Skip to main content

ServiceNow Integration

The ServiceNow integration (Admin > Settings > ServiceNow) enables bi-directional synchronization between Canopy and your ServiceNow CMDB. This guide covers everything from initial setup to advanced recipes and operational best practices.

ServiceNow Integration Settings

Why Integrate ServiceNow with Canopy?

ServiceNow CMDB and Enterprise Architecture tools serve different but complementary purposes:

ServiceNow CMDBCanopy
FocusIT operations — what's running, who owns it, what incidents occurredStrategic planning — what should the landscape look like in 3 years?
Maintained byIT Operations, Asset ManagementEA Team, Business Architects
StrengthAutomated discovery, ITSM workflows, operational accuracyBusiness context, capability mapping, lifecycle planning, assessments
Typical dataHostnames, IPs, install status, assignment groups, contractsBusiness criticality, functional fit, technical debt, strategic roadmap

Canopy is the system of record for your architecture landscape — names, descriptions, lifecycle plans, assessments, and business context all live here. ServiceNow supplements Canopy with operational and technical metadata (hostnames, IPs, SLA data, install status) that comes from automated discovery and ITSM workflows. The integration keeps these two systems connected while respecting that Canopy leads.

What You Can Do

  • Pull sync — Seed Canopy with CIs from ServiceNow, then take ownership. Ongoing pulls only update operational fields (IPs, status, SLAs) that SNOW discovers automatically
  • Push sync — Export EA-curated data back to ServiceNow (names, descriptions, assessments, lifecycle plans) so ITSM teams see EA context
  • Bidirectional sync — Canopy leads most fields; SNOW leads a small set of operational/technical fields. Both systems stay in sync
  • Identity mapping — Persistent cross-reference tracking (sys_id <-> card UUID) ensures records stay linked across syncs

Integration Architecture

+------------------+ HTTPS / Table API +------------------+
| Canopy | <--------------------------------> | ServiceNow |
| | | |
| Cards | Pull: SNOW CIs -> Turbo Cards | CMDB CIs |
| (Application, | Push: Turbo Cards -> SNOW CIs | (cmdb_ci_appl, |
| ITComponent, | | cmdb_ci_server, |
| Provider, ...) | Identity Map tracks sys_id &lt;-> UUID | core_company) |
+------------------+ +------------------+

The integration uses ServiceNow's Table API over HTTPS. Credentials are encrypted at rest using Fernet (AES-128-CBC) derived from your SECRET_KEY. All sync operations are logged as events with source: "servicenow_sync" for a complete audit trail.


Planning Your Integration

Before configuring anything, answer these questions:

1. Which card types need data from ServiceNow?

Start small. The most common integration points are:

PriorityCanopy TypeServiceNow SourceWhy
HighApplicationcmdb_ci_business_appApplications are the core of EA — CMDB has authoritative names, owners, and status
HighITComponent (Software)cmdb_ci_spkgSoftware products feed into EOL tracking and tech radar
MediumITComponent (Hardware)cmdb_ci_serverServer landscape for infrastructure mapping
MediumProvidercore_companyVendor registry for cost and relationship management
LowerInterfacecmdb_ci_endpointIntegration endpoints (often maintained manually in EA)
LowerDataObjectcmdb_ci_databaseDatabase instances

2. Which system is the source of truth for each field?

This is the most important decision. The default should be Canopy leads — the EA tool is the system of record for your architecture landscape. ServiceNow should only lead for a narrow set of operational and technical fields that come from automated discovery or ITSM workflows. Everything else — names, descriptions, assessments, lifecycle planning, costs — is owned and curated by the EA team in Canopy.

