To set up the ServiceNow CMDB integration, you need to provide the hostname of your ServiceNow instance and valid credentials. The connector supports both Basic Authentication and OAuth 2.0 as authentication options for read-only access. Basic Authentication requires a username and password to connect, and OAuth 2.0 is based on granting client credentials.
Note
The ServiceNow connector supports Basic Authentication and OAuth 2.0 (client credentials grant). We recommend creating a dedicated user for use with data connectors in Exposure Management with least-privilege (cmdb_read) role assignment.
Configure ServiceNow with Basic Authentication
- Find the hostname of your ServiceNow instance. For example, "contoso.service-now.com".
- Create a new ServiceNow user:
  - Follow the steps here to create a new user.
  - Keep the username (User Id) and password you provided for future use.
  - If there's no password field, submit the form to create the user. Afterwards, when you select the new user, you receive the Set Password option.
  - As you create the user, check the Web service access only box so that the user is dedicated to this integration.
- Assign a cmdb_read role to the user you have created. Detailed instructions can be found here.
Configure OAuth 2.0 authentication (client credentials flow)
Use OAuth 2.0 client credentials to avoid storing a long‑lived password and to align with modern authentication standards.
Prerequisites
- Create (or identify) a ServiceNow user with at minimum the cmdb_read role. For detailed instructions on creating a ServiceNow user and assigning roles, see the Configure ServiceNow with Basic Authentication section. We recommend a dedicated integration user; admin is only required temporarily if needed to install plugins.
- Verify these plugins are installed (navigate to sys_plugins.list):
  - OAuth 2.0 (com.snc.platform.security.oauth)
  - REST API Provider (com.glide.rest)
  - Authentication scope (com.glide.auth.scope)
  - REST API Auth Scope Plugin (com.glide.rest.auth.scope)
- Enable the client credentials grant:
  - Navigate to sys_properties.list
  - Property name: glide.oauth.inbound.client.credential.grant_type.enabled
  - Value: true
  - This property toggles support for the client credentials flow.
Create the OAuth client (Application Registry)
- Go to: System OAuth -> Application Registry.
- Select: Create an OAuth API endpoint for external clients.
- Fill mandatory fields (Name, etc.). Leave Redirect URL and Login URL blank (not used for client credentials).
- Ensure Public Client remains unchecked (must be a confidential client).
- Save the record.
- In the Application Registries list view, customize the view (gear icon) to add the "OAuth Application User" column.
- Set the OAuth Application User to the dedicated integration user (the token will assume this user's roles).
- Open the record to copy the Client ID and generate/view the Client Secret.
Token endpoint and grant details
- Token URL format: https://<your-instance>.service-now.com/oauth_token.do
- Grant type: client_credentials
- No redirect or authorization code is involved.
- Scopes: Not typically required; access is determined by the roles of the OAuth Application User.
- Required role on the integration user: cmdb_read (plus any additional roles needed for specific CI access, if applicable).
Differences vs Basic Authentication
- Credentials rotate easily (regenerate client secret without changing the integration user password).
- Authentication is scoped to the roles of the OAuth Application User.
- Rate limits and data scope are unchanged; ensure a dedicated user to avoid API contention.
- No interactive login or redirect URLs are required.
Troubleshooting OAuth
| Issue | Action |
|---|---|
| 401 Unauthorized | Confirm client ID/secret are correct; verify OAuth Application User is set; ensure cmdb_read role assigned; confirm property glide.oauth.inbound.client.credential.grant_type.enabled = true. |
| 403 Forbidden | User lacks required CMDB read role; add cmdb_read. |
| Invalid client | Regenerate client secret; verify you used "OAuth API endpoint for external clients". |
| Token endpoint failure | Verify plugins installed; confirm instance hostname correctness. |
| Empty or missing CMDB data | Validate the integration user can view CIs in the CMDB directly; check roles. |
For more background on ServiceNow OAuth, see ServiceNow documentation.
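A pre-flight check for the OAuth setup above, as an added example that is not part of the connector or the original page: it requests a token with the client credentials grant, reads a single cmdb_ci row with that token, and maps failures to the troubleshooting actions in the table. The `preflight` and `call` names, the injectable `opener` parameter, the hostname pattern, and the ServiceNow Table API path used for the probe are assumptions of this example.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Assumption: hostname follows the page's <your-instance>.service-now.com format.
HOST_RE = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?\.service-now\.com")
HINTS = {  # condensed from the page's "Troubleshooting OAuth" table
    401: "check client ID/secret, OAuth Application User, cmdb_read role and "
         "glide.oauth.inbound.client.credential.grant_type.enabled = true",
    403: "integration user lacks the cmdb_read role",
    200: "no usable data returned; confirm the integration user can view CIs",
    0: "verify plugins and instance hostname",  # default for any other status
}

def call(opener, req):
    """Send req; return (HTTP status, parsed JSON body or {})."""
    try:
        with opener(req) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, {}
    try:
        return status, json.loads(raw)
    except ValueError:  # non-JSON body, e.g. an HTML error page
        return status, {}

def preflight(host, client_id, client_secret, opener=urllib.request.urlopen):
    """Get a token, then read one cmdb_ci row with it. Returns (ok, message)."""
    host = host.strip().lower()
    if not HOST_RE.fullmatch(host):
        # Refuse before the client secret is sent to a mistyped or foreign host.
        return False, f"not an instance hostname: {host!r}"
    form = urllib.parse.urlencode({"grant_type": "client_credentials",
        "client_id": client_id, "client_secret": client_secret}).encode()
    status, body = call(opener, urllib.request.Request(
        f"https://{host}/oauth_token.do", data=form, method="POST"))
    if status != 200 or "access_token" not in body:
        return False, f"token request failed ({status}): {HINTS.get(status, HINTS[0])}"
    # Assumed probe: ServiceNow Table API, one row, sys_id only. Token never logged.
    probe = urllib.request.Request(
        f"https://{host}/api/now/table/cmdb_ci?sysparm_limit=1&sysparm_fields=sys_id",
        headers={"Authorization": "Bearer " + body["access_token"]})
    status, body = call(opener, probe)
    if status != 200 or not body.get("result"):
        return False, f"CMDB read failed ({status}): {HINTS.get(status, HINTS[0])}"
    return True, "token issued and cmdb_ci readable"
```

Run it with the Client ID and Client Secret read from a secret store or environment variable rather than typed on the command line, so the secret does not end up in shell history.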
Establish ServiceNow connection in Exposure Management
To establish a connection with ServiceNow in Exposure Management, follow these steps:
- Open the Data Connectors from the Exposure Management navigation and select Connect in the ServiceNow CMDB tile.
- Choose your authentication method and enter the required information:
- For Basic Authentication: Enter your ServiceNow instance hostname and the username and password created in the Basic Authentication configuration.
- For OAuth 2.0: Choose the OAuth 2.0 authentication option and enter your instance hostname, Client ID, and Client Secret created in the OAuth configuration.
- Select Connect. The system will authenticate using your chosen method and retrieve CMDB data.
Retrieved data
Exposure Management currently retrieves data on devices, their business application association, and business criticality. Additional data is also retrieved that helps identify the device, such as network adapter information and OS data.
The following fields are ingested via the connector:
| Category | Properties |
|---|---|
| Devices | os, osVersion, osServicePack, cpuType, category, assetTag, virtual, serviceNowCriticality, usedFor, networkAdapters (see details below), lastLoggedOnUser, mostFrequentUser, sysClassName, uPrimaryBusinessApplication (see details below) |
| Network Adapter | name, sysId, macAddress, ipAddress, ipDefaultGateway |
| Business Application | sysId, number, uCriticality, businessCriticality |
Troubleshooting the connector
Here are some common issues that might arise when configuring the ServiceNow Connector, and suggestions for how to resolve them.
| Error Type | Troubleshooting Action |
|---|---|
| 'The remote server name couldn't be resolved' error message | Verify ServiceNow Instance hostname. Learn more about authentication to ServiceNow here: Authentication (servicenow.com) |
| Error code 401: Authorization failure | An authorization failure indicates that credentials might not be correct, or there might not be sufficient permissions to access the ServiceNow data. Check your credentials and make sure they are correct and valid. Also check that your credentials have the required permissions. See the Configure ServiceNow with Basic Authentication section for details on how to ensure the cmdb_read role is assigned. Another possible reason for this failure is that your ServiceNow instance is configured to accept connections only from a limited range of IP addresses. In this case, see the guidance for adding the right set of IPs to your allowlist here: Allowlist IP addresses |
| Error code 403: Access forbidden error | This error indicates that the provided credentials lack the necessary permissions to run the requested APIs. Update your credentials with the proper permissions as described in the Configure ServiceNow with Basic Authentication section, and make sure they have at minimum cmdb_read role assigned. |
| Error code 404: Not found error | This error indicates that the requested endpoint couldn't be reached. Verify that your ServiceNow Instance hostname is correct. |
| Error code 429 'Too many requests' | The system periodically pulls data from the configured external providers, which might have a limit on the number of concurrent requests. We recommend creating a dedicated user or account for the connector to avoid reaching this limit. |
| Bad URL error message | This error indicates that the requested endpoint couldn't be reached. Verify that your ServiceNow Instance hostname is correct. |
| 'Temporary disconnected' or 'Temporary failure' error | In the case where this error message appears without any additional information, verify the connector configuration (hostname and credentials). If these are valid and the issue does not resolve on its own, contact Support. |
| Not seeing some ServiceNow CMDB CIs or assets in the ingested data | See Retrieved data for a description of the data expected to be retrieved by the ServiceNow CMDB connector. If there's still missing data, contact Support. |
| Not seeing any data ingested from ServiceNow CMDB | Review your connection status to ensure there are no errors. Validate that there are valid entries in your ServiceNow CMDB that correspond with the data we are retrieving. Run the sample Advanced Hunting query to check if any ServiceNow assets can be found in the Exposure Graph tables. If you are still unable to find your ServiceNow CMDB data, contact Support. |
| ServiceNow allowed IPs need to be configured to enable Exposure Management connectors to access ServiceNow | Read how to add the set of IPs to your allowlist here: Allowlist IP addresses |
Next steps
After configuring the ServiceNow data connector:
- Review your attack surface map to see ServiceNow data
- Explore security recommendations
- Set up security initiatives to track remediation progress