Breadcrumbs

S3 - Configure ServiceNow for CI Sync

Extended Page Title

Step 3 - Configure your ServiceNow to be ready for CI Sync

Task List

Task #

Task

Performed by

1

Configure the Batch API timeout

ServiceNow Admin

2

Configure the CMDB CI Software Package Name field for increased performance

ServiceNow Admin

3

Create a User Account (to be used by the CI Sync SaaS application)

ServiceNow Admin

4

Configure permissions on the new User Account

ServiceNow Admin

5

(Optional) Configure OAuth Authentication on the CI Sync User Account

ServiceNow Admin

6

(Optional) Consider applying additional changes to ServiceNow to support the specific requirements of source systems

ServiceNow Admin

Task 1: Configure the Batch API timeout

  1. Navigate to your ServiceNow at this URL:
    https://YourInstance.service-now.com/sysrule_quota_list.do?sysparm_query=nameLIKEbatch

  2. From the list, locate the entry where the Name is “Rest Batch API request timeout”

  3. Change the “Maximum Duration (seconds)” to 60, then click Update

CleanShot 2025-06-19 at 07.09.39@2x-20250618-210955.png

Task 2: Configure the CMDB CI Software Package Name field for increased performance

This task only applies to customers syncing Installed Software records in the CMDB (i.e. into the cmdb_ci_spkg table).

If you are not sync’ing Installed Software records there is no need to perform this task.


Click to expand a Context Note (about why this task may be beneficial to customers sync'ing Installed Software)

The standard configuration of the “Software” (table: cmdb_ci_spkg) table has the “Package name” (field: package_name) field set as the Display field for the table.

The Package name field is a calculated field which results in the table API performing additional redundant lookups.

Unchecking the Display property will improve synchronization performance by approximately ten (10) times (i.e. Installed Software will sync around 10x faster thanks to this setting).

There are two options for completing the configuration of your ServiceNow instance. 

Option

Summary and Link to Detailed Instructions

Option 1 – Automated Steps using Update Set

Option 2 – Manual Steps using ServiceNow UI Steps

Each of the above options achieves the same end-result.  That is, each option applies the following changes:

  • Updates the dictionary record to display=False on the table “cmdb_ci_spkg” for column “package_name”

  • Add the “Package name” field to the “List Layout” on each of the following CI Class default views:

    • AIX Server

    • Computer

    • ESX Server

    • HPUX Server

    • Hyper-V Server

    • Linux Server

    • Netware Server

    • OS/X Server

    • Solaris Server

    • UNIX Server

    • Windows Server

Task 2 (Option 1): Automated Steps using Update Set

Expand the instructions below to use a ServiceNow Updateset (provided by Syncfish) to update the dictionary value on the various CI classes.

Click to expand the instructions for Option 1

Informational Note (about what the updateset updates)

The update set includes two types of update as follows.

  1. It updates to the Dictionary on the table “cmdb_ci_spkg”.

  2. It adds the “Package name” field to the default “List Layout” on a few CI Classes

These two updates are shown in the screen below.

image-20250328-000103.png

When you preview the update set you may see preview errors if the above List Layouts have already been modified in your ServiceNow instance.  If you receive preview errors and use the instructions further below to decide how best to proceed.  If in doubt contact Syncfish for assistance.

  1. Download the update set from Syncfish at the below URL:
    https://downloads.syncfish.app/servicenow/cisync-fix-software_instance-import-slowness.xml

  2. Open a browser and navigate to your ServiceNow instance

  3. In the left nav menu search for “Retrieved Update Sets” and click to open

  4. Right click on the column heading row and select “Import XML

CleanShot 2025-06-10 at 18.34.18@2x-20250610-083554.png

  1. Select “Choose File

  2. Select the downloaded file “cisync-fix-software_instance-import-slowness.xml

  3. Click to open the Update Set

image-20250328-000239.png

  1. Click “Preview Update Set

  2. If there are no preview errors, Click “Close” and proceed to Step 12 below to Commit the Update Set.

image-20250328-000309.png

  1. If there are preview errors, they are likely to be related to the List Layout update (as described in the Informational Note at the start of this task). Use the details below to diagnose and resolve the errors and if in doubt contact Syncfish for assistance.

