Configure BeyondTrust PRA for the ServiceNow Integration

 

You must purchase this integration separately from both your BeyondTrust Privileged Remote Access and Privileged Identity solutions. For more information, contact BeyondTrust sales.

All of the steps in this section take place in the BeyondTrust /login administrative interface. Access your BeyondTrust interface by going to the hostname of your Secure Remote Access Appliance followed by /login, for example: https://access.example.com/login.

Verify the API is Enabled

Management > API Configuration > Enable XML API

The BeyondTrust Integration requires the BeyondTrust XML API to be enabled. This feature is used from within the integrating software to communicate with the BeyondTrust APIs.

Go to /login > Management > API Configuration and verify that Enable XML API is checked.

Create an API Service Account - BeyondTrust PRA 19.2

Create a new API account in /login

  1. Go to /login > Management > API Configuration.
  2. Click Add.

 

Add an API Account

  1. Check Enabled.
  2. Enter a name for the account.
  3. Under Permissions, check Allow Access for Endpoint Credential Manager API.
  4. Set Command API to Full Access.
  5. Under Reporting API, check Allow Access to Access Session Reports and Recordings.
  6. Copy the OAuth Client ID and OAuth Client Secret and store them in a secure location for use in a later step.
  7. Click Save to create the account.

 

Create an API Service Account - BeyondTrust PRA 17.1 - 19.1

  1. Go to /login > Management > API Configuration.

API :: Accounts

  1. Click Create New API Account.

 

API :: Account :: Edit

  1. Under Permissions, check Full Access to the Command API.
  2. For the Reporting API, check Allow Access to Access Session Reports and Recordings.
  3. Copy the OAuth Client ID and OAuth Client Secret and store them in a secure location for use in a later step.
  4. Click Add API Account to create the account.

 

Add Outbound Events

Outbound events are used to notify ServiceNow that a BeyondTrust Session has finished and is ready to be imported into ServiceNow.

Outbound Events - Add HTTP Recipient for ServiceNow Integration

  1. Go to /login > Management > Outbound Events.
  2. Click Add and name it ServiceNow Integration or something similar, depending on your ServiceNow instance.
  3. Set the URL to https://support.example.com/x_bmgr_bomgar_pam_bomgar_post.do where support.example.com is the ServiceNow instance name.
  4. If using an outbound event token for added security, append outbound_event_token=YOUR-TOKEN to the end of the URL, so that the entire URL resembles https://support.example.com/x_bmgr_bomgar_pam_bomgar_post.do?outbound_event_token=YOUR-TOKEN. You must also store this token with the Secure Remote Access Appliance record in ServiceNow.
  5. For Events to Send, check Access Session End.
  6. Click Save.
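
Because the outbound event token travels in the URL query string, it should be high-entropy, sent only over HTTPS, compared in constant time by whatever receives it, and masked wherever the URL is logged. The sketch below is an added example, not BeyondTrust or ServiceNow code: the helper names are hypothetical, and only the outbound_event_token parameter and the example URL come from this page.

```python
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_PARAM = "outbound_event_token"  # parameter name used on this page


def new_token(nbytes=32):
    """Generate a random, URL-safe token (hypothetical helper)."""
    return secrets.token_urlsafe(nbytes)


def build_recipient_url(base_url, token):
    """Append the token to the recipient URL, refusing non-HTTPS targets."""
    parts = urlsplit(base_url)
    if parts.scheme != "https":
        raise ValueError("recipient URL must be https: the token is in the URL")
    if parts.query or parts.fragment:
        raise ValueError("base URL must not already carry a query or fragment")
    query = urlencode({TOKEN_PARAM: token})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def verify_event_request(request_url, expected_token):
    """Receiver-side check: exactly one token, compared in constant time."""
    pairs = parse_qsl(urlsplit(request_url).query, keep_blank_values=True)
    values = [v for k, v in pairs if k == TOKEN_PARAM]
    if len(values) != 1:  # missing or duplicated parameter is rejected
        return False
    return hmac.compare_digest(values[0].encode(), expected_token.encode())


def redact(url):
    """Mask the token before the URL is written to a log or ticket."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    masked = [(k, "REDACTED" if k == TOKEN_PARAM else v) for k, v in pairs]
    return urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(masked), parts.fragment)
    )


if __name__ == "__main__":
    # Constructed sample values; support.example.com is the page's placeholder.
    base = "https://support.example.com/x_bmgr_bomgar_pam_bomgar_post.do"
    url = build_recipient_url(base, new_token())
    print(redact(url))
```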

Create Custom Fields

BeyondTrust custom fields are used to map ServiceNow Tasks (incidents, change requests, problem records, and service catalog requests) and Configuration Items to BeyondTrust access sessions.

Configuration > Custom Fields > Add

  1. Go to Configuration > Custom Fields.
  2. Click Add.
  3. Enter the following values:
    1. Display Name: ServiceNow Task ID
    2. Code Name: snow_task_id
    3. Show in Access Console: checked
  4. Click Save to save the new field.
  5. Repeat the steps above for the following custom field values:
    1. Display Name: ServiceNow Configuration Item ID
    2. Code Name: snow_cmdb_ci_id
    3. Show in Access Console: checked

Set Up the Custom Link

BeyondTrust custom links can be configured to allow users to quickly access the ServiceNow Incident that is associated with the session.

Add a Custom Link

  1. Go to Access Console > Custom Links.
  2. Click Add.
  3. Enter a name for the link, and then set the URL to https://access.example.com/nav_to.do?uri=task.do?sys_id=%SESSION.CUSTOM.EXTERNAL_KEY% where access.example.com is the ServiceNow instance name. If needed, you can use any of the available macros to customize the link according to your specifications.
  4. Click Save to save the new link.

Set Up Change Management Workflow

BeyondTrust change management workflow can be configured to require approval through an ITSM system before allowing access to BeyondTrust Jump Clients.

Jump Policies - Ticket System section in /login where you can configure change management workflow for ServiceNow.

  1. Go to Jump > Jump Policies.
  2. Under Ticket System, enter an appropriate Ticket System URL similar to https://example.service-now.com/x_bmgr_bomgar_pam_bomgar_endpoint_approval.do.
  3. Upload the CA certificate from the ServiceNow instance.
  4. Enter the desired User Prompt.
  5. Click Save.

Jump Policies

  1. Next, under the Jump Policies section, click the Add button or click the Edit link next to an existing Jump Policy.

 

Jump Policies - Jump Approval - Require a Ticket ID

  1. Under the Jump Approval section, check Require a ticket ID before a session starts.