Access Requests with ServiceNow
- Version 15.x
- Version 14.x
- Version 13.x
- Version 12.x
- Older Versions
- Available for:
With Teleport's ServiceNow integration, engineers can access the infrastructure they need to resolve incidents quickly, without granting longstanding admin permissions that can become a vector for attacks.
Teleport's ServiceNow integration allows you to treat Teleport Access Requests as ServiceNow incidents, notify the appropriate on-call team, and approve or deny the requests via Teleport.
This guide will explain how to set up Teleport's Access Request plugin for ServiceNow.
A running Teleport Enterprise cluster. For details on how to set this up, see the Enterprise Getting Started guide.
tctladmin tool and
tshclient tool version >= 14.2.0. You can download these tools by visiting your Teleport account. You can verify the tools you have installed by running the following commands:tctl version
Teleport Enterprise v14.2.0 go1.21tsh version
Teleport v14.2.0 go1.21
A Teleport Enterprise Cloud account. If you do not have one, visit the signup page to begin a free trial of Teleport Team and upgrade to Teleport Enterprise Cloud.
tctladmin tool and
tshclient tool version >= 14.1.3. To download these tools, visit the Downloads page.tctl version
Teleport Enterprise v14.1.3 go1.21tsh version
Teleport v14.1.3 go1.21
- An ServiceNow account with access to read and write to and from the 'incident' table.
- The ServiceNow integration is currently only available in Teleport Cloud.
- To check that you can connect to your Teleport cluster, sign in with
tsh login, then verify that you can run
tctlcommands using your current credentials.
tctlis supported on macOS and Linux machines. For example:If you can connect to the cluster and run thetsh login --proxy=teleport.example.com --user=[email protected]tctl status
CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
tctl statuscommand, you can use your current credentials to run subsequent
tctlcommands from your workstation. If you host your own Teleport cluster, you can also run
tctlcommands on the computer that hosts the Teleport Auth Service for full permissions.
We will configure the ServiceNow plugin to create an incident when certain users create an Access Request.
The Teleport ServiceNow plugin works by receiving Access Request events from the Teleport Auth Service and, based on these events, interacting with the ServiceNow API.
Before making the access request ensure the user making the request has
At this point, you have a ServiceNow user that the ServiceNow plugin will use to connect to the ServiceNow API. To configure the plugin to use this user navigate to Management -> Integrations -> Enroll New Integration.
The plugin requires credentials that can read and write to the incident table.
As the Teleport user
myuser, create an Access Request for the
A Teleport admin can create an Access Request for another user with
tctl request create myuser --roles=editor
Users can use
tsh to create an Access Request and log in with approved roles:
tsh request create --roles=editorSeeking request approval... (id: 8f77d2d1-2bbf-4031-a300-58926237a807)
Users can request access using the Web UI by visiting the "Access Requests" tab and clicking "New Request":
In ServiceNow, you will see a new incident containing information about the Access Request.
Once you receive an Access Request message, click the link to visit Teleport and approve or deny the request:
You can also review an Access Request from the command line:
Replace REQUEST_ID with the id of the requesttctl request approve REQUEST_IDtctl request deny REQUEST_ID
Replace REQUEST_ID with the id of the requesttsh request review --approve REQUEST_IDtsh request review --deny REQUEST_ID