Configure ServiceNow for Integration with BeyondTrust PRA

 

You must purchase this integration separately from your BeyondTrust Privileged Remote Access solution. For more information, contact BeyondTrust sales.

Unless otherwise noted, all of the steps in this section take place in the ServiceNow interface. The development and/or test instances of ServiceNow should be used initially so that the integration can be thoroughly tested before installation in the production instance.

Install BeyondTrust Integration

Customers have two options for installing the BeyondTrust ServiceNow Integration. The first option involves importing the BeyondTrust ServiceNow Integration Update Set. The second option involves requesting the BeyondTrust ServiceNow Integration from the ServiceNow Store.

Install Using Update Set

Update Set Retrieved

  1. Log into ServiceNow with an administrative user account and select System Update Sets > Retrieved Update Sets.
  2. Click Import Update Set from XML at the bottom of the page. In some instances, it may be necessary to right-click the header column of the update sets table and select Import Update Set from XML from the resulting menu.
  3. Click Browse, locate the update set XML file, and click Upload. BeyondTrust Technical Support normally sends the necessary update set XML file via email after the ServiceNow integration has been purchased through BeyondTrust's Sales team. If you have not yet received a copy, please contact BeyondTrust Technical Support.
  1. Find the update set you just imported in the list of retrieved update sets and click it. The name should be similar to BeyondTrust PRA Integration 1.0.11 Full, and its Loaded date should be the most recent in the list.
  2. Click Preview Update Set to check for errors. Look through each update set.
  3. If the preview is satisfactory, return to the main page of the update set and click Commit Update Set.

Due to some limitations in the ServiceNow platform, you might get some errors while previewing the Update Set. Please ignore all errors that have the description "Could not find a record in sys_rest_message_fn for column rest_message_function referenced in this update".

Install via App Store

ServiceNow Certified Apps - BeyondTrust PRA Integration

Please see ServiceNow's FAQ regarding app installation via the ServiceNow App Store.

 

Create Local Update Set

Local Update Set

Local update sets are used in ServiceNow to capture configuration changes. They can be used to quickly transfer these configuration changes to other environments.

  1. Select System Update Sets > Local Update Sets, and click the New button above the list of update sets to create a new local update set.
  2. In the Name field, enter BeyondTrust - ServiceNow Integration Configuration (or an equivalent).
  3. Click Submit and Make Current. This update set will capture any changes you make during the configuration process. Just make sure that the BeyondTrust - ServiceNow Integration Configuration update set is selected in ServiceNow's update set dropdown for the following steps.
  1. Make sure the Application is set to BeyondTrust PRA Integration. If it is not, use the settings cog in the upper right of the screen to switch to the aforementioned scope.
  2. After configuration is complete and tested, the local update set can be imported or promoted to new instances of ServiceNow (e.g., the production instance) to quickly replicate the integration. This must be done after transferring the BeyondTrust - ServiceNow retrieved update set.

For more information on transferring update sets, please see Transfer the BeyondTrust PRA-ServiceNow Integration Update Sets.

Update BeyondTrust PRA Session Event Types

Event Types are used to control which BeyondTrust events are processed with a BeyondTrust Session import. This step updates the database with all the available event types.

Update Event Types

  1. Select BeyondTrust PRA > Update Event Types.
  2. This loads all the available BeyondTrust Session Event Types into the database, so that unwanted events can be filtered out in a subsequent step when setting up your B Series Appliances.

 

Set Up B Series Appliance

B Series Appliances are set up in ServiceNow to connect ServiceNow with a B Series Appliance.

B Series Appliance Setup

  1. Select BeyondTrust PRA > Appliances.
  2.  

  1. Click New to add a new BeyondTrust Appliance B Series and enter the following values:
    • Name: Must be Default.
    • Hostname: Hostname of the BeyondTrust Appliance B Series.
    • OAuth Client ID/ OAuth Client Secret: the OAuth client id and Client Secret that are used to authenticate to B Series Appliance. This is obtained in a previous step, Create a ServiceNow OAuth API Account.
    • Outbound Event Token: The token that is used as an added security measure to confirm outbound events are coming from the B Series Appliance that is sending the same token. If left blank, this outbound event token process is ignored. However, if a value is provided, the same value must be sent from all outbound events coming from BeyondTrust as a parameter named outbound_event_token.
    • Integration Enabled: Turns the integration on and off.
    • Import External Sessions: If checked, session reports for sessions that are started external to ServiceNow are imported into ServiceNow.
    • Accepted IP Addresses: A comma-separated list of IP addresses from which this integration accepts outbound events.
    • Auto Associate With User: If checked, when the session report is imported, the integration attempts to associate a ServiceNow User with the session. The lookup is based on the session's primary user's username.
    • Auto Associate With Config Item: If checked, when the session report is imported, the integration attempts to associate a ServiceNow Config Item with the session.
    • Events to Import: A list of BeyondTrust session events to process when importing a BeyondTrust session.