  2. View the errors in the ‘Update Set Preview Problems’ shown below.

image-20250328-000327.png

Make sure all the errors are related to the UI List view updates and the error is not for the Dictionary update then you can Skip the remote update in the Available Actions list.

image-20250328-000343.png

  1. Click “Commit Update Set

  2. Proceed now to Task 3: Create a User Account (to be used by your CI Sync SaaS instance).

Task 2 (Option 2): Manual Steps using ServiceNow UI

Expand the instructions below if your ServiceNow Admin will manually update the dictionary value on the various CI classes.

Click to expand the instructions for Option 2

Guidance Note

Only perform the below steps if you didn’t use Option 1 above (i.e. didn’t use the Update Set option). 

If you have already used Option 1 (the automated method) then proceed now to Task 3: Create a User Account (to be used by your CI Sync SaaS instance).

  1. Navigate to the dictionary record for Table: cmdb_ci_spkg, Column name: package_name using the following URL:
    https://YourServiceNowInstance.service-now.com/sys_dictionary_list.do?sysparm_query=nameSTARTSWITHcmdb_ci_spkg%5EelementSTARTSWITHpackage_name

  2. In the list, click on the record called cmdb_ci_spkg to open it.

  3. Uncheck the Display checkbox.

CleanShot 2025-06-19 at 07.13.02@2x-20250618-211339.png

  1. Click Update.

  2. Next, you need to update the “Software InstalledRelated Lists column layout for a number of CMDB CI record types. 

  3. To begin with, execute the steps below to update the Windows Server – Default view (and then repeat these steps for the additional CI record types noted further below).

    1. Navigate to the list of “Windows Servers” in your CMDB and open a server record.

    2. Scroll down to the form to see the Related Lists (the set of tabs at the bottom of the form)

    3. Click “Software Installed

    4. Right click the column heading (e.g. Package Name) within the “Software Installed” Related List

    5. Select “Configure

    6. Select “List Layout

image-20250618-211437.png

  1. In the Available list select “Product Name”, select “Expand selected reference field” in the middle buttons between the “Available” list and “Select” list

image-20250328-001505.png

  1. Scroll down to find “Package name” under the “.Product Name --> Software Fields

    1. Select “Package name

    2. Select the “Add” button

image-20250328-001525.png

  1. Package name” should now be added to the “Selected” list on the right-hand side

    1. Click “Save”

image-20250328-001541.png

  1. Repeat the above steps by navigating to each of the following CMDB CI record types and amending each of their “Software Installed” Related List:

    1. AIX Server - Default view

    2. Computer - Default view

    3. ESX Server - Default view

    4. HPUX Server - Default view

    5. Hyper-V Server - Default view

    6. Linux Server - Default view

    7. Netware Server - Default view

    8. OS/X Server - Default view

    9. Solaris Server - Default view

    10. UNIX Server - Default view

  2. Proceed now to Task 3: Create a User Account (to be used by your CI Sync SaaS instance).

Task 3: Create a User Account (to be used by your CI Sync SaaS instance)

Create a ServiceNow user account. It is recommended that it be named accordingly so users can identify the records created/updated by the integration. e.g. “cisync.integration”.

  1. Log into ServiceNow as an Administrator

  2. Navigate to System Security → Users

CleanShot 2025-06-19 at 07.15.45@2x-20250618-211558.png

  1. Click New to start creating a new account for the CI Sync integration

CleanShot 2025-06-19 at 07.17.03@2x-20250618-211732.png


  1. Some key points when creating the account:

    1. Enter a User ID, First name and Last name that allow the CI Sync account to be easily identifiable in the future.

    2. The way you set the password will vary depending on your edition of ServiceNow. Make sure you know/capture the password as you’ll need it later on.

