SDIM Ticket Status not updated in ISC

We are facing an issue with SDIM where the tickets get created successfully in ServiceNow and are marked as closed complete too, but the account activity in ISC keeps showing them as Pending/Executing.

We have checked the status mappings are accurate.

The status check interval is reduced to 30 mins and even after waiting a long time, there is no change.

The account activity timestamp keeps updating the last modified date on the record but the status stays Pending in Executing stage. Ideally it should be closed complete.

Anyone faced this issue recently with SDIM?

Would you be able to post the JSON for the SDIM configuration? I just want to compare it to what we have and see if there’s something missing or different.

{
    "id": "",
    "name": "Service Desk Integration",    
    "description": "Service Desk Integration",
    "type": "ServiceNow SDIM",
    "ownerRef": {
        "type": "IDENTITY",
        "id": "",
        "name": "Administrator"
    },
    "clusterRef": {
        "type": "CLUSTER",
        "id": "",
        "name": "Sandbox Cluster"
    },
    "cluster": null,
    "managedSources": [],
    "provisioningConfig": {
        "universalManager": false,
        "managedResourceRefs": [            
            {
                "type": "SOURCE",
                "id": "",
                "name": "Demo Source"
            }
        ],
        "planInitializerScript": null,
        "noProvisioningRequests": false,
        "provisioningRequestExpiration": 0
    },
    "attributes": {
        "provisioningTimeout": "180",
        "clientId": "",
        "tokenUrl": "https://tenant.service-now.com/oauth_token.do",
        "serviceRequest": {
            "checkStatus": {
                "statusMap": {
                    "closed_complete": "Committed",
                    "closed_rejected": "Failed",
                    "requested": "Queued",
                    "in_process": "Queued",
                    "closed_cancelled": "Failed",
                    "closed_incomplete": "Failed",
                    "closed_skipped": "Failed"
                },
                "closeNotes": "$.result[0].close_notes",
                "resource": "/api/now/table/sc_request?number=$ticketId&sysparm_fields=request_state,close_notes",
                "responseElement": "$.result[0].request_state",
                "statusMapClosureCode": null
            },
            "provision": {
                "request": {
                    "short_description": "SailPoint Access Request $!plan.arguments.identityRequestId",
                    "opened_by": "$!{plan.arguments.opened_by|'917dc3711b905a103daa0d42604bcbb9'}",
                    "req_description": "Service Request created by Service Desk Integration Module (SDIM)",
                    "correlation_id": "$!plan.arguments.identityRequestId",
                    "description": "#if($request.operation == 'Create') Create Account on application $request.resource #elseif($request.operation == 'Delete') For $request.id in application $request.resource : Requested action from SailPoint : Delete Account #if ($request.arguments.comments), Comments : $request.arguments.comments #end #else For $request.id in application $request.resource #end #if ($request.items) $newline #foreach ($item in $request.items) #if ($item.name == '*disabled*' && $item.value == 'true') Requested action from SailPoint : Disable Account #if ($request.arguments.comments), Comments : $request.arguments.comments #end $newline #elseif ($item.name == '*disabled*' && $item.value == 'false') Requested action from SailPoint : Enable Account #if ($request.arguments.comments), Comments : $request.arguments.comments #end $newline #elseif ($item.name == '*locked*' && $item.value == 'false') Requested action from SailPoint : Unlock Account #if ($request.arguments.comments), Comments : $request.arguments.comments #end $newline #else $!item.Operation $item.name: $item.value #if ($item.arguments.comments), Comment from SailPoint : $item.arguments.comments #end $newline #end #end #end",
                    "requested_for": "$!plan.arguments.requested_for"
                },
                "requestRootElement": "items",
                "resource": "/api/x_sap_sdim/sailpoint_cart_js_api/create_ticket",
                "responseElement": "$.result.request_number",
                "catalogItem": {
                    "c250276cd1e14439b010c12491084dde": "8051258edbffb300e90690b3db9619c4"
                }
            }
        },
        "clientSecret": ""
    },
    "beforeProvisioningRule": {
        "type": "RULE",
        "id": "329616f3e40e44a7a0075163cfbcbf93",
        "name": "Sample Before Provisioning Rule for SDIM"
    },
    "credentialProviderEnabled": false
}

At this point we haven’t started customizing anything, so this should be close to the out-of-the-box JSON.

Have you ensured that the account you’re using to connect to ServiceNow has access to the Table API endpoints?

It’s possible that it has access to the API endpoint to create the ticket but no access to the table APIs to check the status.

Try running a GET against this ServiceNow endpoint in Postman with the credentials you’re using in SailPoint and ensure you get a return:

/api/now/table/sc_request?number=$ticketId&sysparm_fields=request_state,close_notes

It should look like this:

{
    "result": [
        {
            "request_state": "in_process",
            "close_notes": ""
        }
    ]
}
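Added example, not part of any post in this thread and not SailPoint or ServiceNow code: a small Python check that applies the checkStatus settings posted above (responseElement and statusMap) to a Table API response, so that a denied read or a missing row is reported as such instead of silently leaving the ticket pending. The function names, verdict labels and sample responses are constructed for illustration; treating 401/403 as a denied read and an empty result as an unreadable row are assumptions.

```python
import json
import re

# checkStatus settings copied from the SDIM configuration posted above.
CHECK_STATUS = {
    "responseElement": "$.result[0].request_state",
    "statusMap": {
        "closed_complete": "Committed", "closed_rejected": "Failed",
        "requested": "Queued", "in_process": "Queued",
        "closed_cancelled": "Failed", "closed_incomplete": "Failed",
        "closed_skipped": "Failed",
    },
}

def extract(path, doc):
    """Evaluate the simple JSONPath form used in the config ($.key[index].key)."""
    node = doc
    for key, index in re.findall(r"\.(\w+)|\[(\d+)\]", path):
        try:
            node = node[key] if key else node[int(index)]
        except (KeyError, IndexError, TypeError):
            return None
    return node

def diagnose(http_status, body, cfg=CHECK_STATUS):
    """Return (verdict, detail) for one status-check response."""
    if http_status in (401, 403):  # assumption: these codes mean the read was denied
        return ("ACCESS_DENIED", "account cannot call the Table API for sc_request")
    if http_status != 200:
        return ("HTTP_ERROR", f"unexpected HTTP status {http_status}")
    try:
        doc = json.loads(body)
    except ValueError:
        return ("BAD_BODY", "response is not JSON")
    state = extract(cfg["responseElement"], doc)
    if state is None:  # assumption: an empty result means the row is not readable
        return ("NO_ROW", "no request_state returned; check read access to sc_request")
    mapped = cfg["statusMap"].get(state)
    if mapped is None:
        return ("UNMAPPED", f"state {state!r} is missing from statusMap")
    return ("OK", mapped)

# Constructed sample responses (not captured from a real instance).
SAMPLES = [
    (200, '{"result": [{"request_state": "closed_complete", "close_notes": ""}]}'),
    (200, '{"result": []}'),
    (403, '{"error": {"message": "constructed denial"}}'),
]

if __name__ == "__main__":
    for status, body in SAMPLES:
        print(status, diagnose(status, body))
```

Feed it the status code and body that Postman returns for the service account; only an OK verdict with Committed or Failed would let the account activity leave the Pending state.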

@sharvari just curious if you ever figured out the issue here.

Hi @mcheek, quick update on this. It is a permissions issue with the OOTB x_sap_sdim.admin role. We applied the ServiceNow admin role to the service account and were then able to detect the closures within ISC. Currently we are in the process of determining what permissions are needed sans admin and will update this post with the permissions we determine are needed.

The account would need access to read from the sc_request table. Granted, the application includes an ACL that should allow this access.

However, it’s often the case that other ACLs on that table will be in conflict with this one, preventing it from working as needed.

I would suggest adding the itil role to that user and see if it works.

So we finally tracked down the culprit on this issue. The ServiceNow tenant we are connecting with does not have the sn_request_read role available which is what the x_sap_sdim.admin account is looking for, as it is an inherited role. This role is provided as part of the ITSM Roles — Incident Management application that must be installed from the ServiceNow store for tenants upgrading to New York from previous versions: ITSM product-specific read roles sn_incident_read, sn_problem_read, sn_change_read, sn_request_read and approver_user unavailable after activating com.snc.business_stakeholder plugin - Support and Troubleshooting

Once this application was installed, the correct roles were inherited and tickets could be read properly.
