Configure a ServiceNow instance for CDC

This document describes how to configure your ServiceNow instance for use with Datastream. To establish a connection, you can authenticate using either basic authentication or the OAuth 2.0 client credentials flow.

Before you begin

Before you start configuring ServiceNow for use with Datastream, ensure that you have:

An active ServiceNow instance, for example, company.service-now.com.
Administrator privileges on the ServiceNow instance to create users, assign roles, and manage the OAuth Application Registry.
Knowledge of your ServiceNow instance version.

Configure an integration user

In ServiceNow, you can either create a new user or adjust the settings for an existing account to allow Datastream access. For security and auditing purposes, we highly recommend that you create a dedicated integration user.

In ServiceNow, navigate to User Administration > Users.
To create a new user, click New. To edit an existing user, search for the User ID in the user list and click it to open the record.
Configure user details:
- Enter a unique name in the User ID field, for example, datastream_integration. You set the user identifier only for new users.
- If you select OAuth authentication for the connector, we recommend that you enter values in the First name and Last name fields to better identify the user record.
- Identity configuration: based on your ServiceNow platform version:
  - Xanadu and later: select Machine in the Identity type drop-down. This automatically enables Web service access only.
  - Pre-Xanadu: select the Web service access only checkbox.
Save the record:
- For new users, click Submit.
- For existing users, click Update.
If you created a new user, reopen the record. Find the user in the list and click their User ID to access the record options.
Set password:
1. Click Set Password in the form header.
2. Enter a strong password and click Save Password.
3. If you use basic authentication for the connector, take note of the password because it's required when configuring the connection profile.
Assign permissions. You must grant the integration user read access to all tables that you want to replicate. Additionally, the connector requires explicit read permissions for the sys_db_object, sys_table_rotation and sys_dictionary system metadata tables.

Optional: Configure OAuth 2.0 client credentials

OAuth 2.0 is the most secure and recommended authentication method for using the ServiceNow connector with Datastream. It uses a Client ID and Client secret instead of a permanent password.

Activate the OAuth 2.0 plugin for your instance. For more information, see the ServiceNow documentation.
Make sure that the com.snc.platform.security.oauth.is.active system property is set to true. For more information, see the ServiceNow documentation.
Make sure that the glide.oauth.inbound.client.credential.grant_type.enabled system property is set to true. For more information, see the ServiceNow documentation.
Set up inbound OAuth configuration. Depending on your instance security requirements, you can select one of the following OAuth configuration scopes:
- Broadly scoped: when using broadly scoped OAuth, the token bearer inherits the associated user roles and access control lists (ACLs).
- Granular REST API auth scoped: this type of OAuth configuration restricts to specific REST APIs and methods permitted by the scope in addition to associated user roles and ACLs.
Create the OAuth integration record. For more information, see the ServiceNow documentation:
- For Zurich platform version and later
- For pre-Zurich platform versions
After you create the OAuth integration record, the configuration depends on the platform version and OAuth scope:
- Broadly scoped configuration:
  - Zurich and later: in the Auth scope section for your integration record, make sure that there aren't any entries in the Auth scope or Limit authorization to the following APIs fields, and that the Allow access only to APIs in selected scope checkbox isn't selected.
  - Pre-Zurich: in the Scope restriction drop-down, select Broadly scoped and leave the Auth scopes list empty.
- Granular REST API Auth scoped configuration: optionally, use auth scopes to further limit the token bearer to specific REST APIs and methods permitted by the scope. The Datastream connector only requires GET access to the Table API. Depending on the platform version, perform the following steps:
  - Zurich and later: in the Auth scope section for your integration record, select an authorization scope and limit its access to the Table API.
    
    Note: If you create the authorization scope when editing your integration record, the scope has access to all API methods of the Table API by default. To further limit access to the GET method only, you must manually edit the newly created record by navigating to System Web Services > API Auth Scopes > REST API Auth Scope.
  - Pre-Zurich:
    1. Restrict access to the Table API for the selected authorization scope. For more information, see the ServiceNow documentation.
    2. Add the scope under the Auth Scopes section.
    3. Select Securely scoped in the Scope Restriction box.

Optional: Configure IP address access control

If your ServiceNow instance uses IP Address Access Control, you must explicitly allowlist Datastream IP addresses.

The following steps are only required if you have an IP address access control DENY rule that covers Datastream IP addresses. By default, there are no IP restrictions on access to the instance.

In ServiceNow, navigate to System Security > IP Address Access Control.
Click New.
In the record creation form, apply the following settings:
1. In the Type drop-down, select Allow.
2. In the Direction drop-down, select Inbound.
3. In the Range start and Range end fields, enter the specific IP address or range of addresses from the list of Datastream IP addresses.
4. Make sure that the Active checkbox is selected.
Click Submit.
Repeat the previous steps for every IP address in the list of Datastream addresses.

What's next

Learn more about the ServiceNow source.