    3. Set the Language to English in all cases.
      Important: If you set Language to anything other than English it will cause issues when you start to run synchronization jobs.

    4. Set the Time zone to GMT

  2. Syncfish recommend tagging the account as a non-interactive account. The way you do this varies based the version and patch level of your ServiceNow. Here are some guidance notes

    1. The two ways to flag the account are:

      1. Either, tick the “Web service access only” checkbox (as shown in the screen shot below)

      2. Or, set the “Identify Type” as “Machine” (as shown in the screen shot directly below)

        CleanShot 2025-11-11 at 16.07.07@2x-20251111-060710.png

If you don’t see either of the above options:

  1. The field "web service access only" is controlled by the new field "Identity Type" for Yokohama Patch 6 and later. See this ServiceNow article: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2420837

  2. If you don’t see the “Web service access only” checkbox you may not be running the Non-Interactive Sessions plugin from ServiceNow. Discuss this topic as needed with your ServiceNow platform admin/technical owner to decide how best to configure the CI Sync integration account as a non-interactive account. The following article from ServiceNow may assist: https://www.servicenow.com/docs/bundle/zurich-platform-administration/page/administer/users-and-groups/concept/c_NonInteractiveSessions.htm

  1. Click Submit

Data Capture Note

Make sure you record Username/Password as they will be required when configuring the ServiceNow connection properties using the CI Sync Web UI during S4 - Add ServiceNow as a Destination for CI Sync later in these setup guides.

Task 4: Configure permissions on the new User Account

  1. Navigate to the cisync user account (e.g. “cisync.integration” or the account name you used in Task 3 above).

  2. Select the Roles tab and click the Edit… button

  3. Filter/Select the roles below and click the Save button

    1. asset

    2. cloud_admin

    3. model_manager

    4. personalize_choices

    5. snc_platform_rest_api_access

    6. tracked_file_reader

    7. user_admin


Depending on certain conditions, several additional roles may be required, Click here for further information

Some additional permissions may be required depending which source systems you intend to use with CI Sync. See the table below and add then add any additional roles accordingly.

Scenario

Additional permissions required by the CI Sync Integration User Account

If you intend to sync Tags from most cloud sources (Azure, AWS, GCP) an ACL update is needed.

The CI Sync Integration Account will need read/write on the cmdb_key_value table.

See Task 6 further below for more details.

If you intend to sync OT Assets from Lansweeper the CI Sync Integration user requires an additional role.

The CI Sync Integration Account will need the “cmdb_ot_editor” role.

See Task 6 further below for more details.

If you intend to create Application Service Mapping relationships from Lansweeper or Azure the CI Sync Integration user requires an additional role.

The CI Sync Integration Account will need the “app_service_admin” role.

See Task 6 further below for more details.

If you intend to sync CVE data from MS Defender for Endpoint an ACL update is needed.

The CI Sync Integration Account will need read/write on the alm_licence and alm_entitlements tables.

See Task 6 further below for more details.

For more information please read Task 6: (Optional) Consider applying additional changes to your ServiceNow to support specific requirements of source systems further below in this page.


  1. Click Save. Then use the “Roles” tab to check the above roles and the various inherited ones have been applied by comparing to screen shot below.

image-20250618-212100.png
Click to expand an Informational Note (about the permissions granted)

By granting these ServiceNow Out-of-the-Box (OOTB) Roles you are permitting the cisync user account, and therefore the CI Sync SaaS application access to your ServiceNow environment to the extent afforded by these roles.

It is probably these OOTB Roles grant CI Sync access to ServiceNow tables that are not needed or in-scope for CI Sync.  A good example is the sys_user table in ServiceNow.  The default CI Sync configuration rules do require the CI Sync SaaS application to access the sys_user, however the user_admin role grants such access (the user_admin role is needed for access to other reference tables (such as the core_company table) that stores manufacture reference data).

Syncfish recommend you review the ServiceNow system documentation (and system itself) to understand the permissions these roles provide to your CI Sync SaaS application. 

