License Auditing in ServiceNow
I’ll start with stating what I’m sure will be obvious shortly, I’m new to ServiceNow. I’ve been on the fulfiller side of it for years but I’ve now become the wizard behind the curtain. With that comes a lot of responsibility but one of the easier ones for me to tackle, right off the bat, was ensuring that the proper people were licensed up. I’m not even remotely a ServiceNow expert and, as is my way, I look for the most straight-forward ways to accomplish my goals and only complicate that when necessary. Being cute is fun but when things start breaking it’s all the more challenging to track it down.
Getting information out of ServiceNow
This might be a smooth brain maneuver but in searching for the best ways to get information about my user licenses out of ServiceNow I immediately got rid of the idea of the API. There must be something built in to this incredible platform. I found something: Export Sets. Now there are some considerations to this whole waves hands thing so I’ll lay those out now.
- Fulfiller licensing is typically based on groups in Active Directory.
- The bulk of our fulfiller licensing is limited to the
itil
role. - We have a MID server in our environment.
I don’t think that anything here is terribly unique to my environment. Having groups linked to Active Directory groups allows for management mechanisms that have been in place for years continue to work in regards to ServiceNow. The MID server enables a lot of further expansion into the environment and is likely very common. There may be locations that use other roles than itil
primarily and that’s fine too–you can adapt this easily enough.
A crash course on export sets
Export sets are a… medium complicated structure for getting data out of the platform. I fully understand the reasoning behind it, and in going through this exercise I’ve learned a significant amount about ServiceNow’s design in a density that is unmatched by any YouTube video or online course. I’ll state the obvious: in the navigation bar, type “export” and you should see the “System Export Sets” category with some entries. I’m not certain which role controls this (the amount of roles is nearly comical and I realize now that it’s because of the complexity, and intended use, of the platform) but I think it would be safe to say that admin
will take care of it. There’s a “Getting Started” link if that’s more your speed but I’ll go through this a bit quicker and a lot dirtier.
You may click “Create Export Set” and it will somewhat guide you through the following process. I didn’t do that. I started with “Export Definitions”. It’ll show you the normal list view that ServiceNow offers so go for that “New” button towards the top. Give it a name and select the “User Role” table. The fields that worked out for me were State, User, Role, User.DN, User.Department, User.Title
and I’ll explain that shortly. For the filter I just used the filter builder and added the condition Role is itil
and that’s it. That’s going to spit out information on everyone with an itil
role because that’s exactly what I, in this case, am interested in. I don’t need a dump of hundreds of thousands of accounts.
Now we have an Export Definition so we then need an Export Target. Go into “Export Targets” and dive for that “New” button one more time. The Export Target is literally “where will this file go” and the answer is “on a MID server somewhere” so we give the target a name, pick the MID server from the dropdown, and provide a file path. Note in the callout that it provides you the root of the file path. By that I mean this file path is relative to the root provided in the callout. That’s the long way to explain it but the tldr is that it will be in your agent installation path on the MID server and you may need someone to track that down for you. I had to search a little bit but my folks have some level of convention so it didn’t take me too long to find it. Give it a file path and offer a description if you so choose.
Making lemonade. If you didn’t go through the wizard you’ll need to create a new Export Set which is in “Export Sets”. Here you’ll give the export set a name, and give it a file name. This file will appear in the relative path that you specified in the Export Target. You can also select export format here as well–I’m going for CSV. For this purpose everything else is going to pretty much be default. You’ll need to set the export definition in the tab at the bottom “What to export” and then the target at the “Where to export to” tab. This is why we needed to create those objects (are they even called objects in this platform?) beforehand.
Then we need to create a Scheduled Export because we still can’t quite export anything. Give it a name and an export set. I don’t think you’ll want deltas on this. Make it active. The schedule won’t matter too much but, obviously, making it run constantly is both pointless and wasteful. We’re going to manually execute it anyway. Once the Scheduled Export exists you can click on it in the list view and use the button at the bottom “Execute Now”. That’s going to put the file where you said it should go.
Repeat the same process, creating a new export definition with a different name and the table “Group” (sys_user_group
) with the fields name, description, active, manager,parent,sys_updated_on,u_dn,sys_created_on,sys_create_by,roles
. You can reuse the same export target but you will need to create a new export set (which is good because you can give it a different name). Create a new scheduled export with this new export set and then execute it. You’ll now have the group list and the user list.
Pruning the groups in AD
Recall that we run our group memberships in ServiceNow by syncing them to groups in Active Directory (for the most part). We have orchestration for employees who have changes in their employment status and I can use that information in AD to then proceed to remove the users from any of these groups.