Recommended model — "Canopy leads, SNOW supplements":

Field TypeSource of TruthWhy
Names and descriptionsTurbo leadsEA team curates authoritative names and writes strategic descriptions; CMDB names can be messy or auto-generated
Business criticalityTurbo leadsEA team's strategic assessment — not operational data
Functional / technical fitTurbo leadsTIME model scores are an EA concern
Lifecycle (all phases)Turbo leadsPlan, phaseIn, active, phaseOut, endOfLife — all EA planning data
Cost dataTurbo leadsEA tracks total cost of ownership; CMDB may have contract line items but EA owns the consolidated view
Hosting type, categoryTurbo leadsEA classifies applications by hosting model for strategic analysis
Technical metadataSNOW leadsIPs, OS versions, hostnames, serial numbers — automated discovery data that EA doesn't maintain
SLA / operational statusSNOW leadsInstall status, SLA targets, availability metrics — ITSM operational data
Assignment group / supportSNOW leadsOperational ownership tracked in ServiceNow workflows
Discovery datesSNOW leadsFirst/last discovered, last scan — CMDB automation metadata

3. How often should you sync?

ScenarioFrequencyNotes
Initial importOnceAdditive mode, review carefully
Active landscape managementDailyAutomated via cron during off-hours
Compliance reportingWeeklyBefore generating reports
Ad-hocAs neededBefore major EA reviews or presentations

Step 1: ServiceNow Prerequisites

Create a Service Account

In ServiceNow, create a dedicated service account (never use personal accounts):

RolePurposeRequired?
itilRead access to CMDB tablesYes
cmdb_readRead Configuration ItemsYes
rest_api_explorerHelpful for testing queriesRecommended
import_adminWrite access to target tablesOnly for push sync

Best practice: Create a custom role with read-only access to only the specific tables you plan to sync. The itil role is broad — a custom scoped role limits blast radius.

Network Requirements

  • Canopy backend must reach your SNOW instance over HTTPS (port 443)
  • Configure firewall rules and IP allowlists
  • Instance URL format: https://company.service-now.com or https://company.servicenowservices.com

Choose Authentication Method

MethodProsConsRecommendation
Basic AuthSimple setupCredentials sent every requestDevelopment/testing only
OAuth 2.0Token-based, scoped, audit-friendlyMore setup stepsRecommended for production

For OAuth 2.0:

  1. In ServiceNow: System OAuth > Application Registry
  2. Create a new OAuth API endpoint for external clients
  3. Note the Client ID and Client Secret
  4. Rotate secrets on a 90-day cycle

Step 2: Create a Connection

Navigate to Admin > ServiceNow > Connections tab.

Create and Test

  1. Click Add Connection
  2. Fill in:
FieldExample ValueNotes
NameProduction CMDBDescriptive label for your team
Instance URLhttps://company.service-now.comMust use HTTPS
Auth TypeBasic Auth or OAuth 2.0OAuth recommended for production
Credentials(per auth type)Encrypted at rest via Fernet
  1. Click Create, then click the test icon (wifi symbol) to verify connectivity
  • Green "Connected" chip — Ready to go
  • Red "Failed" chip — Check credentials, network, and URL

Multiple Connections

You can create multiple connections for:

  • Production vs development instances
  • Regional SNOW instances (e.g., EMEA, APAC)
  • Different teams with separate service accounts

Each mapping references a specific connection.


Step 3: Design Your Mappings

Switch to the Mappings tab. A mapping connects one Canopy card type to one ServiceNow table.

Create a Mapping

Click Add Mapping and configure:

FieldDescriptionExample
ConnectionWhich ServiceNow instance to useProduction CMDB
Card TypeThe Canopy card type to syncApplication
SNOW TableThe ServiceNow table API namecmdb_ci_business_app
Sync DirectionWhich operations are available (see below)ServiceNow -> Canopy
Sync ModeHow to handle deletionsConservative
Max Deletion RatioSafety threshold for bulk deletes50%
Filter QueryServiceNow encoded query to limit scopeactive=true^install_status=1
Skip StagingApply changes directly without reviewOff (recommended for initial sync)

Common SNOW Table Mappings

Canopy TypeServiceNow TableDescription
Applicationcmdb_ci_business_appBusiness applications (most common)
Applicationcmdb_ci_applGeneral application CIs
ITComponent (Software)cmdb_ci_spkgSoftware packages
ITComponent (Hardware)cmdb_ci_serverPhysical/virtual servers
ITComponent (SaaS)cmdb_ci_cloud_service_accountCloud service accounts
Providercore_companyVendors / companies
Interfacecmdb_ci_endpointIntegration endpoints
DataObjectcmdb_ci_databaseDatabase instances
Systemcmdb_ci_computerComputer CIs
Organizationcmn_departmentDepartments

