Onboard ServiceNow AI Platform to SaaS Agent Security

1. Create a user.

   Ensure you elevate your role to security_admin before creating the user and grant read-only access to the required tables using Access Control Lists (ACLs). Or, you could also edit existing roles.

   1. Sign in to your ServiceNow instance.
   2. In the search box, start typing and select User Administration - UsersNew and enter the following details:

      • User ID
      • First name and Last name
      • Email
      • Select the Active check box and Submit the new user record.
   3. Select a role for the new user. The role must have read and write permission to the sys_gen_ai_skill_applicability table. For all other tables, only read permission is required. If necessary, you can create a custom role in ServiceNow with these specific permissions.

      The read permission will enable SaaS Agent Security to scan the ServiceNow AI Platform for agent risks. The write permission to the sys_gen_ai_skill_applicability table will enable you to remediate risky plugins from within SaaS Agent Security. Specifically, it will enable SaaS Agent Security to take the agents offline on your behalf when you select the Unpublish action.
2. Create an authentication scope to limit access to ServiceNow REST APIs.

   During onboarding, you will log in to a ServiceNow account and will grant SaaS Agent Security access to that account. SaaS Agent Security will get access to your ServiceNow account through an OAuth 2.0 integration application that you will create. Before you create the OAuth 2.0 integration application, create an authentication scope, which will limit SaaS Agent Security's access to only the Table API. You can create a scope that allows SaaS Agent Security read-only access to the Table API. Later, you will assign this scope to your OAuth 2.0 application.

   1. Log in to ServiceNow as an administrator.
   2. Make sure the REST API Auth Scope plugin (com.glide.rest.auth.scope) is activated in ServiceNow. To verify that the plugin is activated, navigate to System Definition Plugins and use the search field to locate the plugin. If the plugin isn’t installed, refer to the ServiceNow documentation to install and activate the REST API Auth Scope plugin.
   3. Create the authentication scope.
      1. Navigate to the Authentication Scopes table (sys_auth_scope.list) by using the filter navigator.
      2. Click New to define the authentication scope.
      3. Specify a meaningful Name for your authentication scope, such as SSPM Agentic Scope. You can optionally specify a longer Description.
         Make note of the authentication scope name. You will need to specify this name later when you are configuring a REST API Auth Scope and your OAuth 2.0 integration application.
      4. Submit.
   4. Create two REST API Auth Scopes and link them to your authentication scope.
      These scopes will limit SaaS Agent Security access to the Table API only. One scope will allow SaaS Agent Security read-only access (GET method). This scope will enable SaaS Agent Security to detect risks in the platform and in the agents that the platform hosts. This second scope will allow partial modification of existing resources (PATCH method). This second scope will enable SaaS Agent Security to unpublish risky plugins on your behalf.
      1. Navigate to the REST API Auth Scopes list (System Web ServicesAPI Auth ScopesREST API Auth Scope).
      2. Click New to define the REST API Auth Scope.
      3. In the Name field, specify a name for your REST API Auth Scope.
      4. From the REST API list, select Table API.
      5. Deselect the Apply auth scope to all http methods in this API check box.
      6. From the HTTP Method list, select GET.
      7. In the Auth Scope field, specify the name of the authentication scope that you created earlier. This specification links the REST API Auth Scope to the authentication scope.
      8. Submit.

      9. Repeat the preceding steps to create the second REST API Auth Scope. For this second scope, from the HTTP Method list, select PATCH.
3. Create the Application Registry (OAuth Client)

   1. Log in to ServiceNow as an administrator.
   2. Navigate to the Application Registries page (System OAuth Application Registry).
   3. In the Application Registries page, select NewCreate an OAuth API endpoint for external clients.

      Some details like Client ID and Client Secret are auto-generated. Copy them and keep it handy for the next section. Ensure the following additional details are filled in correctly:
   4. Set the Application to Global.
   5. Ensure it's accessible from All application scopes.
   6. Ensure the Active check box is selected.
   7. OAuth Application User: Enter the user you created in Step 1.
   8. Default grant type: Choose Client Credentials.

      Ensure that the system property glide.oauth.inbound.client.credential.grant_type.enabled is set to true.
   9. Specify your OAuth Scope that you created in Step 2 and Submit.

   Ensure you set the Access Token Lifespan to 3600 seconds (as seen in the above screenshot). Otherwise, your onboarding might fail.
4. Gather Required Information for Onboarding.

   After completing the configuration in ServiceNow, have the following details handy that you need for onboarding.

   • ServiceNow Instance URL: The base URL of your ServiceNow instance (for example, https://your-instance.service-now.com).
   • Client ID
   • Client Secret
5. To start onboarding ServiceNow platform to SaaS Agent Security, log in to Strata Cloud Manager.
6. Select AI SecuritySaaS AgentsAgent Platform OnboardingOnboard Agent PlatformServiceNow AI Platform.

7. Ensure you have completed all the three steps mentioned in the following onboarding wizard and then Get Started.

8. On the Authorization Method Selection page, the API authentication method is selected by default. Click Next.

9. On the Connection page, enter the information you gathered in STEP 4 in the corresponding fields and Complete.

   • ServiceNow Instance URL: The base URL of your ServiceNow instance (for example, https://your-instance.service-now.com).
   • Client ID
   • Client Secret

   The system validates the credentials and permissions. After the validation is successful, you will see a confirmation message.
10. SaaS Agent Security immediately begins to scan your onboarded agentic platform after a successful validation.

    The amount of time SaaS Agent Security takes to scan varies based on the amount of data it is required to scan. At a minimum, it takes at least one hour to scan and display data in the SaaS Agent Security dashboard.