Automating Access Revocation Tickets with ServiceNow Guide

Date Posted:

Category:

Security

Author:

Anjana

Automating Access Revocation Tickets: Integrating SailPoint ISC with ServiceNow ServiceDesk

Why Service Desk Needs Integration to SailPoint

Every day, employees leave companies, change roles, or lose the need for specific system access. SailPoint Identity Security Cloud (ISC) catches these violations during certifications and policy checks. But the weakest link in security posture is when someone has to manually open a ServiceNow ticket, assign it to the right team, and hope it doesn't fall through the cracks.

This blog describes exactly how to close that gap by connecting SailPoint ISC directly to ServiceNow, so that when ISC flags an access revocation, a properly structured ticket appears in the service desk queue automatically, routed to the right resolver group, with all the context that’s required.

What ServiceNow Does

ServiceNow is an IT service management (ITSM) platform. The service desk team triages incidents, works through change requests, and closes tasks. It is the operational layer that turns a governance decision into real-world action: accounts get disabled, permissions get removed, and the evidence is documented in the ticket record.

Architecture

The integration works in three stages:

Stage 1 - Revocation tickets from ISC
Certification campaigns or policies are run on the ISC side for the applications that are in scope for governance. When a reviewer marks an access item for revocation, ISC generates a revocation event, which in this integration becomes a ServiceNow ticket.

Stage 2 - Ticket in Transmission
ISC sends the revocation ticket to ServiceNow via a REST API call. The call typically includes the identity details, the entitlement being revoked, the reason for revocation, and any other necessary context.

Stage 3 - ServiceNow Ticket
ServiceNow receives the ticket, creates an Incident, populates the relevant fields, and assigns it to the appropriate team. The application team works the ticket, completes the revocation, and resolves it. ISC then closes the loop during the next aggregation.

Configuration and Integration Setup

Steps

  1. Set up a ServiceNow Governance Connector to bring all the accounts in the organization into ISC so that the Service Desk can identify the users.

  2. Create a Service Account with the required access.

  3. On the ServiceNow side, create Sys_IDs for the applications from which the entitlements need to be revoked.

  4. Using those Sys_IDs and the service desk connector on the ISC side, integrate the Service Desk.

  5. Make the necessary changes to the fields in ISC.

  6. Test the integration either by testing a revocation or by testing an access request.

Closed Loop Remediation

If ISC never learns that the ticket was resolved and the access was actually removed, certifications remain open indefinitely, creating audit issues. The write-back pattern solves this by having ServiceNow notify ISC when a revocation ticket is resolved, after which ISC marks the corresponding certification item as complete. This is called closed loop remediation, and it occurs when the identity is aggregated back into SailPoint after the revocation. Through native change detection, ISC identifies that the access has been removed and the ticket is moved to the Closed state, ensuring the loop is closed.
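As an added illustration (not code from this post, nor from SailPoint or ServiceNow), the Python sketch below shows the Stage 2 payload and the closed-loop check together: it maps a constructed ISC revocation event onto a ServiceNow incident record for the Table API (`/api/now/table/incident`, authenticated with the step 2 service account), and after the next aggregation checks whether the revoked entitlement is really gone. The event field names, the application-to-assignment-group sys_id mapping and the use of `correlation_id` to carry the certification item reference are assumptions.

```python
import base64
import json
import urllib.request

# Constructed ISC revocation event (sample values, not a real identity).
REVOCATION_EVENT = {
    "identity": {"name": "jdoe", "email": "jdoe@example.com"},
    "application": "Payroll App",
    "entitlement": "Payroll-Admin",
    "reason": "Reviewer revoked access in Q3 certification",
    "certification_item_id": "cert-item-0001",
}

# Hypothetical mapping from application to the assignment group sys_id
# created in step 3 (placeholder value, not a real sys_id).
ASSIGNMENT_GROUP_SYS_ID = {"Payroll App": "<sys_id-of-payroll-team>"}


def build_incident_payload(event: dict) -> dict:
    """Translate an ISC revocation event into a ServiceNow incident record."""
    group = ASSIGNMENT_GROUP_SYS_ID.get(event["application"])
    if group is None:  # refuse to create an unroutable ticket
        raise ValueError(f"no assignment group for {event['application']}")
    ident = event["identity"]
    return {
        "short_description": f"Revoke {event['entitlement']} on "
                             f"{event['application']} for {ident['name']}",
        "description": (f"Identity: {ident['name']} ({ident['email']})\n"
                        f"Entitlement: {event['entitlement']}\n"
                        f"Reason: {event['reason']}\n"
                        f"ISC certification item: {event['certification_item_id']}"),
        "assignment_group": group,
        # Task field used here to tie the ticket back to the ISC item (assumption).
        "correlation_id": event["certification_item_id"],
    }


def post_incident(instance: str, user: str, password: str, payload: dict) -> dict:
    """Network call: POST the record to the ServiceNow Table API with basic auth."""
    url = f"https://{instance}.service-now.com/api/now/table/incident"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["result"]


def revocation_confirmed(aggregated_entitlements: set, event: dict) -> bool:
    """Closed-loop check: after aggregation the revoked entitlement must be absent."""
    return event["entitlement"] not in aggregated_entitlements
```

Only `revocation_confirmed` returning true should let the certification item be marked complete; a ticket resolved while the entitlement still aggregates back is a remediation gap worth alerting on.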

Governance

One of the most important outcomes of this integration is the audit trail which is created automatically. Both ISC and ServiceNow maintain timestamped records of every action. For compliance purposes, reviewers need evidence that access was not just marked for revocation but actually removed. The combination of an ISC certification record (showing the decision) and a resolved ServiceNow ticket (showing the action) provides that evidence.

Additional Developments

  • Extend to provisioning: The same ServiceNow integration can be used to open tickets when ISC approves new access requests, not just revocations.

  • Add manager notifications: A ServiceNow notification can be sent to the affected user's manager when a revocation ticket is opened.

  • Automate the removal itself: For applications where ServiceNow has a direct connector, the ticket's workflow can be configured to automatically trigger the deprovisioning action.