Filter Query Examples

Always filter to avoid importing stale or retired records:

# Only active CIs (minimum recommended filter)
active=true

# Active CIs with install status "Installed"
active=true^install_status=1

# Applications in production use
active=true^used_for=Production

# CIs updated in the last 30 days
active=true^sys_updated_on>=javascript:gs.daysAgoStart(30)

# Specific assignment group
active=true^assignment_group.name=IT Operations

# Exclude retired CIs
active=true^install_statusNOT IN7,8

Best practice: Always include active=true at minimum. CMDB tables often contain thousands of retired or decommissioned records that should not be imported into your EA landscape.


Step 4: Configure Field Mappings

Each mapping contains field mappings that define how individual fields translate between the two systems. The Canopy Field input provides autocomplete suggestions based on the selected card type — including core fields, lifecycle dates, and all custom attributes from the type's schema.

Adding Fields

For each field mapping, you configure:

SettingDescription
Canopy FieldField path in Canopy (autocomplete suggests options based on card type)
SNOW FieldServiceNow column API name (e.g., name, short_description)
DirectionPer-field source of truth: SNOW leads or Turbo leads
TransformHow to convert values: Direct, Value Map, Date, Boolean
Identity (ID checkbox)Used for matching records during initial sync

Canopy Field Paths

The autocomplete groups fields by section. Here's the full path reference:

PathTargetExample Value
nameCard display name"SAP S/4HANA"
descriptionCard description"Core ERP system for financials"
lifecycle.planLifecycle: Plan date"2024-01-15"
lifecycle.phaseInLifecycle: Phase In date"2024-03-01"
lifecycle.activeLifecycle: Active date"2024-06-01"
lifecycle.phaseOutLifecycle: Phase Out date"2028-12-31"
lifecycle.endOfLifeLifecycle: End of Life date"2029-06-30"
attributes.<key>Any custom attribute from the card type's fields schemaVaries by field type

For example, if your Application type has a field with key businessCriticality, select attributes.businessCriticality from the dropdown.

Identity Fields — How Matching Works

Mark one or more fields as Identity (key icon). These are used during the first sync to match ServiceNow records to existing Canopy cards:

  1. Identity map lookup — If a sys_id <-> card UUID link already exists, use it
  2. Exact name match — Match on the identity field value (e.g., matching by application name)
  3. Fuzzy match — If no exact match, use SequenceMatcher with 85% similarity threshold

Best practice: Always mark the name field as an identity field. If names differ between systems (e.g., SNOW includes version numbers like "SAP S/4HANA v2.1" but Canopy has "SAP S/4HANA"), clean them up before the first sync for better match quality.

After the first sync establishes identity map links, subsequent syncs use the persistent identity map and don't rely on name matching.


Step 5: Run Your First Sync

Switch to the Sync Dashboard tab.

Triggering a Sync

For each active mapping, you see Pull and/or Push buttons depending on the configured sync direction:

  • Pull (cloud download icon) — Fetches data from SNOW into Canopy
  • Push (cloud upload icon) — Sends Canopy data to ServiceNow

What Happens During a Pull Sync

1. FETCH Retrieve all matching records from SNOW (batches of 500)
2. MATCH Match each record to an existing card:
a) Identity map (persistent sys_id &lt;-> card UUID lookup)
b) Exact name match on identity fields
c) Fuzzy name match (85% similarity threshold)
3. TRANSFORM Apply field mappings to convert SNOW -> Canopy format
4. DIFF Compare transformed data against existing card fields
5. STAGE Assign an action to each record:
- create: New, no matching card found
- update: Match found, fields differ
- skip: Match found, no differences
- delete: In identity map but absent from SNOW
6. APPLY Execute staged actions (create/update/archive cards)

When Skip Staging is enabled, steps 5 and 6 merge — actions are applied directly without writing staged records.

