The Windows Team are telling me I need a Server Admin or Domain Admin service account to trigger Workflows from ServiceNow via the REST/API. Is this true?

Doug Connell 21 Reputation points
2021-07-15T23:41:50.743+00:00

I don't know SCORCH.

I am discussing push versus pull with the Windows Team in terms of triggering SCORCH Workflows from ServiceNow (SN). I am an SN Solution Designer. The SCORCH Team want to poll the SN Incident Table every 3 minutes in order to implement Incident Automation (a.k.a. Recovery Actions).

I am telling them, it's a better architecture to push to SCORCH via the SCORCH REST/API. It's faster (no delay) and marginally less of a performance impact.

They tell me that push is a non-starter because the runbooks require Server Admin or Domain Admin in order to do their work, so the credential would need to be stored in ServiceNow. It is true that credentials in SN are currently not secure - so we can only safely use low level credentials. So they want to use pull - and poll the incident table every 3 minutes.

But I just can't believe that with a product as flexible as SCORCH, it is not somehow possible to split the security requirements somehow: Maybe:

a) Create a generic SCORCH Workflow requiring low level privileges that I could call from SN via the REST API that would act as a Message Queue. I would post in a value for a key field which would indicate which Workflow I wanted to execute.

b) This Message Queue would then trigger the appropriate Workflow in SCORCH with Higher level permissions based on the key field in the Message Queue.

They are telling me no, no, no.. can't be done. I am thinking they just don't want to do it. Not that it can't be done. There must be a way - even if it's not the way I outlined above.

Has anyone done this type of thing before? If so, how? Are the Windows team fibbing, or telling me the truth?

System Center Orchestrator
A family of System Center products that provide an automation platform for orchestrating and integrating both Microsoft and non-Microsoft IT tools.

Accepted answer
  1. Andreas Baumgarten 98,621 Reputation points MVP
    2021-07-16T14:42:18.243+00:00

    Hi @Doug Connell ,

    in general:

    SCORCH has an option to define which user is allowed to trigger Runbooks
    Depending on the Activities in the Runbook it's possible to define users which are used to perform the activity.

    Means:
    "Paul" is allowed to execute the Runbook "TestRB".
    The "Create AD User Activity" in the Runbook "TestRB" is executed in the user context of "Admin01".
    This way "Paul" doesn't need admin permissions in AD.

    ----------

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards
    Andreas Baumgarten

    1 person found this answer helpful.
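The split the question proposes, as an added example that is not part of the original thread or of Orchestrator itself: a low-privilege dispatcher that maps a short ServiceNow key to an allowlisted runbook and builds the Atom entry the Orchestrator web service accepts on a POST to its Jobs collection. The web service URL, the runbook GUIDs and the parameter GUIDs are placeholders, the workflow allowlist is constructed, and the service account is assumed to hold only the runbook-level Execute permission the answer describes, with the privileged activities inside each runbook running under their own configured accounts.

```python
"""Low-privilege dispatcher for starting Orchestrator runbooks from ServiceNow.

Assumptions (constructed for this example, not taken from the thread):
  * The Orchestrator web service lives at ORCHESTRATOR_URL (default port 81).
  * Each ServiceNow-facing key maps to one runbook GUID plus the GUIDs of its
    input parameters; every GUID below is a placeholder.
  * The calling service account is granted Execute on these runbooks only; the
    admin-level work is done by per-activity accounts configured in Orchestrator.
"""
import uuid
import urllib.request
import xml.etree.ElementTree as ET

ORCHESTRATOR_URL = "http://scorch.example.local:81/Orchestrator2012/Orchestrator.svc"

ATOM = "http://www.w3.org/2005/Atom"
DS = "http://schemas.microsoft.com/ado/2007/08/dataservices"
DSM = "http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"

# Allowlist: the only runbooks ServiceNow may start, keyed by the value that
# travels in the request. Unknown keys are rejected, so a leaked low-privilege
# credential cannot be used to start arbitrary runbooks through this path.
WORKFLOWS = {
    "restart-iis": {
        "runbook_id": "11111111-1111-1111-1111-111111111111",
        "parameters": {
            "IncidentNumber": "22222222-2222-2222-2222-222222222222",
            "Hostname": "33333333-3333-3333-3333-333333333333",
        },
    },
    "clear-temp": {
        "runbook_id": "44444444-4444-4444-4444-444444444444",
        "parameters": {"IncidentNumber": "55555555-5555-5555-5555-555555555555"},
    },
}


class UnknownWorkflow(ValueError):
    """Raised when the key is not in the allowlist."""


def resolve_workflow(key, inputs):
    """Map a ServiceNow key plus named inputs to (runbook GUID, {param GUID: value}).

    Rejects unknown keys and any input the runbook does not declare, so the
    caller cannot smuggle extra parameters into a privileged runbook.
    """
    try:
        wf = WORKFLOWS[key]
    except KeyError:
        raise UnknownWorkflow(f"workflow key not allowed: {key!r}") from None
    declared = set(wf["parameters"])
    unexpected = set(inputs) - declared
    if unexpected:
        raise ValueError(f"unexpected parameters: {sorted(unexpected)}")
    missing = declared - set(inputs)
    if missing:
        raise ValueError(f"missing parameters: {sorted(missing)}")
    params = {wf["parameters"][name]: str(value) for name, value in inputs.items()}
    return wf["runbook_id"], params


def build_job_entry(runbook_id, params):
    """Return the Atom entry body for POST .../Jobs (RunbookId + escaped Parameters XML)."""
    ET.register_namespace("", ATOM)
    ET.register_namespace("d", DS)
    ET.register_namespace("m", DSM)

    # Parameters are carried as an XML document embedded as text: <Data><Parameter>...
    data = ET.Element("Data")
    for param_id, value in params.items():
        p = ET.SubElement(data, "Parameter")
        ET.SubElement(p, "ID").text = "{%s}" % uuid.UUID(param_id)
        ET.SubElement(p, "Value").text = value
    inner = ET.tostring(data, encoding="unicode")

    entry = ET.Element(f"{{{ATOM}}}entry")
    content = ET.SubElement(entry, f"{{{ATOM}}}content", type="application/xml")
    props = ET.SubElement(content, f"{{{DSM}}}properties")
    rb = ET.SubElement(props, f"{{{DS}}}RunbookId", {f"{{{DSM}}}type": "Edm.Guid"})
    rb.text = str(uuid.UUID(runbook_id))  # also validates the GUID format
    ET.SubElement(props, f"{{{DS}}}Parameters").text = inner  # ET escapes the inner XML
    return '<?xml version="1.0" encoding="utf-8" standalone="yes"?>' + ET.tostring(
        entry, encoding="unicode"
    )


def build_job_request(key, inputs, base_url=ORCHESTRATOR_URL):
    """Resolve the key and return the unsent urllib Request for the Jobs collection."""
    runbook_id, params = resolve_workflow(key, inputs)
    body = build_job_entry(runbook_id, params).encode("utf-8")
    return urllib.request.Request(
        f"{base_url}/Jobs",
        data=body,
        method="POST",
        headers={"Content-Type": "application/atom+xml"},
    )


if __name__ == "__main__":
    # Dry run: show the body that would be posted for a constructed incident.
    req = build_job_request("restart-iis", {"IncidentNumber": "INC0010001", "Hostname": "web01"})
    print(req.full_url)
    print(req.data.decode("utf-8"))
```

The Orchestrator web service expects Windows authentication, which plain urllib does not negotiate; in practice the request above would be sent with an NTLM- or Kerberos-capable client (for example the requests_ntlm package) as the low-privilege service account. The allowlist in this dispatcher is a convenience for the caller, not the control: the enforced boundary is the runbook Execute permission granted to that account in Orchestrator, and the account used by each activity inside the runbook, exactly as the answer describes.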

1 additional answer

  1. Doug Connell 21 Reputation points
    2021-07-18T23:41:26.15+00:00

    Thanks for your help. Much obliged.
