Configure ServiceNow for Databricks ingestion

Learn how to configure your ServiceNow instance for Databricks ingestion.

Choose an authentication method

The following authentication methods are supported:

• U2M OAuth (recommended)
• OAuth Resource Owner Password Credentials (ROPC – legacy)

Databricks recommends U2M OAuth because it's the more secure approach. However, your ServiceNow connection will expire when your auth token expires. By default, this happens every 100 days. To reduce the frequency, you can modify the expiration period in ServiceNow or use ROPC.

You'll use the authentication details you obtain to create a Databricks Unity Catalog connection to ServiceNow.

Grant user permissions

The following options for granting ServiceNow user permissions are supported:

OAuth scope	Description
Admin access (recommended)	Requires the admin and snc_read_only roles.
Least-privilege access	Uses table-level ACLs.

Admin access (recommended)

Databricks recommends this approach because it provides efficient schema discovery. You must have the following permissions:

• To capture deletes, your ServiceNow user must have access to the sys_audit_delete table, and the table that's being ingested must be tracking deletes (the table attribute can't be set to no_audit_delete=true in ServiceNow).
• Your ServiceNow user must have the admin role.
• (Optional) To limit the admin user to read-only access, you can assign it the snc_read_only role.

Least-privilege access

Choose this approach only if restricting permissions is more important than minimizing API usage. This approach requires the following ACL permissions:

• sys_dictionary
• sys_dictionary.*
• sys_db_object
• sys_db_object.*
• sys_audit_delete
• sys_audit_delete.*
• sys_glide_object
• sys_glide_object.*

Create an OAuth application

This step gathers ServiceNow authentication details for Databricks ingestion.

important

ServiceNow requires multi-factor authentication (MFA) by default for U2M OAuth. When you sign in, provide your second authentication method as part of the standard MFA flow. This requirement does not apply to ROPC authentication.

A ServiceNow administrator can exempt authenticating users from the MFA requirement. For instructions, see User exemption in the ServiceNow documentation.

1. In the All menu, search for System OAuth, and then click Application Registry.

   

2. Click New > Create OAuth API endpoint for external clients.

   

3. Enter a name for the application.

4. For Auth Scope, enter useraccount.

5. (U2M OAuth only) For Redirect URL, enter https://<databricks-workspace-url>/login/oauth/servicenow.html. Replace <databricks-workspace-url> with your full Databricks workspace URL (for example, https://cust-success.cloud.databricks.com).

   note

   Skip this step if you're using ROPC.

6. Click Submit.

   

7. Copy the Client ID and the Client Secret.

Obtain the instance ID

The instance ID is the first part of the ServiceNow account login URL:

https://<instanceid>.service-now.com

For example, if the homepage of your ServiceNow instance is https://abc.service-now.com, the instance ID is abc.

(Legacy) Obtain a username and password

note

This step is only required for the legacy ROPC flow. Databricks recommends using U2M OAuth instead.

Obtain the username and password of an active ServiceNow user.

Enable indexing on the cursor column

To improve ingestion performance, Databricks recommends working with your ServiceNow administrator to enable indexing on the cursor field in ServiceNow. The cursor column is selected from the following list, in order of availability and preference: sys_updated_on (first choice), sys_created_on (second choice), sys_archived (third choice). This is a standard approach for improving performance when ingesting using the ServiceNow APIs. Setting the index allows Databricks to avoid fully scanning the entire cursor column, which can bottleneck large updates. For instructions, see Create a table index in the ServiceNow documentation.

Next step

Create an ingestion pipeline