ServiceNow

Overview

This integration syncs Knowledge Articles from your ServiceNow Knowledge Base into Leena AI's Knowledge Management module, enabling your virtual assistant to surface ServiceNow content in employee responses.

🚧

Advisory: ServiceNow is deprecating the OAuth "Resource Owner Password Credentials" (password) grant type

ServiceNow has formally deprecated the Resource Owner Password Credentials (ROPC) / "OAuth Password" grant type in favour of more secure flows such as Client Credentials, JWT Bearer, and Authorization Code with PKCE. ServiceNow's own platform security hardening guidance now includes a setting to Disable Resource Owner Password Credentials (ROPC) in OAuth 2 token grants, and instances that have enforced this hardening will reject the grant type with a disabled_grant_type: 'password' grant type is disabled error (see ServiceNow KB2907724).

Both authentication methods documented on this page — OAuth Token Based and OAuth Password Based — currently rely on the ROPC grant (either to generate the initial refresh token or for ongoing token exchange).

What this means for the Leena AI ↔ ServiceNow Knowledge connector

  • Existing connections will continue to work as long as your ServiceNow instance still permits the ROPC grant.
  • Once ServiceNow disables or enforces removal of ROPC on your instance, the current setup will stop issuing tokens and the KM sync will fail.
  • Leena AI is actively building support for the modern, ServiceNow-supported grant types. An updated setup guide will replace this page once the new authentication flow is generally available. Until then, please continue to use the existing OAuth Token Based setup described below.

What you can do now to prepare

  1. Confirm your current integration setup. In System OAuth → Application Registry, locate the application used for the Leena AI integration and verify the grant type is Resource Owner Password Credentials.
  2. Check the deprecation timeline for your instance. Review the ServiceNow release notes for your current release family (Washington DC and later) and confirm with your ServiceNow administrator whether ROPC enforcement is already scheduled for your instance.
  3. Retain the existing service account and its roles. The same integration service account is expected to be reusable with the new grant type. Please ensure it continues to hold the existing required roles — knowledge_admin, user_criteria_admin, snc_read_only, snc_internal, and rest_api_explorer — and that the account is not deactivated as part of any cleanup.
  4. Loop in your ServiceNow security/architecture team early. The replacement flow will use Client Credentials, both of which are non-interactive and align with modern security guidance. Surfacing this with your security team in advance will reduce approval lead time when the new OAuth application needs to be registered.
  5. Watch for Leena AI's migration communication. Your Leena AI CSM will share the migration steps, expected downtime (if any), and the cut-over window once the new flow ships. No changes are required on your ServiceNow instance until that communication goes out.

Granting ServiceNow Access Using OAuth

There are 2 approaches to connect the ServiceNow knowledge base with Leena KM via OAuth access.

  • OAuth Token Based (Recommended approach)
  • OAuth Password Based

1. OAuth Token Based (Recommended)

  1. Go to your ServiceNow developer instance and select “Application Registry” under “System OAuth”.

  2. Click on “New” application and select the following option: “New Inbound Integration Experience”.

  3. Select New Integrations

  4. Select OAuth-Resource Owner password credentials grant

    Important: Kindly make sure to keep the refresh token lifespan long enough so that the sync with Leena KM does not expire.

  5. Fill in the details about the new app. Select 'useraccount' under Auth scope.


Important: Kindly make sure to keep the refresh token lifespan long enough so that the sync with Leena KM does not expire.

  1. Please note the Client ID and Client Secret from this step.
  2. Use the following curl to make an API call to generate the refresh token which will be used in to establish connection with ServiceNow in Leena AI KM.

curl --location 'your_instance_url'
--header 'Content-Type: application/x-www-form-urlencoded'
--data-urlencode 'client_id=your_client_id'
--data-urlencode 'client_secret=your_client_secret'
--data-urlencode 'grant_type=password'
--data-urlencode 'username=your_user_name'
--data-urlencode 'password=your_admin_password'

  1. Service Account Requirements & Permissions

In order to configure the required permission for the user Account go to User Administration---> Users--->select the name of your service account user.
For the configured users, make sure that the following Roles are set.