Syncfish provide further details on this topic in the document titled “CI Sync - Overview of Source and Destination Fine Grain Permission Option for Personal Data”.  The document also includes non-authoritative guidance on how to assess and potentially apply fine-grain permissions to further restrict CI Sync’s access within ServiceNow, in particular if your organization has concerns about Personal Data.

Task 5: (Optional) Configure OAuth Authentication on the CI Sync User Account

The CI Sync SaaS application supports the following authentication methods provided by the ServiceNow platform for API integrations:

  • Basic Auth

  • OAuth

Use the instructions below to configure OAuth Authentication if this is requried by your organisation.

You don’t need to use these OAuth instructions if you have decided to use Basic Auth.

Click to expand the instructions if using OAuth

Setting up the ServiceNow end of an OAuth endpoint is typically performed by a ServiceNow SME with specific knowledge of this functionality.

Also, different editions of ServiceNow may have different requirements for an OAuth endpoint.

The ServiceNow related instructions provided below are intended as a high level guide only, and are provided by Syncfish for general guidance.

If a Syncfish customer is unsure how to setup the ServiceNow elements for OAuth authentication for the incoming CI Sync connection, then we recommend the following:

  1. Read the ServiceNow documentation on this same topic. The ServiceNow documentation can be less than clear, so if in doubt, contact your ServiceNow SME with OAuth experience. For ServiceNow Zurich release here are two articles Syncfish recommend are read in the order below

    1. How to check/set a number of key settings/properties related to OAuth. See here: https://www.servicenow.com/docs/bundle/zurich-platform-security/page/administer/security/task/t_SettingUpOAuth.html

    2. How to Create an endpoint for clients to access the instance. See here: https://www.servicenow.com/docs/bundle/zurich-platform-security/page/administer/security/task/t_CreateEndpointforExternalClients.html

  2. Or, reach out to the Syncfish team. We have ServiceNow experts and are happy to assist customers who are struggling with this topic.


Syncfish general steps/guidance to perform within your ServiceNow instance (please take tje above comments into account).

Step 1 - Make sure the OAuth plugin is activated

  1. Navigate to All > System Applications > All Available Applications > All.

  2. Find the plugin using the filter criteria and search bar.

    You can search for the plugin by its name or ID. If you cannot find a plugin, you might have to request it from ServiceNow personnel.

  3. If the plugin is not installed yet, Select Install to start the installation process.

Step 2 - Set the OAuth Property (if not already set)

  1. To use OAuth 2.0, enter sys_properties.list in the navigator and select New.

    You can also open the system properties list by navigating to All > System Properties > All Properties > .

  2. Filter for *oauth*

  3. Make sure com.snc.platform.security.oauth.is.active is set to true

Step 3 - Change OAuth password parameter (if not already set)

  1. Navigate to All > System Properties > All Properties >

  2. Filter for *oauth*

  3. Make sure glide.oauth.allow.parameters.in.post.body.only is set to true

Step 4 - Create an OAuth application endpoint for external client applications to access the ServiceNow instance (i.e. create an OAuth endpoint for CI Sync to target for authentication)

  1. Navigate to All > System OAuth > Application Registry and then click New.

  2. On the interceptor page, click Create an OAuth API endpoint for external clients.

  3. Complete the fields on this form using the screen shot below and the following points for guidance

    1. Name: Use a meaningful/recognisable name relative to the endpoint being for CI Sync.

    2. Client Secret: Enter a complex secret or allow ServiceNow to generate one on save.

    3. Redirect URL and Logo URL: No need to enter these.

    4. Public Client: No need to tick this.

    5. Client Type: Integration as a service.

    6. Application: Global scope.

    7. Accessible from: All application scopes (or as otherwise directed by your ServiceNow SME).

    8. Active: Tick.

    9. Other settings: Leave as default (or as otherwise directed by your ServiceNow SME).

CleanShot 2025-11-15 at 17.28.46@2x-20251115-072905.png

Note: This form may differ between versions of ServiceNow.