Reviewing Sync Results

The Sync History table shows after each run:

ColumnDescription
StartedWhen the sync began
DirectionPull or Push
Statuscompleted, failed, or running
FetchedTotal records retrieved from ServiceNow
CreatedNew cards created in Canopy
UpdatedExisting cards updated
DeletedCards archived (soft-deleted)
ErrorsRecords that failed to process
DurationWall-clock time

Click the list icon on any run to inspect individual staged records, including the field-level diff for each update.

1. Set mapping to ADDITIVE mode with staging ON
2. Run pull sync
3. Review staged records — check creates look correct
4. Go to Inventory, verify imported cards
5. Adjust field mappings or filter query if needed
6. Run again until satisfied
7. Switch to CONSERVATIVE mode for ongoing use
8. After several successful runs, enable Skip Staging

Understanding Sync Direction vs Field Direction

This is the most commonly misunderstood concept. There are two levels of direction that work together:

Table-Level: Sync Direction

Set on the mapping itself. Controls which sync operations are available on the Sync Dashboard:

Sync DirectionPull button?Push button?Use when...
ServiceNow -> CanopyYesNoCMDB is the master source, you just import
Canopy -> ServiceNowNoYesEA tool enriches CMDB with assessments
BidirectionalYesYesBoth systems contribute different fields

Field-Level: Direction

Set per field mapping. Controls which system's value wins during a sync run:

Field DirectionDuring Pull (SNOW -> Turbo)During Push (Turbo -> SNOW)
SNOW leadsValue is imported from ServiceNowValue is skipped (not pushed)
Turbo leadsValue is skipped (not overwritten)Value is exported to ServiceNow

How They Work Together — Example

Mapping: Application <-> cmdb_ci_business_app, Bidirectional

FieldDirectionPull does...Push does...
nameTurbo leadsSkips (EA curates names)Pushes EA name -> SNOW
descriptionTurbo leadsSkips (EA writes descriptions)Pushes description -> SNOW
lifecycle.activeTurbo leadsSkips (EA manages lifecycle)Pushes go-live date -> SNOW
attributes.businessCriticalityTurbo leadsSkips (EA assessment)Pushes assessment -> SNOW custom field
attributes.ipAddressSNOW leadsImports IP from discoverySkips (operational data)
attributes.installStatusSNOW leadsImports operational statusSkips (ITSM data)

Key insight: The table-level direction determines what buttons appear. The field-level direction determines which fields actually transfer during each operation. A bidirectional mapping where Canopy leads most fields and SNOW only leads operational/technical fields is the most powerful configuration.

Best Practice: Field Direction by Data Type

The default should be Turbo leads for the vast majority of fields. Only set SNOW leads for operational and technical metadata that comes from automated discovery or ITSM workflows.

Data CategoryRecommended DirectionRationale
Names, display labelsTurbo leadsEA team curates authoritative, clean names — CMDB names are often auto-generated or inconsistent
DescriptionTurbo leadsEA descriptions capture strategic context, business value, and architectural significance
Business criticality (TIME model)Turbo leadsCore EA assessment — not operational data
Functional/technical suitabilityTurbo leadsEA-specific scoring and roadmap classification
Lifecycle (all phases)Turbo leadsPlan, phaseIn, active, phaseOut, endOfLife are all EA planning decisions
Cost dataTurbo leadsEA tracks total cost of ownership and budget allocation
Hosting type, classificationTurbo leadsStrategic categorization maintained by architects
Vendor/provider infoTurbo leadsEA manages vendor strategy, contracts, and risk — SNOW may have a vendor name but EA owns the relationship
Technical metadata (OS, IP, hostname)SNOW leadsAutomated discovery data — EA doesn't maintain this
SLA targets, availability metricsSNOW leadsOperational data from ITSM workflows
Install status, operational stateSNOW leadsCMDB tracks whether a CI is installed, retired, etc.
Assignment group, support teamSNOW leadsOperational ownership managed in ServiceNow
Discovery metadata (first/last seen)SNOW leadsCMDB automation timestamps

Skip Staging — When to Use It

By default, pull syncs follow a stage-then-apply workflow:

Fetch -> Match -> Transform -> Diff -> STAGE -> Review -> APPLY

Records are written to a staging table, allowing you to review what will change before applying. This is visible in the Sync Dashboard under "View staged records."

