Configure BeyondTrust PRA for the ServiceNow Integration
You must purchase this integration separately from both your BeyondTrust Privileged Remote Access and Privileged Identity solutions. For more information, contact BeyondTrust sales.
All of the steps in this section take place in the BeyondTrust /login administrative interface. Access your BeyondTrust interface by going to the hostname of your BeyondTrust Appliance followed by /login (e.g., https://access.example.com/login).
Verify that the API is enabled
The BeyondTrust Integration requires the BeyondTrust XML API to be enabled. This feature is used from within the integrating software to communicate with the BeyondTrust APIs.
Go to /login > Management > API Configuration and verify that Enable XML API is checked.
The ServiceNow API account is used from within ServiceNow to make BeyondTrust Command API calls to BeyondTrust.
- Go to /login > Management > API Configuration.
- Click Create New API Account and name it ServiceNow or something similar.
- Set Command API to Full Access.
- Under Reporting API, check Allow Access to Access Session Reports and Recordings.
- The OAuth Client ID and OAuth Client Secret are used during the OAuth configuration step in ServiceNow. Make note of these and store them in a secure location.
- Click Save Changes.
Add outbound events
Outbound events are used to notify ServiceNow that a BeyondTrust Session has finished and is ready to be imported into ServiceNow.
- Go to /login > Management > Outbound Events.
- Click Add New HTTP Recipient and name it ServiceNow Integration or something similar, depending on your ServiceNow instance.
- Set the URL to
https://access.example.com/x_bmgr_bomgar_pa_bomgar_post.do where
support.example.com is the ServiceNow instance name.
- If using an outbound event token for added security, append
outbound_event_token=YOUR-TOKEN to the end of the URL, so that the entire URL resembles
https://support.example.com/x_bmgr_bomgar_pam_bomgar_post.do?outbound_event_token=YOUR-TOKEN. You must also store this token with the BeyondTrust Appliance record in ServiceNow.
- Scroll to Events to Send and check Access Session End.
- Scroll to the bottom and click Add Recipient.
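The outbound event token is a shared secret carried in the recipient URL's query string, so it should be random, sent only over HTTPS, compared in constant time, and kept out of logs. The following is an added example, not BeyondTrust or ServiceNow code: the helper names and the 32-byte token length are assumptions, and `token_matches` only models the comparison a receiving endpoint would make against the stored token.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

TOKEN_PARAM = "outbound_event_token"  # query parameter name given in the steps above


def new_token(nbytes: int = 32) -> str:
    """Generate a URL-safe random token (length is an assumption, not a product requirement)."""
    return secrets.token_urlsafe(nbytes)


def recipient_url(base_url: str, token: str) -> str:
    """Append the token to the HTTP recipient URL, refusing anything but absolute HTTPS."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("recipient URL must be an absolute https:// URL")
    if parts.query:
        raise ValueError("base URL must not already carry a query string")
    return urlunsplit(parts._replace(query=urlencode({TOKEN_PARAM: token})))


def token_matches(request_url: str, stored_token: str) -> bool:
    """Receiver-side model: exactly one token value, compared in constant time."""
    values = parse_qs(urlsplit(request_url).query).get(TOKEN_PARAM, [])
    if len(values) != 1:
        return False
    return hmac.compare_digest(values[0].encode(), stored_token.encode())


def redact(url: str) -> str:
    """Mask the token before the URL is written to a log, ticket, or screenshot."""
    parts = urlsplit(url)
    pairs = parse_qs(parts.query, keep_blank_values=True)
    if TOKEN_PARAM in pairs:
        pairs[TOKEN_PARAM] = ["REDACTED"]
    return urlunsplit(parts._replace(query=urlencode(pairs, doseq=True)))


if __name__ == "__main__":
    # Constructed sample: the example URL from this page with a freshly generated token.
    base = "https://support.example.com/x_bmgr_bomgar_pam_bomgar_post.do"
    token = new_token()
    url = recipient_url(base, token)
    print(redact(url))
    print(token_matches(url, token))
```
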
Create custom fields
BeyondTrust custom fields are used to map ServiceNow Tasks (incidents, change requests, problem records, and service catalog requests) and Configuration Items to BeyondTrust access sessions.
- Browse to Management > API Configuration.
- Under API :: Custom Fields, click Create New Field.
- Enter the following values:
- Display Name - ServiceNow Task ID
- Code Name - snow_task_id
- Show in Rep Console - checked
- Click Add Custom Field to save the new field.
- Repeat the steps above for the following custom field values:
- Display Name - ServiceNow Configuration Item ID
- Code Name - snow_cmdb_ci_id
- Show in Rep Console - checked
Set up the custom link
BeyondTrust custom links can be configured to allow users to quickly access the ServiceNow Incident that is associated with the session.
- Browse to Access Console > Custom Links.
- Under Access Console :: Custom Links, click Create New Custom Link.
- Enter a name for the link, and then set the URL to
access.example.com is the ServiceNow instance name. If needed, you can use any of the available macros to customize the link according to your specifications.
- Click Add Custom Link to save the new link.
Set up change management workflow
BeyondTrust change management workflow can be configured to require approval through an ITSM system before allowing access to BeyondTrust Jump Clients.
- Browse to Jump > Jump Policies.
- Under Jump Policies :: Ticket System, enter an appropriate Ticket System URL similar to
https://example.service-now.com/x_bmgr_bomgar_pam_bomgar_endpoint_approval.do.
- Upload the CA certificate from the ServiceNow instance.
- Enter the desired User Prompt.
- Click Save.
- Next, under the Jump Policies section, click the Add New Jump Policy button or click the Edit link next to an existing Jump Policy.
- Under the Jump Approval area, check the box labeled Require a ticket ID before a session starts.