./content/posts/license-auditing-in-servicenow.md 10:30 warning Use first person (such as Microsoft.FirstPerson 'I'm') sparingly. 10:64 warning Use first person (such as Microsoft.FirstPerson 'I'm') sparingly. 10:259 warning Use first person (such as Microsoft.FirstPerson 'me') sparingly. 10:346 warning Use first person (such as Microsoft.FirstPerson 'I'm') sparingly. 10:399 warning Use first person (such as Microsoft.FirstPerson 'my') sparingly. 10:406 warning Use first person (such as ' I Microsoft.FirstPerson ') sparingly. 10:463 warning Use first person (such as Microsoft.FirstPerson 'my') sparingly. 13:99 warning Use first person (such as Microsoft.FirstPerson 'my') sparingly. 13:133 warning Use first person (such as ' I Microsoft.FirstPerson ') sparingly. 13:243 warning Use first person (such as ' I Microsoft.FirstPerson ') sparingly. 15:15 warning Try to avoid using Microsoft.We first-person plural like 'our'. 16:3 error Use 'we've' instead of 'We Microsoft.Contractions have'. 16:3 warning Try to avoid using Microsoft.We first-person plural like 'We'. 16:27 warning Try to avoid using Microsoft.We first-person plural like 'our'. 18:1 warning Use first person (such as 'I Microsoft.FirstPerson ') sparingly. 18:37 warning Consider removing 'terribly'. Microsoft.Adverbs 18:56 warning Use first person (such as Microsoft.FirstPerson 'my') sparingly. 18:317 warning Consider removing 'very'. Microsoft.Adverbs 18:436 warning Consider removing 'easily'. Microsoft.Adverbs 21:18 warning In general, don't use an Microsoft.Ellipses ellipsis. 21:241 error Use 'that's' instead of 'that Microsoft.Contractions is'. 21:431 warning Use first person (such as Microsoft.FirstPerson 'I'm') sparingly. 21:496 warning Consider removing 'nearly'. Microsoft.Adverbs 21:514 warning Use first person (such as ' I Microsoft.FirstPerson ') sparingly. 21:604 warning Use first person (such as ' I Microsoft.FirstPerson ') sparingly. 23:130 error Punctuation should be inside Microsoft.Quotes the quotes. 23:336 warning Use first person (such as Microsoft.FirstPerson 'me') sparingly. 23:447 warning Use first person (such as ' I Microsoft.FirstPerson ') sparingly. 23:629 warning Use first person (such as ' I, Microsoft.FirstPerson ') sparingly. 23:664 warning Use first person (such as ' I Microsoft.FirstPerson ') sparingly. 25:5 error Use 'we've' instead of 'we Microsoft.Contractions have'. 25:5 warning Try to avoid using Microsoft.We first-person plural like 'we'. 25:39 warning Try to avoid using Microsoft.We first-person plural like 'we'. 25:251 warning Try to avoid using Microsoft.We first-person plural like 'we'. 25:417 warning Use first person (such as ' I Microsoft.FirstPerson ') sparingly. 25:563 warning Prefer 'personal digital Microsoft.Terms assistant' over 'agent'. 25:657 warning Use first person (such as ' I Microsoft.FirstPerson ') sparingly. 25:691 warning Use first person (such as Microsoft.FirstPerson 'my') sparingly. 25:748 warning Use first person (such as Microsoft.FirstPerson 'me') sparingly. 27:107 error Punctuation should be inside Microsoft.Quotes the quotes. 27:321 warning Use first person (such as Microsoft.FirstPerson 'I'm') sparingly. 27:557 warning Try to avoid using Microsoft.We first-person plural like 'we'. 29:8 warning Try to avoid using Microsoft.We first-person plural like 'we'. 29:55 warning Try to avoid using Microsoft.We first-person plural like 'we'. 29:126 warning Use first person (such as ' I Microsoft.FirstPerson ') sparingly. 29:295 warning Try to avoid using Microsoft.We first-person plural like 'We'. 29:443 error Punctuation should be inside Microsoft.Quotes the quotes. 33:26 warning Avoid using acronyms in a Microsoft.HeadingAcronyms title or heading. 34:13 warning Try to avoid using Microsoft.We first-person plural like 'we'. 34:20 warning Try to avoid using Microsoft.We first-person plural like 'our'. 34:123 error Use 'we've' instead of 'We Microsoft.Contractions have'. 34:123 warning Try to avoid using Microsoft.We first-person plural like 'We'. 34:206 warning Use first person (such as ' I Microsoft.FirstPerson ') sparingly. 36:210 warning Use first person (such as ' I Microsoft.FirstPerson ') sparingly.✖ 7 errors, 47 warnings and 0 suggestions in 1 file.