Once the OAuth setup is completed, open the application registry record created and copy the Client ID and Secret to setup the connection in the CI Sync SaaS application User Interface

Guidance Note

Click the Client Secret padlock to view/copy the secret.

Data Capture Note

Take note of the Client Id and Client Secret as they will be required when configuring the ServiceNow connection within the CI Sync SaaS application (via the CI Sync User Interface) when performing the tasks in S7 - Add your ServiceNow Instance as a Destination for CI Sync.

Task 6: (Optional) Consider applying additional changes to ServiceNow to support the specific requirements of source systems

Informational Note

The tasks in this section are optional depending on which source systems you intend to use with CI Sync.

Click to expand the detailed instructions in this section relative to the source systems you may be using with CI Sync.

CMDB CI Class Models plug-in

These instructions are relevant to the following source systems

  • Lansweeper OT (from Lansweeper Cloud)

  • Azure

  • AWS

  • GCP

Click for context and task instructions

Context

Several data sources used by CI Sync include record sets that rely on CI Classes only available via the CMDB CI Class Models plug-in. 

If you plan to synchronize any of the following data sources and recordsets you will need to add the CMDB CI Class Models plug-in to your ServiceNow instance.

If you already have the plug-in you may want to upgrade it to the latest version (as ServiceNow occasionally update the plug-in to include extra CI Classes/tables).

Source System

Specific Record Sets that require the CMDB CI Class Models plug-in

Lansweeper

  • IP Cameras

Lansweeper OT
(from Lansweeper Cloud)

  • OT PLC

  • OT Field Device

  • OT Human Machine Interface

  • OT Industrial Device

  • OT Industrial Sensor

  • OT Module

  • OT OPC Server

Azure

  • Many/most Azure resources supported by CI Sync.

  • Synchronizing of Azure Tags into the cmdb_key_value table.

AWS

  • Many/most AWS resources supported by CI Sync.

  • Synchronizing of AWS Tags into the cmdb_key_value table.

GCP

  • Many/most GCP resources supported by CI Sync.

  • Synchronizing of GCP Labels into the cmdb_key_value table.

Task Steps

Follow these steps to add this plug-in (and similar steps to locate it and upgrade it if required)

  1. Assess the use/inclusion of this plug-in within your ServiceNow (ensure you are comfortable installing this plug-in).

  2. Search for Plugins via the ServiceNow navigation menu.

  3. Locate the CMDB CI Class Models plug-in.

  4. Click Add -> Install and follow the instructions provided.

image-20250328-005325.png

Add permissions for CI Sync to write to the cmdb_key_value table to support Cloud Tags

These instructions are relevant to the following source systems

  • AWS (for synchronizing AWS Tags to ServiceNow)

  • Azure (for synchronizing Azure Tags to ServiceNow)

  • GCP (for synchronizing GCP Labels to ServiceNow)

Click for context and task instructions

Context

CI Sync writes Tags (or GCP Labels) to the cmdb_key_value table in ServiceNow.

The standard/out-of-the-box roles provided by ServiceNow (and recommended by Syncfish earlier in this page) do not provide access to the cmdb_key_value table. Therefore, the CI Sync Integration User account created above requires additional permissions to write to the cmdb_key_value table.

Syncfish provides a ServiceNow updateset to prepare your ServiceNow instance for CI Sync. The updateset does the following:

  • Creates a read/write ACL on the cmdb_key_value table.

  • Applies the ACL on the cmdb_key_value table and assigns the ACL to the ServiceNow role called “Asset” (which is one of the roles granted to the CI Sync Integration Account created above).

