Own Connect App Installation

    New Customers
    An Own account is required before installing and configuring Own Connect. Schedule a demo to speak to an Own representative. Our team will reach out with more information.

    Remove the Pilot components if necessary:

    1. Set the following Pilot components to "active = false":
      1. The Scripted REST API [sys_ws_definition] "OwnBackup Extract API". 
      2. The Scripted REST Resources [sys_ws_operation] "Extract Table Data". 
      3. The Scripted REST Resources [sys_ws_operation] "Information". 
    2. Or delete the Scripted REST API [sys_ws_definition] "OwnBackup Extract API".
      1. This deletes the associated API endpoints and filter parameters.

    App Installation:

    1. Click “Request App” on the ServiceNow Store listing:

    2. The request is routed to Own’s ServiceNow Store account for approval.

    3. Once approved, install the app in the ServiceNow instance:

      1. Navigate to All > System Applications > All Available Applications > All.

      2. Find the application using the filter criteria and search bar.

      3. Select a version from the list and select Install.

    App Configuration:

    If the Backup Service is configured with:

    • Basic Auth: Assign the app's admin role x_owba_connect.x_owba_extract.admin to the Own user (in addition to admin).
    • OAuth: Assign the app’s admin role x_owba_connect.x_owba_extract.admin to the Own user (in addition to admin) who will allow the OAuth connection in Step 6 here.

    Own Connect is a custom application that requires Cross Scope Privilege [sys_scope_privilege] and Restricted Caller Access [sys_restricted_caller_access] records to read data from other application scopes. For security reasons, ServiceNow does not allow us to bundle these records in our application. Instead, ServiceNow admins must acknowledge that the records are required by creating them manually, creating them via script, or importing them via XML.

    For Own Connect, Cross Scope Privilege records must be created for all out of box applications/tables, and Restricted Caller Access records must be created for applications that require more security, such as HRSD (which ones depends on the applications the customer has installed). Certain application scopes need these additional permissions because they can contain sensitive data.

    1. To start, in the ServiceNow instance, switch to the Own Connect scope. The following link contains an XML of cross scope privileges you need to import for all the out of box applications/tables:

    2. Once the Cross Scope Privilege records are created in ServiceNow, navigate to the Own Platform. In the Service Options, set the API Version to “Own Connect”.

    3. Run an on-demand backup or let the next scheduled backup run.

    4. There may be additional applications installed aside from the out of box applications. These applications require additional Cross Scope Privileges or Restricted Caller Access records. Users may encounter 500 errors for every table within those applications in the Own UI.

    Resolving 500 errors:

    1. Copy the list of tables with 500 errors into a text editor, such as Sublime Text. Format the tables so each table has its own line:
    2. In ServiceNow, navigate to the Cross Scope Privileges table [sys_scope_privilege]. We will check if these tables have Cross Scope Privilege records. Create the following filter:
    3. The filter returns 0 results or some results.

      1. If there are Cross Scope Privilege records already created, additional Restricted Caller Access [sys_restricted_caller_access] records must be created (Step 8).

    4. To create the missing Cross Scope Privileges, format the list generated in Step 1 like so:

      1. Using a text editor:

        1. Move the cursor to the beginning of each row.

        2. Add a quotation mark (").

        3. Move the cursor to the end of each row.

        4. Add a quotation mark and comma (",).

    NOTE: Remove the “and” and “.” from the last table in the list.
    1. Then add the list to the following script:
    // Script to get table names and application scope sys_ids
    
    var tables_arr = [
    "alm_transfer_order_line_subtask",
    "alm_transfer_order_line_task",
    "...",
    ];
    
    for (var i = 0; i < tables_arr.length; i++) {
        // Look up the table definition to find the scope that owns it
        var grGetTableInfo = new GlideRecord('sys_db_object');
        grGetTableInfo.addQuery('name', tables_arr[i]);
        grGetTableInfo.query();
        if (grGetTableInfo.next()) {
            // Prints "table_name:scope_sys_id" on its own line
            gs.print('\n' + grGetTableInfo.getValue('name') + ':' + grGetTableInfo.getValue('sys_scope') + '\n');
        } else {
            // Name the table that was not found so it can be corrected
            gs.print('error: table not found: ' + tables_arr[i]);
        }
    }
    1. Run this script as a Background Script. This returns an execution history which needs to be downloaded.
    2. From that result, remove the lines containing “*** Script:” and format the list of table names to match the following:
    3. Then add the list to the following script:
    // Script to create Cross Scope Privilege records given a table name and application scope
    
    var records = [
      "aw_record_type_selector:06e4ef0d87130300ada4046787cb0b08",
      "sn_publications_workflow_config:0fdd6483d72302004f1e82285e61033a",
      "...",
      // Target Table Name and Target Scope sys_id separated by a Colon (:)
    ];
    
    var totalCreated = 0;
    
    for (var i = 0; i < records.length; i++) {
      var entry = records[i].split(":");
      // Skip placeholders and malformed entries rather than inserting a record with no target scope
      if (entry.length !== 2 || !entry[0] || !entry[1]) {
        gs.error("Skipping malformed entry: " + records[i]);
        continue;
      }
      var grCreateRecord = new GlideRecord("sys_scope_privilege");
      grCreateRecord.initialize();
      grCreateRecord.operation = "read";
      grCreateRecord.sys_scope = "c561b5ff876361907dcf84c7dabb35b0"; //OwnBackup Connect
      grCreateRecord.status = "allowed";
      grCreateRecord.source_scope = "c561b5ff876361907dcf84c7dabb35b0"; //OwnBackup Connect
      grCreateRecord.target_type = "sys_db_object";
      grCreateRecord.target_name = entry[0]; // Target Table Name from array
      grCreateRecord.target_scope = entry[1]; // Target Scope sys_id from array
      var newRecordSysID = grCreateRecord.insert();
    
      if (newRecordSysID) {
        totalCreated++; // Count only records that were actually inserted
        gs.info("New privilege record created with sys_id: " + newRecordSysID);
      } else {
        gs.error("Failed to create the new privilege record for " + entry[0]);
      }
    }
    
    gs.info("totalCreated " + totalCreated);
    1. Run this script as a Background Script.

    2. Revisit the Cross Scope Privileges table [sys_scope_privilege] with the filter described in Step 2. The missing records are now created.

    3. Run an on-demand backup or let the next scheduled backup run.

    4. Any remaining tables with 500 errors need additional Restricted Caller Access [sys_restricted_caller_access] records created. Unfortunately, these must be created manually and can’t be automated at this time. For example, the following tables need Restricted Caller Access records.

      1. Copy the list of tables from the Own UI.

      2. In ServiceNow, navigate to [sys_db_object] and create the following filter:

        Remove the “and” from the last table at the bottom of the list.
      3. The results will show you all the application scopes that require Restricted Caller Access records. Group by Application and make a note of these.

      4. In a new ServiceNow tab, navigate to System Applications > Application Restricted Caller Access [sys_restricted_caller_access].

        Set the application picker to the first application scope in which you plan to create the record. For example, for the first application in the image above, the Restricted Caller Access record must be created in the Templated Snippets application scope:

      5. Click “New” and set the following:

      6. Repeat Steps 4 and 5 for each application from Step 3.

      7. Run an on-demand backup for the tables with 500 errors or let the next scheduled backup run.

      8. The tables back up without any errors.
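
The text-editor clean-up of the execution history described above (removing the “*** Script:” lines and formatting the table:scope list) can also be done with a small script that validates each entry first. This is an added example, not part of Own's documentation or code. It runs in Node.js outside ServiceNow; the function names are hypothetical, the sample input is constructed, and the output layout is assumed from the gs.print() call in the first script.

```javascript
// Added example, not Own's code. Converts the downloaded Background Script
// execution history into validated "table:scope_sys_id" entries.
// ASSUMPTION: output lines look like the constructed SAMPLE below, i.e. a
// "*** Script:" prefix line followed by the "name:sys_scope" payload line.

// Table name, colon, then a 32-hex sys_id (the Global scope's sys_id is "global").
const ENTRY = /^([a-z0-9_]+):([0-9a-f]{32}|global)$/;

function parseExecutionHistory(text) {
  const records = [];
  const rejected = [];
  const seen = new Set();
  let lookupErrors = 0;
  for (const raw of text.split(/\r?\n/)) {
    // Drop the log prefix instead of the whole line, so "*** Script: error"
    // (a table that was not found) is counted rather than silently removed.
    const line = raw.replace(/^\s*\*\*\* Script:/, '').trim();
    if (line === '') continue;
    if (ENTRY.test(line)) {
      if (!seen.has(line)) { seen.add(line); records.push(line); } // de-duplicate
    } else if (/^error\b/.test(line)) {
      lookupErrors++;
    } else {
      rejected.push(line); // malformed: never turn this into a privilege record
    }
  }
  return { records, rejected, lookupErrors };
}

// Render the entries as the array literal the record-creation script expects.
function toRecordsArray(records) {
  return 'var records = [\n' + records.map((r) => '  "' + r + '",').join('\n') + '\n];';
}

// Constructed sample input (table names and sys_ids are made up for illustration).
const SAMPLE = [
  '*** Script: ',
  'x_demo_table_a:0123456789abcdef0123456789abcdef',
  '',
  '*** Script: error',
  '*** Script: ',
  'x_demo_table_a:0123456789abcdef0123456789abcdef',
  '*** Script: ',
  'x_demo_table_b:not-a-sys-id',
].join('\n');

const result = parseExecutionHistory(SAMPLE);
console.log(toRecordsArray(result.records));
console.log('lookup errors:', result.lookupErrors, 'rejected:', result.rejected);
```

Review any `rejected` or `lookupErrors` entries before pasting the array into the record-creation script, since every accepted entry becomes a read privilege on that table.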