You will not be able to configure this setting until after the B Series Appliance has been saved.

Configure Events to Import

Event Types are used to control which BeyondTrust events are processed with a BeyondTrust session import. This step defines which events are processed for each BeyondTrust session import.

Event Type Setup

Event Type Setup

Event Type Setup

  1. Select BeyondTrust PRA > Appliances.
  2. Click the name of your B Series Appliance.
  1. Click the Edit Events to Import button (the lock icon).
  2. Click the Add/Remove multiple button (the group of people icon) located on the right side of the field.
  3. Select the events you want from the Collection field on the left and use the arrows to move the events to the List field on the right.

You can use CTRL+A to select all events.

  1. Click the Save button when you are finished.

 

Configure Journal Entry Table

Application Access

The Journal Entry table (sys_journal_field), used to log system information, must be set to allow other scopes to insert records.

  1. Browse to System Definition > Tables, then search by Label for Journal Entry.
  2. Click on the link titled Journal Entry. Edit the record in Global scope, if prompted to do so.
  3. Click the Application Access tab. Ensure that the Accessible From field is set to All application scopes and Can create is checked.

 

Configure BeyondTrust Session Related Lists

Task Related List

Related lists are used to provide a list of BeyondTrust Sessions that are associated with a Task (incident, change request, or service catalog request), Call Record, or Configuration Item.

Task Configuration

  1. Select Incident.
  2. Click Open to see a list of open incidents.
  3. Select an incident by clicking the Incident Number.
  4. Right-click the Incident title bar and select Configure > Related Lists.
  1. Ensure that Access Session > Task has been moved to the Selected column.
  2. Click the Save button.
  3. The BeyondTrust Sessions list should appear towards the bottom the incident form once these steps are complete.

CMDB Configuration

  1. Select Configuration > Servers.
  2. Click All to see a list of servers.
  3. Select a server by clicking the Name of a server.
  4. Right-click the Incident title bar and select Configure > Related Lists.
  1. Ensure that Access Session > Configuration Item has been moved to the Selected column.
  2. Click the Save button.
  3. The BeyondTrust Sessions list should appear towards the bottom the configuration item form once these steps are complete.

Configure Incident CMDB Jump Macros

BeyondTrust Jump technology can be used for unattended access to devices through the B Series Appliance.

Configure CMDB Dictionary

  1. Select Incident.
  2. Click Open to see a list of open incidents.
  3. Select an incident by clicking the Incident Number.
  4. Populate the Configuration Item field by clicking the magnifying glass icon, then selecting an item in the list.
  5. Once the Configuration Item is populated, click the Update button on the Incident title bar. This takes you back to the Incident list.
  6. Click the name of the incident you just updated.
  7. Right-click the Configuration Item Label and then click Configure Dictionary.
  8. Locate the Attributes field and take note of the part of the value that reads ref_contributions=task_show_ci_map;show_related_records.
  1. Add the Jump To value of x_bmgr_bomgar_pam_bomgar_pam_jump_to or x_bmgr_bomgar_pam_bomgar_pam_jump_to_webas a semicolon-separated item in ref_contributions (e.g., ref_contributions=x_bmgr_bomgar_pam_bomgar_pam_jump_to;task_show_ci;show_related_records).
  2. Click the Update button to save your changes.

Configure BeyondTrust Username and Authentication

Configure User Form

  1. Log into your BeyondTrust /login interface with the same credentials as a ServiceNow user who is expected to be using Privileged Remote Access.

 

  1. Download and install a BeyondTrust access console from the /login > My Account tab.
  • Make sure that BeyondTrust and ServiceNow are checking credentials against the same LDAP server(s), if appropriate. Check the LDAP server in the BeyondTrust interface under /login > Users & Security > Security Providers.

To check the LDAP server for ServiceNow, please see the LDAP Integration Setup article at docs.servicenow.com/bundle/jakarta-platform-administration/page/integrate/ldap/concept/c_LDAPIntegrationSetup.html.

