Enabling Quality Clouds to scan ServiceNow instances
Following are the necessary requirements to allow scans:
- Ensure that the instance IP and port are accessible from the Internet.
- Enable WebService access to the package table (
- The user configured to run the scan must use local authentication mode.
- The user configured to run the scan must have read access to the tables listed here.
To connect your instance, follow the full procedure.
Decide on Admin vs non-Admin access
Quality Clouds uses the REST API to connect to and scan the code and configuration of your ServiceNow instance. This means that a valid username / password must be configured in Quality Clouds in order for the scan to execute successfully.
The first decision to make is whether you will grant the admin role to the user that Quality Clouds will use to connect to your instance. Bear in mind that the snc_read_only role can (and should) also be assigned to this user, which makes all access read-only. Also, this user can be a Web-service-only user, so it will not be possible to log into the ServiceNow UI with that user.
If you are not comfortable with granting the admin role, it is also possible to use a Quality Clouds specific role. The creation of this role, and of the ACLs which grant read only access on the required tables to the role, are available as an Update Set which you can install in your instance.
To help you decide which option is right for you, the table below summarizes the key differences between the two approaches.
In general, using a read-only admin role user is the preferred option, as it allows customers to ignore the Delta Update Sets and automatically enjoy all the new functionality provided by Quality Clouds releases.
| ||Admin Role||Non-admin Role|
|Configuration Frequency||One time only - Initial setup||Delta Update Set needs to be applied whenever Quality Clouds includes additional tables to scan. Typically once a month.|
|Read-only visibility to||All tables||Only tables required by Quality Clouds.|
|Quality Clouds rule coverage||Full||99% - The Best Practices "Modules pointing to big tables without filters" and "Custom Tables with no records" cannot be guaranteed to work unless additional roles are granted.|
If you decide to use a read-only admin user, simply enter the credentials for the user on the Instance Configuration page on the Quality Clouds scan web site, as described on the page Set up your QC Environment for ServiceNow. Note that you will also have to ensure that the requirements on points 1, 2 and 3 below are satisfied.
If you decide to use a non-admin user, follow the instructions on this page to retrieve and apply the relevant update sets.
Once the decision to go with an admin user or not has been made, there are three additional checks which need to be completed on your instance:
For ServiceNow instances with SSO system
Make sure that the user that will launch scans in Quality Clouds uses local authentication and is able to use the REST API.
1.- Allow web services access
Enable your ServiceNow instances to accept Quality Clouds scans performed via REST API calls by allowing your sys_package table to accept web services. The access has to be granted after each ServiceNow upgrade, as the upgrade resets the setting.
- Log in to your ServiceNow as an administrator.
- In the System Definition > Tables select the
- Check the Can read and the Allow access to this table via web services checkboxes.
Note that this flag is re-set on every upgrade, so this configuration change needs to be re-applied after each instance upgrade.
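A preflight audit of the scan account against the recommendations above (snc_read_only alongside admin, web-service-only user, sys_package readable over REST), useful to re-run after each upgrade. This is an added example, not Quality Clouds or ServiceNow code; the host name, the `qc_scan` account and the sample records are constructed, and the `web_service_access_only` field name on sys_user is assumed.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request


def table_url(instance, table, query="", fields="", limit=1):
    """Build a ServiceNow Table API URL (GET /api/now/table/<table>)."""
    params = {"sysparm_limit": limit}
    if query:
        params["sysparm_query"] = query
    if fields:
        params["sysparm_fields"] = fields
    return f"https://{instance}/api/now/table/{table}?" + urllib.parse.urlencode(params)


def fetch(url, user, password, timeout=60):
    """GET with Basic auth (local credentials); returns (HTTP status, rows)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Authorization": f"Basic {token}", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.load(resp).get("result", [])
    except urllib.error.HTTPError as err:
        return err.code, []


def audit_scan_account(user_rec, roles, package_status):
    """Compare the scan account with the setup this page recommends."""
    findings = []
    if package_status != 200:
        findings.append(f"sys_package not readable over REST (HTTP {package_status})")
    if "admin" in roles and "snc_read_only" not in roles:
        findings.append("admin role without snc_read_only: account is not read-only")
    if user_rec.get("web_service_access_only") != "true":  # assumed field name
        findings.append("account is not web-service-only: UI login is possible")
    return findings


# Constructed sample data, shaped like Table API rows (values are strings).
SAMPLE_USER = {"user_name": "qc_scan", "active": "true", "web_service_access_only": "false"}
SAMPLE_ROLES = ["admin"]

if __name__ == "__main__":
    # Live use (hypothetical host/account): status, _ = fetch(table_url(
    #     "example.service-now.com", "sys_package"), "qc_scan", "<password>")
    for finding in audit_scan_account(SAMPLE_USER, SAMPLE_ROLES, 403):
        print("FINDING:", finding)
```

Reading the account's roles and user record usually requires a separate administrator session, since a restricted scan user may not be able to read those tables itself.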
2.- Grant IP address access
For instances with IP restrictions, make sure you add an exception for the following IP address:
3.- Enable collection of client-side performance data
Optionally, to enable the collection of client-side performance data, enable the ServiceNow Client Transactions Timings plugin. For detailed instructions on how to do this, check the ServiceNow documentation article. If this plugin is not active, the client-side performance widgets in the Performance Dashboard will not be populated.
ServiceNow tables accessed by Quality Clouds
Following is the list of all tables accessed by Quality Clouds for each ServiceNow instance:
* The only fields accessed on sys_user table are: userid, active. No personal information is accessed.
** Access to the user profile related tables has been removed from Quality Clouds.
4.- API Timeout setting
Under some circumstances the REST API timeout setting of the ServiceNow instance may prevent Quality Clouds scans from retrieving specific data. This is especially true when accessing big tables, such as transaction logs. This situation can either prevent the scan from executing or be returned as a warning, depending on the type of data which could not be accessed.
To solve this issue you can increase the "REST table API request timeout" transaction quota rule. To make the change, enter sysrule_quota_list.do in the navigator text field, and then modify the "maximum duration (seconds)" attribute. The default is 60 seconds. A value of 180 seconds should be enough for most instances to allow queries to complete, although bigger values may be needed in some cases. This value should then be reset to the default value after the scan has completed.