ServiceNow Implementation Cert quizlet Flashcards
what does S.O.A.P. stand for?
Simple Object Access Protocol
What are the four parts of a SOAP message (as modeled by the SOAP Message tool)
- Endpoint
- Action
- Headers/Attributes
- Envelope
Action, endpoint, and envelope are all populated automatically from the Web Services Description Language (WSDL) definition.
What is a SOAP Endpoint
The URL (address) to which the SOAP request is delivered. The instance (or the MID Server sending on its behalf) must be able to reach that endpoint over the network for the communication to succeed.
What is a SOAP Action
A string sent as the SOAPAction HTTP header. It is often optional, but some services require it. The string usually names the operation the web service should perform.
SOAP Headers/Attributes
HTTP headers on the request. They carry protocol information (for example Content-Type) as well as custom values such as session IDs or authentication tokens.
SOAP Envelope definition
The XML document that carries the details of the SOAP request. Like an HTML page it has a header and a body; what goes in each is dictated by the web service and described in its corresponding WSDL document.
SOAP Envelope Elements
- Main document
- Header (optional)
- Body
- Fault Element (Optional)
SOAP Envelope Header
Often contains processing instructions for the envelope, but it is not used in all web services
SOAP Envelope Body
Main part of the envelope, required for SOAP requests. Contains the actual message or request that is to be delivered to the web service
SOAP Envelope Fault Element
Often present if there was an error processing the web service request. The web service is responsible for populating this element with descriptive information to help the consumer understand what went wrong, and/or what to do next.
SOAP WSDL
Another XML document used with the SOAP protocol. It is a catalog of the operations the web service provides, together with the format of their messages. A SOAP client should be able to read the WSDL and generate a template for each available request.
What are the 3 Main steps in SOAP communication flow
- Client generates an XML envelope document and sends it to the service as a SOAP request.
- Server receives the SOAP request and processes that request in the manner in which it was coded.
- Server sends a SOAP response back to the client with an answer or response to the request that was submitted.
How to generate a sample SOAP Message
UI action “Generate sample SOAP Message” - will generate templates for all of the available services provided by that SOAP web service.
How does a SOAP Message UI connect to a Web Service
It can either specify a URL to a WSDL document or paste the WSDL document contents directly into the tool
SOAP Message Function UI
- You can open a function record to view details on the template for the request
- Check the Lock field to ensure that future regenerations of SOAP functions do not overwrite the changes that you make to the current template
- ServiceNow supports basic authentication and WS-Security for outbound SOAP requests.
- The SOAP action or endpoint can be customized manually by editing the text. You may need to click the lock button before the endpoint URL can be changed.
Where do you create test values for SOAP message variables
SOAP Message Function UI - OPEN message parameters section
What are the most common ways to call SOAP Messages through script?
Server-side scripts including:
- Business Rules
- Script Includes
- Workflows
What is the SOAPMessage Library
Application Programming Interface (API) around the ServiceNow SOAP Message UI. From script it can be used to set the endpoint, set variable values, submit the request and read the response.
Which Script includes from the Script Includes library support users who are sending out SOAP requests
1) SOAPMessage - supports the SOAP Message UI
2) SOAPEnvelope - Used behind the scenes by the SOAP Message UI; can be called directly by an admin to build custom messages, bypassing the UI
3) SOAPRequest - Same as above: used internally by the UI and callable directly from script
XPATH
Standard mechanism used to parse XML documents
XPATH Character - /
Most basic and primary element. Level separator, similar to Linux/UNIX file system paths; a path beginning with / is absolute from the document root
XPATH Character - //
Selects matching nodes at any depth below the current node (descendants), rather than only direct children along a strict path
XPATH Character - *
Wildcard that matches any element name
How do you use XPATH to get values out of an XML document?
Script include - XMLDocument
What is the most common operation performed by an XML Document Script include
getNodeText - takes an XPATH string in and attempts to parse the XML document with the XPATH to find the element you are looking for and returns the content of that element node
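Added example, not ServiceNow's XMLDocument or SOAPMessage code: a small Node.js script that builds SOAP 1.1 envelopes (optional Header, required Body, and the Fault element described in the envelope cards above) and reads them back with a toy XML parser and an XPath subset covering "/", "//" and "*", including a getNodeText() that behaves like the one described in the card above. The operation names, incident data and fault text are constructed for the example. The escapeXml() step is the caveat the cards leave out: a value copied from a record into the envelope must be escaped, or it can inject elements into the request.

```javascript
'use strict';
// Added example, not ServiceNow code: toy XML parser, XPath subset ("/", "//", "*")
// with a getNodeText() like the XMLDocument one, and SOAP 1.1 envelope build/parse.
// Limits: no comments, CDATA, DTD entities or '>' inside attribute values; attributes dropped.

// Escape text placed inside an element so record data cannot inject elements (XML injection).
function escapeXml(s) {
  return String(s).replace(/[<>&"']/g, c =>
    ({ '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;', "'": '&apos;' })[c]);
}
function unescapeXml(s) {
  return s.replace(/&(lt|gt|amp|quot|apos);/g, (_, e) =>
    ({ lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" })[e]);
}

// Parse well-formed XML into { name, children, text } nodes; the <?xml ...?> declaration is skipped.
function parseXml(xml) {
  const root = { name: '#document', children: [], text: '' };
  const stack = [root];
  const re = /<\?[\s\S]*?\?>|<\/([\w:.-]+)\s*>|<([\w:.-]+)([^>]*?)(\/?)>|([^<]+)/g;
  let m;
  while ((m = re.exec(xml)) !== null) {
    const top = stack[stack.length - 1];
    if (m[1] !== undefined) {                 // closing tag must match the open one
      if (top.name !== m[1]) throw new Error('mismatched </' + m[1] + '>');
      stack.pop();
    } else if (m[2] !== undefined) {          // opening or self-closing tag
      const node = { name: m[2], children: [], text: '' };
      top.children.push(node);
      if (!m[4]) stack.push(node);
    } else if (m[5] !== undefined) {          // text content
      top.text += unescapeXml(m[5]);
    }
  }
  if (stack.length !== 1) throw new Error('unclosed <' + stack[stack.length - 1].name + '>');
  return root;
}

function descendants(node) {
  const out = [];
  for (const c of node.children) out.push(c, ...descendants(c));
  return out;
}

// "/a/b" walks direct children (strict path), "//b" searches all descendants, "*" matches any name.
function selectNodes(context, xpath) {
  let current = [context];
  for (const step of xpath.match(/\/\/?[^/]+/g) || []) {
    const deep = step.startsWith('//');
    const name = step.replace(/^\/+/, '');
    const next = [];
    for (const node of current) {
      for (const c of deep ? descendants(node) : node.children) {
        if (name === '*' || c.name === name) next.push(c);
      }
    }
    current = next;
  }
  return current;
}

// Trimmed text of the first matching node, or null when the path finds nothing.
function getNodeText(context, xpath) {
  const hits = selectNodes(context, xpath);
  return hits.length ? hits[0].text.trim() : null;
}

const SOAP_NS = 'http://schemas.xmlsoap.org/soap/envelope/';

// SOAP 1.1 envelope: optional Header, required Body.
function buildEnvelope(bodyXml, headerXml) {
  return '<?xml version="1.0" encoding="UTF-8"?>' +
    '<soap:Envelope xmlns:soap="' + SOAP_NS + '">' +
    (headerXml ? '<soap:Header>' + headerXml + '</soap:Header>' : '') +
    '<soap:Body>' + bodyXml + '</soap:Body></soap:Envelope>';
}

// A soap:Fault inside the Body means the service reported an error.
function parseSoapResponse(xml) {
  const doc = parseXml(xml);
  const fault = selectNodes(doc, '/soap:Envelope/soap:Body/soap:Fault');
  if (fault.length) {
    return { ok: false, faultcode: getNodeText(fault[0], '/faultcode'),
             faultstring: getNodeText(fault[0], '/faultstring') };
  }
  return { ok: true, body: selectNodes(doc, '/soap:Envelope/soap:Body/*')[0] || null };
}

// Constructed samples (operation names and data are made up for this example).
const hostile = 'INC0010001</number><admin>true';   // record data that tries to inject an element
const request = buildEnvelope('<getIncident><number>' + escapeXml(hostile) + '</number></getIncident>');
const okResponse = buildEnvelope('<getIncidentResponse><number>INC0010001</number>' +
  '<short_description>Printer &amp; scanner down</short_description></getIncidentResponse>');
const faultResponse = buildEnvelope('<soap:Fault><faultcode>soap:Client</faultcode>' +
  '<faultstring>Unknown operation</faultstring></soap:Fault>');

if (typeof module !== 'undefined' && require.main === module) {
  console.log(parseSoapResponse(okResponse), parseSoapResponse(faultResponse));
  console.log(getNodeText(parseXml(okResponse), '//short_description'));
  console.log(selectNodes(parseXml(request), '//admin').length);   // 0: the injection was escaped
}
```

Run it with node; the last line shows that the escaped request contains no injected admin element, and the fault branch is what a caller should check before trusting the Body.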
XML Helper
- Includes a number of functions.
- Allows you to access parts of the XML document as if the various elements were member variables to an object. Each level down the XML document is represented by member variables that are new objects themselves.
- Most commonly used function (toObject) takes an XML string and converts it to a JavaScript object.
REST
- REpresentational State Transfer
- Lightweight alternative to SOAP
- Loosely specified (an architectural style rather than a protocol)
- Better suited to scale & performance
- Most modern web applications are REST
ServiceNow REST functionality allows you to:
Retrieve, Create, Update, or Delete data on a web server
HTTP Methods supported by REST
- Get
- Post
- Put
- Delete
REST Request and Response Elements
- Request URL: specifies the address of the resource; together with the HTTP verb (method) it identifies the operation
- Query Parameters: optional and appended to the URL path of the request
- HTTP Headers : required component of the message and contain metadata for the transaction (encoding, date, authorization, etc.)
- Content or Body: optional, contains data to be transmitted
Rest Message UI
- Similar to SOAP Message Tool
- Requires an Endpoint
- Generates the four HTTP Methods as Functions
- Endpoint can use variables - ${varName}
Describe the following REST Function Option:
Variables
- Can be used in various parts:
- Endpoint URL
- Header names or values
- Function parameter definition names or values
- Content
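Added example, not ServiceNow's RESTMessageV2 code: a Node.js script modeling ${varName} substitution into the three places the card lists (endpoint URL, header names or values, and content). The point it adds is that each part needs a different encoding: path variables are URL-encoded, header values are rejected if they contain CR/LF (header injection), and content variables are inserted as JSON string literals. The hostname api.example.com, the function definitions and the sample variable values are constructed for the example.

```javascript
'use strict';
// Added example, not ServiceNow's REST Message implementation: ${varName}
// substitution with a per-part encoder so record data cannot escape the URL
// path, inject a header line, or break the JSON content.

const VAR = /\$\{([A-Za-z_][A-Za-z0-9_]*)\}/g;

// Every placeholder must resolve; the caller picks the encoder for the part.
function substitute(template, vars, encode) {
  return template.replace(VAR, (_, name) => {
    if (!(name in vars)) throw new Error('unset variable ${' + name + '}');
    return encode(vars[name]);
  });
}

// Header names/values may not contain CR or LF (prevents header injection).
function headerValue(v) {
  const s = String(v);
  if (/[\r\n]/.test(s)) throw new Error('CR/LF not allowed in header: ' + JSON.stringify(s));
  return s;
}

// JSON content: insert the value as the inside of a JSON string literal, so a
// template like {"number":"${number}"} keeps its own quotes and stays valid.
function jsonValue(v) {
  return JSON.stringify(String(v)).slice(1, -1);
}

// A REST function in the shape of the REST Message UI fields (constructed).
function buildRequest(fn, vars) {
  const url = substitute(fn.endpoint, vars, encodeURIComponent);
  const headers = {};
  for (const [k, v] of Object.entries(fn.headers)) {
    headers[substitute(k, vars, headerValue)] = substitute(v, vars, headerValue);
  }
  const body = (fn.method === 'POST' || fn.method === 'PUT')
    ? substitute(fn.content, vars, jsonValue)   // content is only sent for POST and PUT
    : null;
  return { method: fn.method, url, headers, body };
}

const getIncident = {
  method: 'GET',
  endpoint: 'https://api.example.com/v1/incidents/${number}',   // assumed hostname
  headers: { Accept: 'application/json', 'X-Request-Id': '${reqId}' },
  content: '',
};

const createIncident = {
  method: 'POST',
  endpoint: 'https://api.example.com/v1/incidents',
  headers: { 'Content-Type': 'application/json' },
  content: '{"number":"${number}","short_description":"${desc}"}',
};

if (typeof module !== 'undefined' && require.main === module) {
  // Path traversal in the variable is neutralised by URL encoding.
  console.log(buildRequest(getIncident, { number: 'INC0010001/../admin', reqId: 'r1' }));
  // Quotes and backslashes in the description survive as valid JSON.
  console.log(buildRequest(createIncident, { number: 'INC0010002', desc: 'quote " and \\ here' }));
}
```

Note that encodeURIComponent is the right encoder only for a single path segment or query value; a variable that is meant to hold a whole URL or several segments needs a different, explicit decision.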
Describe the following REST Function Option:
Connectivity Options
- Authentication
- MID Server
Describe the following REST Function Option:
Access to HTTP Request Components
- Headers
- Parameters
- Content (POST, PUT only)
Describe the following REST Function Option:
Set Variable values
String v. XML
What are the REST Function Options
- Variables
- Connectivity
- Access to HTTP Request components
- Set Variable Values
- Test the request
- Preview script usage
Stages of StartNow implementation methodology
- Plan
- Discover
- Prepare
- Deploy
- Operate
- Transform
What type of VPN does ServiceNow support?
Site-to-Site VPN between a ServiceNow data center and the customer's data center
What is VPN typically used for?
- Securing (encrypting) connections that originate at ServiceNow and are destined for the customer's network
- Access to customer’s LDAP server
- JDBC access/integration with a customer’s database
How many VPN tunnels does ServiceNow support and why
Minimum of 2 and maximum of 4 tunnels; the minimum of 2 provides redundancy. VPN is not supported as a way to serve multiple geographic regions or disparate networks within the client organization.
How do you request VPN?
Through HI (the ServiceNow support portal). Typically takes about 2 weeks.
VPN for LDAP
Customers are recommended to implement LDAPS (LDAP over SSL/TLS) rather than standard LDAP, which is unencrypted. Standard LDAP communicates over TCP port 389. LDAPS communicates over TCP port 636 and requires the server's digital certificate to be uploaded to the instance. A VPN should be used if standard LDAP is used instead of LDAPS, since otherwise bind credentials and directory data cross the Internet in the clear.
VPN for JDBC & Web Services
Recommended to install a MID Server inside the customer network. The MID Server initiates outbound connections to the instance over HTTPS, so no VPN or inbound firewall opening is needed for JDBC and web service integrations.
VPN for email integration
Not supported when ServiceNow is configured to use mail.service-now.com for SMTP and POP3. That service uses opportunistic TLS: if the other mail server supports TLS the traffic is encrypted, otherwise it falls back to regular SMTP without encryption.
Supported when the customer's own mail server is used.
DIT
Data in an LDAP-enabled directory is represented as a hierarchy of objects, each of which is called an entry. The resulting tree structure is called the Directory Information Tree (DIT).
DN (LDAP)
Distinguished name - fully qualified path in an LDAP tree
RDN (LDAP)
Each component of a Distinguished Name (one attribute=value pair, such as OU=Users) is called a Relative Distinguished Name (RDN)
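Added example, not ServiceNow code: a Node.js script that splits a Distinguished Name into its RDNs following the RFC 4514 escaping rules, and escapes a value before it is placed into a DN such as the Login distinguished name or the Starting search directory. The DN strings are constructed for the example. The practitioner's point is that a naive split on commas misreads any value containing an escaped comma (a common case with "Surname, Given" common names), and that unescaped user-supplied values placed in a DN can change which entry is addressed.

```javascript
'use strict';
// Added example, not ServiceNow code: RFC 4514 DN parsing and escaping.
// Handles "\," style escapes, "\2C" hex escapes (single-byte only) and
// multi-valued RDNs joined with "+". Unescaped "=" inside a value is tolerated.

// Returns an array of RDNs, each an array of { attr, value } pairs.
function parseDn(dn) {
  const rdns = [];
  let parts = [];                 // pairs of the RDN being built
  let attr = null, buf = '';
  const finishPair = () => {
    if (attr === null) throw new Error('RDN without "=" in: ' + dn);
    parts.push({ attr: attr.trim(), value: buf });
    attr = null; buf = '';
  };
  for (let i = 0; i < dn.length; i++) {
    const c = dn[i];
    if (c === '\\') {
      if (i + 1 >= dn.length) throw new Error('trailing backslash in: ' + dn);
      const hex = dn.slice(i + 1, i + 3);
      if (/^[0-9A-Fa-f]{2}$/.test(hex)) {      // \XX hex escape
        buf += String.fromCharCode(parseInt(hex, 16)); i += 2;
      } else {                                  // \c escape of a special character
        buf += dn[i + 1]; i += 1;
      }
    } else if (c === '=' && attr === null) {
      attr = buf; buf = '';
    } else if (c === ',' || c === '+') {
      finishPair();
      if (c === ',') { rdns.push(parts); parts = []; }
    } else {
      buf += c;
    }
  }
  finishPair();
  rdns.push(parts);
  return rdns;
}

// Escape one attribute value for inclusion in a DN (RFC 4514 section 2.4).
function escapeDnValue(value) {
  return String(value)
    .replace(/\\/g, '\\\\')
    .replace(/[,+="<>;]/g, c => '\\' + c)
    .replace(/^#/, '\\#')
    .replace(/^ /, '\\ ')
    .replace(/ $/, '\\ ');
}

// Build a DN from [attr, value] pairs, escaping each value.
function buildDn(pairs) {
  return pairs.map(([a, v]) => a + '=' + escapeDnValue(v)).join(',');
}

// First value of the given attribute anywhere in the DN, or null.
function getRdnValue(dn, attr) {
  for (const rdn of parseDn(dn)) {
    for (const p of rdn) if (p.attr.toLowerCase() === attr.toLowerCase()) return p.value;
  }
  return null;
}

// Constructed sample: a CN containing an escaped comma.
const sampleDn = 'CN=Doe\\, John,OU=Users,DC=example,DC=com';

if (typeof module !== 'undefined' && require.main === module) {
  console.log(sampleDn.split(',').length, 'pieces from a naive split (wrong)');
  console.log(parseDn(sampleDn).length, 'RDNs from parseDn');
  console.log(buildDn([['CN', 'Doe, John'], ['OU', 'Users'], ['DC', 'example'], ['DC', 'com']]));
}
```

The hex-escape branch decodes one byte at a time, so a multi-byte UTF-8 character written as several \XX escapes would need a byte-buffer step that this example omits.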
What are the requirements for LDAP Server Configuration in the Graphical User Interface (GUI)
- Name
- Server URL
- Login distinguished name
- Login password
- Starting search directory
- Organizational Unit (OU) Definition
LDAP Organizational Unit (OU) Definition
Define directories that are the source for the imported data. Can contain locations, people, or user groups
Types of LDAP Communication channels
- MID Server (can be used to import data but not for authentication)
- Standard LDAP - communicates unencrypted over TCP (port 389), does not require a certificate
- SSL-encrypted (LDAPS, port 636) - requires an X.509 certificate
- VPN - communicates over an IPsec tunnel
Testing LDAP Connection
- Manually through UI action
- Automatically - SN tests every 15 minutes by default
Company Settings
- System Properties - My Company
- Can Modify
- Banner Text
- Primary (T/F)
- Banner Image (upload)
- Further modifications made in glide.product.___ properties
Where is Login Page Configuration adjusted
System UI > Welcome Page Content
Where are System Schedules found
System Scheduler > Schedules
Where are homepage configurations made
- Homepage Admin > Pages
- Has Read/Write roles
- Can edit by clicking Edit UI Action
Levels of Contextual Security
Several layers that an end user must pass before performing CRUD (create, read, update, delete) operations on a table:
- User Authentication/Login
- User Interface
- Database
What does the User Authentication/Login security level govern
- Users
- Groups
- Roles
User Interface security level
Governs applications and modules; controlled by the roles configured at the application and module level
Database Security Level
- Governs table and field access
- controlled via globally defined system properties as well as table and field level Access Controls
- If a row level rule and a field level rule are in conflict, both must be true before an operation is allowed
Features of Contextual Security
- Protects a record based on its contents and table location
- Data is acted upon based on the position of the information in the table hierarchy
- Defines Access Control rules at any level in the object hierarchy
- Uses roles to implement Access Controls and assign permissions, for example, read, write, and create
What is an access control
Security rule defined at the row level (access to the record) and at the column level (access to the field), evaluated whenever any ServiceNow table is accessed. It specifies, and is named for, the object(s) being secured
What is an ACL
Access control list, list of all the Access Controls for a table
Three ways Access Controls are defined
- Roles (if several roles are listed, the user must have at least one of them)
- Conditional expressions (the rule passes, i.e. allows, if the condition evaluates to true)
- Scripts (the script sets the answer variable to true to allow or false to deny)
Access Control Wildcard Rule
Selection of the wildcard symbol from the name drop down list on the access control form means that the rule in question applies to all fields on the selected table except for those with explicit rules
ACL Evaluation order
- Most specific to least
- Starts at field, then goes to table
Field ACL rule evaluation order
Find first matching:
1) table.field (incident.number)
2) parent_table.field (task.number)
3) .field (.number)
4) table. (incident.)
5) parent_table. (task.)
6) . (.)
Table ACL rule evaluation order
If no field ACL matched, or one matched and passed, the table rules are evaluated next, finding the first match:
- Match the table name. For example, incident
- Match the parent table name. For example, task
- Match any table name (wildcard). For example, *
If none of these match, or a match is found and passes, access to the record object is granted.
Three main security modules:
- System Properties > Security - sets the default behavior for tables that have no ACLs
- System Security > Access Control - manages ACLs
- System Security > High Security Settings - set tighter security options
Evaluation order of ACL elements
- role
- condition
- script
Elements of the ServiceNow Application Security Model
- Contextual Security (ACLs, etc.)
- IP Address Access Controls (System Security > IP Address Access Control) - allow or deny certain IP ranges
- Encryption
Keys to Success with security
- Risk-based & Data-centric
- know what you are storing
- consult with security to understand requirements
- Secure 1st, develop 2nd
- configure security settings up front
- apply ACLs at the beginning of development
- documented approach
- checklist at key phases
- starting points
- remove demo data
- upgrade to latest version
- identify plugins to enable, such as High Security Settings
Name of plugin that supports field encryption
Encryption Support
How do users get encryption contexts
Admin creates the context, assigns it to a role
Which operations can be secured through ACLs
- CRUD
- Execute
- Edit Task Relations
- Edit CI Relations
- Save as Template
- Add to List
- List Edit
- Report on
- Personalize choices
What do Access Control Rules Apply to?
- Records
- UI Pages
- Processors
- Client Callable Script Includes
How many ACLs come OOtB
Over 4,500. Add all plugins, >6,000
ACL Script Evaluation, built in GlideRecord methods
- canRead()
- canWrite()
- canCreate()
- canDelete()
Predefined ACLs by role
- End Users
- Submit records in some applications (create)
- Read and update their own records in those applications
- Fulfillers
- general read and write access for applications they have a role for
- task assignment
- application/process administrators
- delete records
- change state to closed
How are ACL rules matched?
- From most specific to least specific
- processing orders define matching criteria
- For record rules a table and field rule will be searched for
- both are evaluated
- The first match found is the rule evaluated at each processing level; if parent_table.field matches, the search does not continue to the next field level
What happens if there are multiple ACL rules at the same processing level?
any passed rule will allow access
What happens if a user fails a table ACL rule
- User is denied access to all fields in the table even if the user previously passed a field ACL rule
- list of table will show security constraint message
What happens if a user fails a field ACL rule but passes a table ACL rule
User is denied access to the field
What happens when a table write rule fails
All fields on the form are read-only unless a more specific field write rule exists
What happens when a table create rule fails
user will not have the “new” button
What happens when a field write rule fails
field will be read-only
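Added example, not ServiceNow's ACL engine: a Node.js model of the matching and evaluation rules spelled out in the cards above (the field levels from table.field down to ".", the table levels from table down to "*", first level with a rule wins, any passing rule at that level grants, field and table must both pass, and role, condition and script are checked in that order). The parent-table map, the rule set, the users and the record are constructed for the example; the real hierarchy lives in sys_db_object, and an ACL script in ServiceNow sets the answer variable rather than returning a value.

```javascript
'use strict';
// Added example, not ServiceNow code: a model of ACL matching order and
// evaluation for one operation on one table/field.

// Constructed parent-table map (the real hierarchy is in sys_db_object).
const PARENT = { incident: 'task', change_request: 'task' };

// Field processing levels: table.field, parent.field, .field, table., parent., "."
function fieldLevels(table, field) {
  const parent = PARENT[table] || '';
  return [...new Set([
    table + '.' + field, parent + '.' + field, '.' + field,
    table + '.', parent + '.', '.',
  ])];
}

// Table processing levels: table, parent table, wildcard.
function tableLevels(table) {
  return [table, PARENT[table], '*'].filter(Boolean);
}

// A rule passes when the user holds one of its roles (if any are listed),
// its condition holds, and its script returns true; checked in that order.
function rulePasses(rule, record, user) {
  if (rule.roles && rule.roles.length && !rule.roles.some(r => user.roles.has(r))) return false;
  if (rule.condition && !rule.condition(record, user)) return false;
  if (rule.script && !rule.script(record, user)) return false;
  return true;
}

// Walk the levels; the first level that has rules decides, and any one
// passing rule at that level is enough. No rule at any level falls through.
function evaluateLevels(rules, operation, levels, record, user) {
  for (const name of levels) {
    const matches = rules.filter(r => r.name === name && r.operation === operation);
    if (matches.length) {
      return { matched: name, pass: matches.some(r => rulePasses(r, record, user)) };
    }
  }
  return { matched: null, pass: true };
}

// defaultAllow models the System Properties > Security setting that applies
// when a table has no ACL at all.
function canAccess(rules, operation, table, field, record, user, defaultAllow = true) {
  const f = evaluateLevels(rules, operation, fieldLevels(table, field), record, user);
  if (!f.pass) return { allowed: false, reason: 'field rule ' + f.matched + ' failed' };
  const t = evaluateLevels(rules, operation, tableLevels(table), record, user);
  if (!t.pass) return { allowed: false, reason: 'table rule ' + t.matched + ' failed' };
  if (f.matched === null && t.matched === null) return { allowed: defaultAllow, reason: 'no ACL' };
  return { allowed: true, reason: 'passed ' + (f.matched || '-') + ' / ' + (t.matched || '-') };
}

// Constructed rule set in the spirit of the baseline task/incident ACLs.
const RULES = [
  { name: 'incident', operation: 'read',
    condition: (rec, u) => u.roles.has('itil') || rec.caller_id === u.name },
  { name: 'task.', operation: 'write', roles: ['itil'] },
  { name: 'incident.number', operation: 'write', roles: ['admin'] },
  { name: 'task', operation: 'delete', roles: ['itil_admin'] },
];

const fulfiller = { name: 'beth', roles: new Set(['itil']) };
const caller = { name: 'abel', roles: new Set() };
const stranger = { name: 'carl', roles: new Set() };
const rec = { sys_id: '1', caller_id: 'abel' };

if (typeof module !== 'undefined' && require.main === module) {
  console.log(canAccess(RULES, 'read', 'incident', 'short_description', rec, caller));
  console.log(canAccess(RULES, 'read', 'incident', 'short_description', rec, stranger));
  console.log(canAccess(RULES, 'write', 'incident', 'number', rec, fulfiller));
  console.log(canAccess(RULES, 'write', 'incident', 'short_description', rec, fulfiller));
}
```

The third call shows the field-level failure from the cards: the fulfiller passes the inherited task. write rule for most fields but cannot write incident.number because the more specific field rule requires admin and is evaluated first.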
Security debug
System Security > Debug Security Rules
Session Specific
Creating an Encryption context
- Define:
- Name
- Encryption Key (if left blank, ServiceNow auto-generates one). ServiceNow cannot retrieve a customer-supplied key, so the customer must retain it
Creating an encrypted field
Add a new field with Type: Encrypted Text
Encryption context selector
For users with multiple encryption contexts
System UI > UI Macros > encryption_select. Shows under gear. Only shows for users with multiple contexts
What happens to encrypted fields if a user has no encryption contexts
Form hides the encrypted field
What happens when a user has one encryption context and there is no data in an encrypted field
form displays encrypted field. When a user enters data in the field, the field automatically uses the currently selected encryption context to encrypt the field
What happens when a user has one encryption context and there is data in an encrypted field
If the user has the matching context, the form displays the field
If a user has multiple encryption contexts and there is no data in an encrypted field
form displays the field and when the user enters data, field is encrypted using currently selected context
User has multiple encryption contexts and there is data in the field
User will have access to the field if they have the matching context. Encrypted field always uses the original encryption context to encrypt changes to the field. Prevents users with multiple contexts from changing field context
Encrypting attachments
Users with >=1 encryption contexts will get Encrypt File checkbox. If they have >1, they are asked to confirm the context
How to identify which encryption context a field or attachment is using
Hover over the encryption (lock) icon and it will display
Encrypting passwords in System Properties
The Encrypt SysProperty Password business rule automatically encrypts the value of any system property whose type is password or password2. The instance only decrypts the password in memory and never saves a clear-text version.
The business rule runs when you add a new value or update an existing one
Script editor color coding
- Green - Comments
- Purple - Javascript commands
- Blue - strings, reserved words
Default Script Macros
- macro name followed by tab
- For (for loop)
- Doc (multiline comment)
- Help (list of macros and their shortcuts)
Creating a script macro
System Definition > Syntax Editor Macros
What is a client script
- Execute in browser
- manage forms and fields in real-time
Baseline Client Scripts
- ~330
- not all are active
- samples included as starting points