Bridging the Gap Between Service Management & Access Requests
When working with customers who have existing ITSM utilities such as ServiceNow in place, I consistently hear the same thing from the ITSM business owners and teams:
“Our tool is the main portal for getting information, submitting requests, and approving requests across the enterprise”.
In the same organization, the Security and Application Access groups want to enable end-to-end automation and self-service access for their applications using their Oracle Identity Manager (OIM) investments, but typically are using manual processes for copying approved requests in the ITSM platform into OIM to complete the requests. This makes it difficult since OIM does a great job of managing access requests, approvals, and provisioning of those requests automatically. So, OIM administrators are not utilizing the full functionality and features of the platform.
When they do use the platforms independently for submitting and approving requests, there is a breakdown between the two platforms causing user and task owner confusion around:
a. How does a user get updates / review the status of an access request (OIM) vs. a ServiceRequest (ITSM)?
b. When does a task owner need to approve in ITSM vs the access request platform (OIM)?
c. When there are ITSM requests that have access requirements built in, who owns this and how do these get completed in a timely manner?
With the above, this leads to more incidents and questions being raised and assigned the individual teams, lowers the overall customer (user) experience in the investments they have made, and increases the costs and time to complete requests in the environment.
To address this issue, we worked with a customer to build an integration framework between ServiceNow and OIM. This integration takes the best of both platforms and typical usage scenarios and provides a consistent and improved user experience.
Beyond the out-of-the-box (OOTB) connector that is provided by Oracle for user provisioning (https://docs.oracle.com/cd/E22999_01/doc.111/e73592/toc.htm), this integration provides a means for syncing request and approval data between the platforms, provides data updates and links for users and task owners, and provides task submission from ServiceNow to OIM for automating access requests associated with ServiceNow orders. To take it one step further, our consultants integrated the platforms using Microsoft ADFS to provide SSO across the platforms to simulate everything being completed in the same session.
This was a critical win for our customer in that both teams (ITSM/ServiceNow and IT Security) could:
a. Maintain their current ownership and processes while providing multiple means and dashboards for users to know the status of requests and pending approvals.
b. Cut down on the number of tasks that needed to be completed between ServiceNow and OIM.
c. Improve their overall SLAs and time to complete access requests and provisioning tasks.
d. Reduce the number of tickets related to questions on the status of access requests, ownership, approvals, etc.
Below provides screenshots and information on the integration that was built and what can be done with OIM and ServiceNow when they work together (and not independently).
To begin, when logging into OIM 11gr2 PS3, the can go to the catalog and submit an access request for the intended role or application. For this demo, the user is submitting a request for a role.
Once submitted, the user is provided a request number for reference in the future and the request is submitted for approval based on the workflow rules for the organization.
On next login to the ServiceNow platform, an asynchronous login event is triggered to refresh the user’s access requests and any pending approvals. Additionally, if they do no login regularly, this data is refreshed on a timed basis (by default every 30 minutes). On the portal page for the user, ServiceNow Dashboards for OIM Access Requests provides the user a list of any open access requests as well as any pending access approvals.
When clicking on any of the pending access requests, the details of the request are provided and include request identification, request details, approval tasks, etc. (all the same information when viewing in OIM under Track Requests). Additionally, a link is provided to OIM so that the user can open the request in OIM to see approval flows, withdraw the request, or add additional comments as needed. With the ADFS SSO in place, they are not prompted to log in again and are taken directly in the request details.
For historical purposes, the user can also scroll to the OIM Access Request menu and see all previously completed requests and view the same details.
When the user’s manager logs into ServiceNow (since in this case they are using a manager approval chain), they are presented the same OIM access request Dashboard that shows pending approvals assigned to them.
When clicking the details of the pending approval assigned to them, they can quickly see the details of the request and are given a link to go to the OIM approval inbox to complete the request.
Once clicking the Pending Approval link, the approver is now taken to the OIM unified inbox to view the history/details of the request and complete the approvals.
Once this has been completed, the corresponding tasks and approvals are updated in ServiceNow and no longer show as pending / open requests and tasks.
The access request status syncing worked for most of the scenarios our customer had, but they also needed a means for automating the process of submitting directly from ServiceNow to OIM for requests related to physical hardware and software purchases (for application catalog/portal publishing). To do this, without requiring administrator copying and closing of orders and tasks, we built a hybrid request broker that takes orders from ServiceNow and submits them via the ServiceNow mid-server (http://wiki.servicenow.com/index.php?title=MID_Server#gsc.tab=0) directly into OIM along with tracking information to link back to the original ServiceNow request/order.
To show the hybrid request broker in action the below shows a user logged in and viewing their My Access information listing the current roles they have.
Additionally, you can see from their accounts that they have a ServiceNow application instance assigned to them for login to ServiceNow.
To simulate an access request submission from ServiceNow to OIM, we have a set of test scripts in the ServiceNow application studio in the OIM Access Requests application.
In the test script, we define the beneficiary user and role to assign to the user and click the Execute button to submit the request to OIM. At this point, a task is submitted to the mid-server to run the IDMWORKS custom class to submit the access request for the user to OIM.
Based on the ServiceNow application user not requiring an approval for the request (since has been approved already in ServiceNow), the user now has the additional role assigned to them.
When clicking the request ID assigned to the role (since is using the Requests API), the user can see the justification tracking it back to the ServiceNow request/task.
With the integration in place, both platforms are being used independently and together to provide an improved user experience for both access and issue management in the environment. Was a lot of fun building this for our customer and glad they are now able to realize the full self-service capabilities of OIM / access catalog as well as use ServiceNow as their main portal.
If you would like to hear more details on how this was done and how you can utilize the same integration, contact us and we can work with you so you can fully utilize both platforms as well.