Skip Staging Mode

When you enable Skip Staging on a mapping, records are applied directly:

Fetch -> Match -> Transform -> Diff -> APPLY DIRECTLY

No staged records are created — changes happen immediately.

Staging (default)Skip Staging
Review stepYes — inspect diffs before applyingNo — changes apply immediately
Staged records tablePopulated with create/update/delete entriesNot populated
Audit trailStaged records + event historyEvent history only
PerformanceSlightly slower (writes staging rows)Slightly faster
UndoCan abort before applyingMust manually revert

When to Use Each

ScenarioRecommendation
First-time importUse staging — Review what gets created before applying
New or changed mappingUse staging — Verify field transforms produce correct output
Stable, well-tested mappingSkip staging — No need to review every run
Automated daily syncs (cron)Skip staging — Unattended runs can't wait for review
Large CMDB (10,000+ CIs)Skip staging — Avoids creating thousands of staging rows
Compliance-sensitive environmentUse staging — Maintain full audit trail in staging table

Best practice: Start with staging enabled for your first several syncs. Once you're confident the mapping produces correct results, enable skip staging for automated runs.


Sync Modes and Deletion Safety

Sync Modes

ModeCreatesUpdatesDeletesBest For
AdditiveYesYesNeverInitial imports, low-risk environments
ConservativeYesYesOnly cards created by syncDefault for ongoing syncs
StrictYesYesAll linked cardsFull mirror of CMDB

Additive never removes cards from Canopy, making it the safest option for first-time imports and environments where Canopy contains cards not present in ServiceNow (manually created cards, cards from other sources).

Conservative (default) tracks whether each card was originally created by the sync engine. Only those cards can be auto-archived if they disappear from ServiceNow. Cards created manually in Canopy or imported from other sources are never touched.

Strict archives any linked card whose corresponding ServiceNow CI no longer appears in the query results, regardless of who created it. Use this only when ServiceNow is the absolute source of truth and you want Canopy to mirror it exactly.

Max Deletion Ratio — Safety Net

As a safety net, the engine skips all deletions if the count exceeds the configured ratio:

deletions / total_linked > max_deletion_ratio -> SKIP ALL DELETIONS

Example with 10 linked records and 50% threshold:

ScenarioDeletionsRatioResult
3 CIs removed normally3 / 10 = 30%Under thresholdDeletions proceed
6 CIs removed at once6 / 10 = 60%Over thresholdAll deletions skipped
SNOW returns empty (outage)10 / 10 = 100%Over thresholdAll deletions skipped

This prevents catastrophic data loss from filter query changes, temporary ServiceNow outages, or misconfigured table names.

Best practice: Keep the deletion ratio at 50% or lower for tables with fewer than 100 records. For large tables (1,000+), you can safely set it to 25%.

Week 1: ADDITIVE mode, staging ON, run manually, review every record
Week 2-4: CONSERVATIVE mode, staging ON, run daily, spot-check results
Month 2+: CONSERVATIVE mode, staging OFF (skip), automated daily cron

Recipe 1: Applications from CMDB (Most Common)

Goal: Import the application landscape from ServiceNow, then take ownership of names, descriptions, assessments, and lifecycle in Canopy. SNOW only leads operational fields.

Mapping:

SettingValue
Card TypeApplication
SNOW Tablecmdb_ci_business_app
DirectionBidirectional
ModeConservative
Filteractive=true^install_status=1

Field mappings:

Canopy FieldSNOW FieldDirectionTransformID?
namenameTurbo leadsDirectYes
descriptionshort_descriptionTurbo leadsDirect
lifecycle.activego_live_dateTurbo leadsDate
lifecycle.endOfLiferetirement_dateTurbo leadsDate
attributes.businessCriticalitybusines_criticalityTurbo leadsValue Map
attributes.hostingTypehosting_typeTurbo leadsDirect
attributes.installStatusinstall_statusSNOW leadsDirect
attributes.ipAddressip_addressSNOW leadsDirect

Value map config for businessCriticality:

{
"mapping": {
"1 - most critical": "missionCritical",
"2 - somewhat critical": "businessCritical",
"3 - less critical": "businessOperational",
"4 - not critical": "administrativeService"
}
}

First sync tip: On the very first pull, SNOW values populate all fields (since cards don't exist yet). After that, Turbo leads fields are owned by the EA team — subsequent pulls only update the operational SNOW-leads fields (install status, IP), while the EA team manages everything else directly in Canopy.

