SNOW ticket not being created for Role Composition Certification Campaign

Hi Experts,

We are experiencing issues with the ServiceNow ticket creation process (we are using the SDIM) following certification campaigns in ISC. Specifically, for Role Composition Certification, tickets are not being created in ServiceNow, although ticket creation works for User to Role Certification for revoke access.

These are the following fields to be populated in the ServiceNow ticket:
a. Requested For - The identity whose account is being revoked (applicable for User to Role Certification only).
b. Requested By - Service Account
c. Description - Campaign details (such as the access being revoked, account source, account name, and any certifier comments from the campaign; formatted in a human-readable manner).
d. Category - Access Control
e. System - If AD, then AD Account. Else, Application

We have tried inputting the sys_id in the “Requested For” field in the ISC configuration page, but it is still not working.

We are not sure why there is no ticket being created when we do a Role Composition Certification.

Additionally, we would like to ask:

  1. How can we identify which work items were triggered by a certification campaign?
  2. How can we confirm that these work items in ISC are closed once the corresponding ServiceNow ticket is resolved?
  3. How can the “campaign details” such as Certification Name, Certification Description, and the certifier comments be included in the ticket Description? Currently, we are unable to include certification-related variables in the SNOW ticket.

Thank you in Advance!

Here is what is currently configured:

Requested_by: (sys_id)
System: #if($request.resource == 'DEV Active Directory [source]') AD Account #else Application #end
Request_description: SailPoint IdentityNow Certification Remediation Request $newline Summary of Access Removal: $newline Identity Name: $!plan.arguments.identityName $newline #foreach($request in $plan.requests) Account Name to be removed: $!request.id $newline Source of Account: $!request.resource $newline Entitlements to be removed: $newline #if($request.items) #foreach($item in $request.items) $!{item.Operation} attribute '${item.name}' with value: ${item.value} $newline #end #else No entitlements listed for removal. $newline #end #end Certification Campaign: $!plan.arguments.sourceName
Requested_for: $!plan.arguments.requested_for
Category: Access Control
Requestor_group: (sys_id)

Role Composition often deals with roles rather than individual identities, so $!plan.arguments.requested_for might be null in this context. Try to add logging or debug output to check if $!plan.arguments.requested_for is populated during a role composition campaign.

I don’t think a ServiceNow ticket will be generated for a Role Composition Campaign. A Work Item will be created and assigned to the Role Owner. Can you please check if the Work Item is created and assigned to the Role Owner?

Hi @RAKGDS, yes, the work item is being created.

Hi @jinmartin,
I don’t think you can do an integration with Service Desk, as this is more internal to IdentityNow and the action needs to be taken within IdentityNow. You can try using a workflow.

Thanks

Hi @RAKGDS, I have now tried using a workflow for creation of the SNOW ticket, but I'm experiencing this error.

Hi Jinky,
For the Workflow to create the ticket, can you just try to create a simple ticket without Custom Fields? Once you are able to create the ticket in ServiceNow, then you can go for Custom Fields.

Thanks

Hi @RAKGDS, yes, I tried to empty the Custom Fields, but I'm still receiving the same error.

**Update**
SDIM does not work with Role Composition Certification, as this relies on Identity Source, whereas the Role Composition does not have an Identity. As an alternative, I'm using a Workflow to trigger the SNOW ticket creation.


Hi @jinmartin,
As mentioned earlier, you cannot have a ServiceNow ticket generated during Role Composition certification. The only way is to trigger it using a Workflow.