Task Steps

Follow these steps to apply the updateset provided by Syncfish:

  1. Download the update set from Syncfish at the below URL:
    https://downloads.syncfish.app/servicenow/cisync-cmdb-key-value.xml

  2. Login to your ServiceNow instance with Admin permissions.

  3. Open a browser and navigate to your ServiceNow instance

  4. In the left nav menu search for “Retrieved Update Sets” and click to open

  5. Right click on the column heading row and select “Import XML

CleanShot 2025-06-10 at 18.34.18@2x-20250610-083554.png

  1. Select “Choose File

  2. Select the downloaded file “cisync-cmdb-key-value.xml

  3. Click to open the Update Set

CleanShot 2025-08-04 at 18.45.24@2x-20250804-084545.png

  1. Click “Preview Update Set

  2. If there are no preview errors, Click “Close”.

  3. Click “Commit Update Set”.

  4. Your ServiceNow instance is now ready to receive Azure Tag data from Azure via sync jobs from CI Sync.

Add custom tables and grant permissions for CI Sync to write CVE data to ServiceNow for MS Defender for Endpoint

These instructions are relevant to the following source systems

  • MS Defender for Endpoint (for synchronizing CVE data to ServiceNow)

Click for context and task instructions

Context

CI Sync synchronizes IT assets including their installed software with known CVEs from Defender for Endpoint.

CI Sync relies upon two custom tables in ServiceNow.

  • One table is used to store the CVE records.

  • A second table stores the link between CIs and the CVEs.

Syncfish provides a ServiceNow updateset to prepare your ServiceNow instance for CI Sync. The updateset does the following:

  • Creates the custom tables mentioned above.

  • Applies the ACL on the custom tables and assigns the ACL to the ServiceNow role called “Asset” (which is one of the roles granted to the CI Sync Integration Account created earlier in this page).

Task Steps

Follow these steps to apply the updateset provided by Syncfish:

  1. Download the update set from Syncfish at the below URL: https://downloads.syncfish.app/servicenow/cisync-cmdb-vulnerabilities.xml

  2. Login to your ServiceNow instance with Admin permissions.

  3. Open a browser and navigate to your ServiceNow instance

  4. In the left nav menu search for “Retrieved Update Sets” and click to open

  5. Right click on the column heading row and select “Import XML

CleanShot 2025-06-10 at 18.34.18@2x-20250610-083554.png

  1. Select “Choose File

  2. Select the downloaded file “cisync-cmdb-vulnerabilities.xml

  3. Click to open the Update Set

Unknown Attachment

  1. Click “Preview Update Set

  2. If there are no preview errors, Click “Close”.

  3. Click “Commit Update Set”.

  4. Your ServiceNow instance is now ready to receive CVE data from MS Defender for Endpoint via sync jobs from CI Sync.

Add permissions for CI Sync to create Application Service Mapping relationships in ServiceNow

These instructions are relevant to the following source systems

  • Lansweeper Cloud

  • Azure

Click for context and task instructions

Context

CI Sync needs additional permissions to create/update Application Service relationships in ServiceNow.

The ServiceNow out-of-the-box role described below provides the required permissions and therefore this role needs to be applied to your CI Sync Integration User if you intended to use CI Sync’s Application Service Mapping feature.

Please contact Syncfish if a custom role is preferred over this out-of-the-box role.

Task Steps

  1. Navigate to the cisync user account (e.g. “cisync.integration” or the name you used earlier in this page).

  2. Select the Roles tab and click the Edit… button

  3. Filter/Select the roles below and click the Save button

    1. app_service_admin

  4. Click Save. Then use the “Roles” tab to check the above role has been applied.

Add permissions for CI Sync to create and update OT CIs in ServiceNow

These instructions are relevant to the following source systems

  • Lansweeper Cloud

Click for context and task instructions

Context

CI Sync needs additional permissions to create/update OT CIs in the ServiceNow CMDB.

The ServiceNow out-of-the-box role described below provides the required permissions and therefore this role needs to be applied to your CI Sync Integration User if you intended to sync OT Assets into the CMDB.

Please contact Syncfish if a custom role is preferred over this out-of-the-box role.

Task Steps

  1. Navigate to the cisync user account (e.g. “cisync.integration” or the name you used earlier in this page)

  2. Select the Roles tab and click the Edit… button

  3. Filter/Select the roles below and click the Save button

    1. cmdb_ot_editor

  4. Click Save. Then use the “Roles” tab to check the above role has been applied.