After import: Refine application names, write strategic descriptions, map to Business Capabilities, add functional/technical suitability assessments, and set lifecycle phases — all of this is now owned by Canopy and will be pushed back to ServiceNow on push syncs.


Recipe 2: IT Components (Servers)

Goal: Import server infrastructure for infrastructure mapping and dependency analysis. Servers are more operational than applications, so more fields come from SNOW — but Canopy still leads names and descriptions.

Mapping:

SettingValue
Card TypeITComponent
SNOW Tablecmdb_ci_server
DirectionBidirectional
ModeConservative
Filteractive=true^hardware_statusNOT IN6,7

Field mappings:

Canopy FieldSNOW FieldDirectionTransformID?
namenameTurbo leadsDirectYes
descriptionshort_descriptionTurbo leadsDirect
attributes.manufacturermanufacturer.nameTurbo leadsDirect
attributes.operatingSystemosSNOW leadsDirect
attributes.ipAddressip_addressSNOW leadsDirect
attributes.serialNumberserial_numberSNOW leadsDirect
attributes.hostnamehost_nameSNOW leadsDirect

Note: For servers, operational/discovery fields like OS, IP, serial number, and hostname naturally come from SNOW's automated discovery. But the EA team still owns the display name (which may differ from the hostname) and description for strategic context.

After import: Link IT Components to Applications using relations, which feeds the dependency graph and infrastructure reports.


Recipe 3: Software Products with EOL Tracking

Goal: Import software products and combine with Canopy's endoflife.date integration. Canopy leads on names, descriptions, and vendor — version is a factual field that SNOW can lead on.

Mapping:

SettingValue
Card TypeITComponent
SNOW Tablecmdb_ci_spkg
DirectionBidirectional
ModeConservative
Filteractive=true

Field mappings:

Canopy FieldSNOW FieldDirectionTransformID?
namenameTurbo leadsDirectYes
descriptionshort_descriptionTurbo leadsDirect
attributes.versionversionSNOW leadsDirect
attributes.vendormanufacturer.nameTurbo leadsDirect

After import: Go to Admin > EOL and use Mass Search to automatically match imported IT Components against endoflife.date products. This gives you automated EOL risk tracking that combines CMDB inventory with public lifecycle data.


Recipe 4: Vendors / Providers (Bidirectional)

Goal: Keep the vendor registry in sync. Canopy owns vendor names, descriptions, and strategic context. SNOW supplements with operational contact data.

Mapping:

SettingValue
Card TypeProvider
SNOW Tablecore_company
DirectionBidirectional
ModeAdditive
Filtervendor=true

Field mappings:

Canopy FieldSNOW FieldDirectionTransformID?
namenameTurbo leadsDirectYes
descriptionnotesTurbo leadsDirect
attributes.websitewebsiteTurbo leadsDirect
attributes.contactEmailemailSNOW leadsDirect

Why Turbo leads for most fields: The EA team curates vendor strategy, manages relationships, and tracks risk — this includes the vendor's display name, description, and web presence. SNOW leads only on operational contact data that may be updated by procurement or asset management teams.


Recipe 5: Push EA Assessments Back to ServiceNow

Goal: Export EA-specific assessments to ServiceNow custom fields so ITSM teams can see EA context.

Mapping:

SettingValue
Card TypeApplication
SNOW Tablecmdb_ci_business_app
DirectionCanopy -> ServiceNow
ModeAdditive

Field mappings:

Canopy FieldSNOW FieldDirectionTransformID?
namenameSNOW leadsDirectYes
attributes.businessCriticalityu_ea_business_criticalityTurbo leadsValue Map
attributes.functionalSuitabilityu_ea_functional_fitTurbo leadsValue Map
attributes.technicalSuitabilityu_ea_technical_fitTurbo leadsValue Map

Important: Push sync to custom fields (prefixed with u_) requires those columns to already exist in ServiceNow. Work with your ServiceNow admin to create them before configuring the push mapping. The service account needs import_admin role for write access.

