ServiceNow. Usually, though, you want to know immediately whether your changes applied properly.

Adding/Removing Users to Existing Groups

This is the most common procedure:

  • in AD, navigate to the group in the ServiceNow OU
  • add/remove users by NetID or by "last, first" name
  • if team lead status is specified or if this is a removal op:
    • log into the SN prod instance as an admin
    • navigate to the appropriate group record (sys_user_group table, or Groups in the application navigator)
    • edit the Team Lead field (list) to add/remove the person as a team lead

General Procedure

  • Modify the assignment group in Active Directory, in the ServiceNow OU:
    • type=distribution (for assignment groups)
    • type=security (for role groups)
    • group scope=global (default)
    • avoid using commas in names
    • enter the group manager in "managed by"
    • enter any group members
  • If this is a delete or subtractive modification, deactivation and cleanup need to be done manually in SN. (How to do this?)
  • If this is a create or additive modification, the import job needs to run. The SN group import runs every 15 minutes, after which an SN admin must modify the group record:
    • manually enter queue managers into the "Team Leads" list
    • manually tag the group as Tier 1 if appropriate
    • manually add this group to all roles which are granted by the "ITIL" and "ServiceDesk Analyst" group – currently "itil", "filter_group", "catalog" (this is now done via a business rule called "Update Roles" on the group table)
    • manually edit the list of Provider Services as appropriate
    • manually edit the list of Group Email Aliases for inbound email as appropriate
    • manually edit the list of Service Contracts as appropriate

Making Changes to Active Directory

This can be done in bulk or piecemeal (for small numbers of changes).

Piecemeal changes: Configuring ActiveDirectory using Windows 7 virt for ServiceNow
Bulk changes: Bulk AD Changes

Forcing the Active Directory scheduled job to run immediately

This job runs every 15 minutes. Patience is advised in lieu of forcing the job.

This requires logging into ServiceNow as an administrator rather than as a regular unprivileged user. Granting admin privileges to a regular user account is a bad idea; instead, we should create a separate admin account. Because this separate account has no NetID, it cannot use the regular CAS-ified front door for ServiceNow.

Instead, we need to go to:

https://yale.service-now.com/side_door.do

and enter the admin credentials.

Then look for Scheduled Imports (typing 'Scheduled' in the top search box will constrain your UI to a usable subset), and find Yale AD / Groups Import.

Choose to Run Now on that import.

Then look for Progress Workers.

If you click over there fast enough, the import will be orange and still running. But it runs pretty fast. It will probably be in the history listing, and be colored green.

That's it. If you want to verify, you can choose Groups from the admin console, find the relevant group you modified, and verify the user adds applied properly.
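
Because removals and Team Lead changes are cleaned up by hand in SN while additions arrive through the import, the two systems can drift apart. The sketch below is an added example, not part of the original page or of any ServiceNow or Yale tooling: it reconciles an exported AD membership list against an exported SN group list and flags access that should have been removed. The dictionary layout, group names and NetIDs are constructed assumptions.

```python
# Added example. All data is constructed; the dict layout is an assumed
# export shape, not an Active Directory or ServiceNow API response.

def _norm(netids):
    # Assumption: NetIDs compare case-insensitively; drop blank entries.
    return {n.strip().lower() for n in netids if n and n.strip()}

def reconcile(ad_groups, sn_groups):
    """Report per-group drift, treating AD as the source of truth.

    ad_groups: {group name: [member NetIDs]} from the ServiceNow OU
    sn_groups: {group name: {"members": [...], "team_leads": [...]}}
    """
    report = {}
    for name in sorted(set(ad_groups) | set(sn_groups)):
        ad = _norm(ad_groups.get(name, []))
        sn = sn_groups.get(name, {})
        members = _norm(sn.get("members", []))
        leads = _norm(sn.get("team_leads", []))
        drift = {
            # Removed in AD but still in SN: manual cleanup was missed.
            "stale_members": sorted(members - ad),
            # Team Leads is hand-maintained, so it outlives AD removals.
            "stale_team_leads": sorted(leads - ad),
            # Added in AD but not in SN yet: the import has not run.
            "pending_import": sorted(ad - members),
            # Group is gone from the OU but its SN record remains.
            "missing_in_ad": name not in ad_groups,
        }
        if any(drift.values()):
            report[name] = drift
    return report

# Constructed sample exports (hypothetical group names and NetIDs).
AD_EXPORT = {
    "Example Help Desk": ["abc12", "DEF34", "ghi56"],
    "Example Network Ops": ["jkl78"],
}
SN_EXPORT = {
    "Example Help Desk": {"members": ["abc12", "def34", "xyz99"],
                          "team_leads": ["xyz99"]},
    "Example Network Ops": {"members": ["jkl78"], "team_leads": ["jkl78"]},
    "Example Retired Team": {"members": ["mno90"], "team_leads": []},
}

if __name__ == "__main__":
    for group, drift in reconcile(AD_EXPORT, SN_EXPORT).items():
        print(group, drift)
```

An entry under pending_import normally clears after the next 15-minute import; stale_members and stale_team_leads do not clear on their own.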