Automatically Assigning ServiceNow Catalog "x_sap_intidn.user" Role for New Users

We are integrating SailPoint ISC with ServiceNow Catalog. As per the documentation, users need to have the ServiceNow role x_sap_intidn.user assigned in order to submit access requests through the catalog.

The documentation provides a script to assign this role to all existing users. However, I am trying to understand how this should be handled for newly onboarded users going forward.

My questions are:

  1. What is the recommended approach to automatically assign the x_sap_intidn.user role to new users in ServiceNow?
  2. Is it possible to aggregate this role into SailPoint ISC as an entitlement and manage it through SailPoint?
  3. If so, can this role be assigned as birthright access from SailPoint to ServiceNow, and what configuration would be required to achieve this?
  4. Are there any best practices or alternative approaches that others have used in production environments?

Yes, you can use a role in ISC and have the entitlement assigned using the ServiceNow governance connector

Thanks. So, does that mean we need to have a group created in the sys_user_group table? We currently have ServiceNow integrated with SailPoint, but we don’t see the entitlement being aggregated into SailPoint.

You can, but you don’t have to. It depends on how your servicenow team prefers to manage access. Some are fine with assigning roles directly, some always want to use groups. There is no right answer.

Are you not seeing that specific role or are you not seeing any roles at all?

The specific ServiceNow catalog group—I assume that, out of the box, the role won’t be present in the sys_user_group table unless a group has been explicitly created. Is that correct?

Correct. Servicenow allows you to assign roles to groups - then when you add a user as a group member, they inherit roles tied to that group

Hi @mcheek quick question
The role x_sap_intidn.user provides access only to the Manage_Access page. What if I want end users to be able to request access through “ISC Request Page Sample 1” or the “SailPoint Access Request 2” record producer?

Those two items were built for the purpose of demos, and as such, they have a user criteria that only allows users with x_sap_intidn.sapadmin to access them

If you wish to use them, you probably should copy them and remove the criteria from the available for related list