  • If LDAP authentication is not being used, log into ServiceNow. Select User Administration > Users, and then select the user to be used for testing, and focus on the BeyondTrust Username field.
  • If this field does not exist while viewing a user, hover over the icon next to User on the title bar, and then select Configure > Form Layout, and move the BeyondTrust Username field from the Available list to the Selected list. Once done, enter the name of a known-working BeyondTrust user account in this field and save.

Assign Users Appropriate Roles

ITIL users who provide technical support using this integration should be given the x_bmgr_bomgar_ pam.user role.

You must elevate the admin's role in order to make the following change.

Elevate Roles

  1. Select User Administration > Users.
  2. Select a user.
  3. Find the Roles tab and click the Edit button.

 

Edit User

  1. Add the x_bmgr_bomgar_ pam.user role from the Collection list to the Roles list
  2. Click Save.

 

ServiceNow MID Server Option

List of MID Servers

 

While most customers will not use a MID server, some may. It is possible to avoid direct connection between ServiceNow and BeyondTrust by using a MID server for internal BeyondTrust deployments.

 

MID Server Details

For more information on MID servers, please see docs.servicenow.com/bundle/jakarta-servicenow-platform/page/product/mid-server/concept/c_MIDServerConfiguration.html.

 

Set Up Change Management Workflow

Override Change Management

 

BeyondTrust change management workflow works out of the box with a default Servicenow configuration. It can be customized if necessary.

The Default Approval Processing list includes the checks that are made when a ticket approval request is processed in ServiceNow.

  1. Find the Ticket (aka Task): Searches for the task based on task number. If not found by number, searches by task sys_id. If the task is not found, a failure response is sent back to BeyondTrust.
  2. Match the Rep: Checks to make sure the rep username matches the task assigned_to field user's user_name (User Id) or BeyondTrust PRA username field. If the reps do not match, a failure response is sent back to BeyondTrust.
  3. Match the Computer Name: Ensures the task's cmdb_ci name matches the computer name being Jumped to in BeyondTrust. If the computer names do not match, a failure response is sent back to BeyondTrust.
  4. Ensure Task Approval: Ensures the task's approval field is approved. If the task is not approved, a failure response is sent back to BeyondTrust.
  5. Ensure Field State: Ensures the task's state field is not closed, cancelled, or resolved (value is less than 3). If the state is not less than 3, a failure response is sent back to BeyondTrust.

Privileged Remote Access Change Management Override provides an administrator a way to customize the Approval Process without the burden of manual coding.

Change Management Override Details
Change Management Override Details

  1. Go to the Appliance screen and check the Override Change Management option.
  2. Click on the New button next to the Change Management Overrides Table.
  3. The goal of this record is to compare a Task field value with data provided by the B Series Appliance or a value defined by the user. Here is brief description of all the information:
    1. Task Field Name: This is the name of the Field inside the ServiceNow Task Table. A comprehensive list of the important Task table fields can be found at https://docs.servicenow.com/bundle/london-platform-administration/page/administer/task-table/reference/r_ImportantTaskTableFields.html.
    2. Comparator: The kind of evaluation performed. It can be an Equal, Lesser than or Greater than comparison.
    3. Type of Field: If the Static option is selected, whatever value entered by the user in the Field Value will be used. On the other hand, if the Reference option is marked, the value selected in the Bomgar Field dropdown will be selected.
    4. Field Value: A hard-coded value entered by the user.
    5. Bomgar Field : A list of all the information sent by the B Series Appliance that the user can select.
    6. Error Message: In case that the comparison between the ServiceNow Task Field Value and the Field value, or Bomgar Field selected by the user is negative, the Error Message value is returned to the B Series Appliance along with a deny access to the Jump. There are 3 reserved words that can be used inside the Error Message that leverage the outcome result:
      1. %TaskFieldName%: The actual value returned by ServiceNow of the Task Field Name chosen.
      2. %ComparatorSymbol%: The symbol related to the option selected in the Comparator. Possible results are >, =, or <.
      3. %FieldValue%: The value used in the conditional logic, regardless of the option selected.

Examples

In this screen shot there are two examples depicting a Static and a Reference comparison. The first record will compare the state value of a Task and check if it is lesser than 3.(Status Closed)

The second record will compare the name of the configuration item of a Task and check if it is equal to the computer name of the Jump item.

All records must be satisfied in order to allow access to the Jump.