Configure BeyondTrust PRA for the ServiceNow Integration


You must purchase this integration separately from both your BeyondTrust Privileged Remote Access and Privileged Identity solutions. For more information, contact BeyondTrust sales.

All of the steps in this section take place in the BeyondTrust /login administrative interface. Access your BeyondTrust interface by going to the hostname of your BeyondTrust Appliance followed by /login (e.g.,

Verify that the API is enabled

Enable XML API

The BeyondTrust Integration requires the BeyondTrust XML API to be enabled. This feature is used from within the integrating software to communicate with the BeyondTrust APIs.

Go to /login > Management > API Configuration and verify that Enable XML API is checked.

Create a ServiceNow API Account

The ServiceNow API account is used from within ServiceNow to make BeyondTrust Command API calls to BeyondTrust.

API :: Account :: Add

  1. Go to /login > Management > API Configuration.
  2. Click Create New API Account and name it ServiceNow or something similar.
  3. Set Command API to Full Access.
  4. Under Reporting API, check Allow Access to Access Session Reports and Recordings.
  5. The OAuth Client ID and OAuth Client Secret are used during the OAuth configuration step in ServiceNow. Make note of these and store them in a secure location.
  6. Click Save Changes.


Add outbound events

Outbound Events

Outbound events are used to notify ServiceNow that a BeyondTrust Session has finished and is ready to be imported into ServiceNow.

  1. Go to /login > Management > Outbound Events.
  2. Click Add New HTTP Recipient and name it ServiceNow Integration or something similar, depending on your ServiceNow instance.
  1. Set the URL to pa_bomgar_ where is the ServiceNow instance name.
  2. If using the an outbound event token for added security, append outbound_event_token=YOUR-TOKEN to the end of the URL, so that the entire URL resembles pam_bomgar_ You must also store this token with the BeyondTrust Appliance record in ServiceNow.
  3. Scroll to Events to Send and check Access Session End.
  4. Scroll to the bottom and click Add Recipient.


Create custom fields

API :: Custom Fields

BeyondTrust custom fields are used to map ServiceNow Tasks (incidents, change requests, problem records, and service catalog requests) and Configuration Items to BeyondTrust access sessions.

  1. Browse to Management > API Configuration.
  2. Under API :: Custom Fields, click Create New Field.
  3. Enter the following values:
    1. Display Name - ServiceNow Task ID
    2. Code Name - snow_task_id
    3. Show in Rep Console - checked
  4. Click Add Custom Field to save the new field.
  5. Repeat the steps above for the following custom field values:
    1. Display Name - ServiceNow Configuration Item ID
    2. Code Name - snow_cmdb_ci_id
    3. Show in Rep Console - checked

Set up the custom link

Custom Links :: Add

BeyondTrust custom links can be configured to allow users to quickly access the ServiceNow Incident that is associated with the session.

  1. Browse to Access Console > Custom Links.
  2. Under Access Console :: Custom Links, click Create New Custom Link.
  3. Enter a name for the link, and then set the URL to where is the ServiceNow instance name. If needed, you can use any of the available macros to customize the link according to your specifications.
  4. Click Add Custom Link to save the new link.

Set up change management workflow

BeyondTrust change management workflow can be configured to require approval through an ITSM system before allowing access to BeyondTrust Jump Clients.

Jump Policies :: Ticket System section in /login where you can configure change management workflow for ServiceNow.

  1. Browse to Jump > Jump Policies.
  2. Under Jump Policies :: Ticket System, enter an appropriate Ticket System URL similar to pam_bomgar_
  3. Upload the CA certificate from the ServiceNow instance.
  4. Enter the desired User Prompt.
  5. Click Save.

Jump Policies

  1. Next, under the Jump Policies section, click the Add New Jump Policy button or click the Edit link next to an existing Jump Policy.


Jump Policies - Require a ticket ID before a session starts

  1. Under the Jump Approval area, check the box labeled Require a ticket ID before a session starts.