Why this matters: ITSM teams see EA assessments directly in ServiceNow incident/change workflows. When a "Mission Critical" application has an incident, priority escalation rules can use the EA-provided criticality score.


Transform Types Reference

Direct (default)

Pass the value through unchanged. Use for text fields that have the same format in both systems.

Value Map

Translates enumerated values between systems. Configure with a JSON mapping:

{
"mapping": {
"1": "missionCritical",
"2": "businessCritical",
"3": "businessOperational",
"4": "administrativeService"
}
}

The mapping reverses automatically when pushing from Canopy to ServiceNow. For example, during push, "missionCritical" becomes "1".

Date Format

Truncates ServiceNow datetime values (2024-06-15 14:30:00) to date-only (2024-06-15). Use for lifecycle phase dates where time is irrelevant.

Boolean

Converts between ServiceNow string booleans ("true", "1", "yes") and native booleans. Useful for fields like "is_virtual", "active", etc.


Security Best Practices

Credential Management

PracticeDetails
Encryption at restAll credentials encrypted via Fernet (AES-128-CBC) derived from SECRET_KEY. If you rotate SECRET_KEY, re-enter all ServiceNow credentials.
Least privilegeCreate a dedicated SNOW service account with read-only access to specific tables. Only grant write access if using push sync.
OAuth 2.0 preferredBasic Auth sends credentials on every API call. OAuth uses short-lived tokens with scope restrictions.
Credential rotationRotate passwords or client secrets every 90 days.

Network Security

PracticeDetails
HTTPS enforcedHTTP URLs are rejected at validation time. All connections must use HTTPS.
Table name validationTable names validated against ^[a-zA-Z0-9_]+$ to prevent injection.
sys_id validationsys_id values validated as 32-character hex strings.
IP allowlistingConfigure ServiceNow IP Access Control to only allow your Canopy server's IP.

Access Control

PracticeDetails
RBAC gatedRead-only ServiceNow endpoints require the servicenow.view permission; all changes require servicenow.manage.
Audit trailAll sync-created changes publish events with source: "servicenow_sync", visible in card history.
No credential exposurePasswords and secrets are never returned in API responses.

Production Checklist

  • Dedicated ServiceNow service account (not a personal account)
  • OAuth 2.0 with client credentials grant
  • Credential rotation schedule (every 90 days)
  • Service account restricted to only mapped tables
  • ServiceNow IP allowlist configured for Canopy server IP
  • Max deletion ratio set to 50% or lower
  • Sync runs monitored for unusual error or deletion counts
  • Filter queries include active=true at minimum

Operational Runbook

Initial Setup Sequence

1. Create ServiceNow service account with minimum required roles
2. Verify network connectivity (can Canopy reach SNOW over HTTPS?)
3. Create connection in Canopy and test it
4. Verify metamodel types have all fields you want to sync
5. Create first mapping with ADDITIVE mode, staging ON
6. Use the Preview button (via API) to verify mapping produces correct output
7. Run first pull sync — review staged records in the Sync Dashboard
8. Apply staged records
9. Verify imported cards in the Inventory
10. Adjust field mappings if needed, re-run
11. Switch mapping to CONSERVATIVE mode for ongoing use
12. After several successful runs, enable Skip Staging for automation

Ongoing Operations

TaskFrequencyHow
Run pull syncDaily or weeklySync Dashboard > Pull button (or cron)
Review sync statsAfter each runCheck error/deletion counts
Test connectionsMonthlyClick test button on each connection
Rotate credentialsQuarterlyUpdate in both SNOW and Canopy
Review identity mapQuarterlyCheck orphaned entries via sync stats
Audit card historyAs neededFilter events by servicenow_sync source

Setting Up Automated Syncs

Syncs can be triggered via API for automation:

# Daily pull sync at 2:00 AM
0 2 * * * curl -s -X POST \
-H "Authorization: Bearer $TURBOEA_TOKEN" \
"https://turboea.company.com/api/v1/servicenow/sync/pull/$MAPPING_ID" \
>> /var/log/turboea-sync.log 2>&1

Best practice: Run syncs during off-peak hours. For large CMDB tables (10,000+ CIs), expect 2-5 minutes depending on network latency and record count.

Capacity Planning

CMDB SizeExpected DurationRecommendation
< 500 CIs< 30 secondsSync daily, staging optional
500-5,000 CIs30s - 2 minutesSync daily, skip staging
5,000-20,000 CIs2-5 minutesSync nightly, skip staging
20,000+ CIs5-15 minutesSync weekly, use filter queries to split

Troubleshooting

Connection Issues

SymptomCauseFix
Connection failed: [SSL]Self-signed or expired certEnsure SNOW uses a valid public CA certificate
HTTP 401: UnauthorizedWrong credentialsRe-enter username/password; check account is not locked
HTTP 403: ForbiddenInsufficient rolesGrant itil and cmdb_read to the service account
Connection failed: timed outFirewall blockCheck rules; allowlist Canopy's IP in SNOW
Test OK but sync failsTable-level permissionsGrant read access to the specific CMDB table

Sync Issues

SymptomCauseFix
0 records fetchedWrong table or filterVerify table name; simplify filter query
All records are "create"Identity mismatchMark name as identity; verify names match between systems
High error countTransform failuresCheck staged records for error messages
Deletions skippedRatio exceededIncrease threshold or investigate why CIs disappeared
Changes not visibleBrowser cacheHard-refresh; check card history for events
Duplicate cardsMultiple mappings for same typeUse one mapping per card type per connection
Push changes rejectedMissing SNOW permissionsGrant import_admin role to service account

Diagnostic Tools

# Preview how records will map (5 samples, no side effects)
POST /api/v1/servicenow/mappings/{mapping_id}/preview

# Browse tables on the SNOW instance
GET /api/v1/servicenow/connections/{conn_id}/tables?search=cmdb

# Inspect columns for a table
GET /api/v1/servicenow/connections/{conn_id}/tables/cmdb_ci_business_app/fields

# Filter staged records by action or status
GET /api/v1/servicenow/sync/runs/{run_id}/staged?action=create
GET /api/v1/servicenow/sync/runs/{run_id}/staged?action=update
GET /api/v1/servicenow/sync/runs/{run_id}/staged?status=error

API Reference (Quick)

All endpoints require Authorization: Bearer <token>. Read-only endpoints need the servicenow.view permission; mutating endpoints need servicenow.manage. Base path: /api/v1.

Connections

MethodPathDescription
GET/servicenow/connectionsList connections
POST/servicenow/connectionsCreate connection
GET/servicenow/connections/{id}Get connection
PATCH/servicenow/connections/{id}Update connection
DELETE/servicenow/connections/{id}Delete connection + all mappings
POST/servicenow/connections/{id}/testTest connectivity
GET/servicenow/connections/{id}/tablesBrowse SNOW tables
GET/servicenow/connections/{id}/tables/{table}/fieldsList table columns

Mappings

MethodPathDescription
GET/servicenow/mappingsList mappings with field mappings
POST/servicenow/mappingsCreate mapping with field mappings
GET/servicenow/mappings/{id}Get mapping with field mappings
PATCH/servicenow/mappings/{id}Update mapping (replaces fields if provided)
DELETE/servicenow/mappings/{id}Delete mapping
POST/servicenow/mappings/{id}/previewDry-run preview (5 sample records)

Sync Operations

MethodPathDescription
POST/servicenow/sync/pull/{mapping_id}Pull sync (?auto_apply=true default)
POST/servicenow/sync/push/{mapping_id}Push sync
GET/servicenow/sync/runsList sync history (?limit=20)
GET/servicenow/sync/runs/{id}Get run details + stats
GET/servicenow/sync/runs/{id}/stagedList staged records for a run
POST/servicenow/sync/runs/{id}/applyApply pending staged records