Required user roles

Ensure the integration user is assigned the following roles within the ServiceNow instance:

  • knowledge_admin Provides administrative access to the knowledge base.
  • user_admin
  • user_criteria_admin Permission to manage user criteria rules that control knowledge base access and visibility.
  • snc_read_only Provides read-only access to ServiceNow platform tables and records.
  • snc_internal Grants access to internal ServiceNow APIs and platform services.
  • rest_api_explorer Ability to discover and test REST API endpoints directly through the interface.

OAuth token scopes

The following scopes must be enabled on the OAuth token to permit API communication:

Data Access

  • Table API Read access to ServiceNow tables, specifically: kb_knowledge, kb_category, and kb_knowledge_base.
  • Attachment API Permission to read and retrieve attachments linked to specific knowledge articles.
  • Aggregate API Ability to run aggregate queries, such as retrieving record counts on knowledge tables.
  • Knowledge General access to knowledge-specific API endpoints and system resources.

2. OAuth Password Based

  1. Go to your ServiceNow developer instance and select “Application Registry” under “System OAuth”.

  2. Click on “New” application registration and select the following option: “Create an OAuth JWT API endpoint for external clients”.

  3. Enter the required details and click on “Submit”.

    Check the field “Accessible from” set it to “All application scopes”

  1. Please note the “Client Id” and “Client Secret” from this application.

  2. Service Account Requirements & Permissions

    User roles

    The following roles must be assigned to the service account user:

    • knowledge_admin Provides administrative access to the knowledge base.
    • user_criteria_admin Required to fetch user criteria rules for access control.
    • snc_read_only Effectively restricts the service account user to read-only access across the platform.
    • snc_internal Grants access to internal ServiceNow APIs. For more details, refer to the ServiceNow Documentation on Explicit Roles.
    • rest_api_explorer Provides the ability to discover and test REST API endpoints via the ServiceNow UI.

Leena AI Configuration

KM-ServiceNow Integration via OAuth Token (Recommended)

  1. Go to KM Dashboard >> Settings >> Integrations >> ServiceNow.

  2. Fill in the required details:

    • Client ID
    • Client Secret
    • Refresh Token
    • Instance URL
  3. Select the setting to move fetched articles to Directly Published state in KM or Draft state.

  4. (Optional) Select the option to fetch permissions for ServiceNow.

KM-ServiceNow Integration via OAuth Password

  1. Go to KM Dashboard >> Settings >> Integrations >> ServiceNow.
  2. Fill in the required details:
    • Username (Instance username): This is the user who created the application.
    • Password (Instance password)
    • Client ID
    • Client Secret
    • Instance URL
  3. Select the setting to move fetched articles to Directly Published state in KM or Draft state.
  4. (Optional) Select the option to fetch permissions for ServiceNow.

Syncing

Once the connection is successful, we can sync the Knowledge Articles from ServiceNow to KM. We will sync the list of all the knowledge bases; however, users can select specific knowledge bases to be synced with Leena KM.

Note that only articles in the Published state are synced, and only attribute-based article audiences are resolved — scripted (advanced) user criteria cannot be synced. See Sync scope & supported permissions (below) for full detail and the recommended workaround.

Sync scope & supported permissions

Which articles are synced
Only articles in the Published state in ServiceNow are synced to Leena KM. Articles in any other state — for example Expired, Draft, or Retired — are excluded, and will not appear in KM even if they belong to a selected knowledge base. To bring an excluded article in, republish it in ServiceNow; it is picked up on the next sync.

How article permissions (user criteria) are synced
When permission sync is enabled, the integration reads the Can Read user criteria on each ServiceNow article and mirrors the resulting audience onto the matching KM article. How that audience is resolved depends on the type of user criteria configured in ServiceNow:

  • Attribute-based user criteria — criteria that target a role, group, department, location, or similar attribute — are fully supported. Every user matching the attribute is resolved and granted read access to the article in KM.
  • Scripted (advanced) user criteria are not supported. These criteria determine their audience through a script that ServiceNow evaluates per user at the moment of access, so membership is dynamic and is never stored as a list. Because ServiceNow exposes no interface that returns the members of a scripted criteria, the audience cannot be read or synced. Where an article combines an attribute-based criteria with a scripted one, only the attribute-based audience is synced; the scripted portion is omitted.

Working with scripted (advanced) user criteria
The recommended way to bring a scripted audience into KM is to express each scripted criteria as a user group whose membership is kept current by a scheduled job in ServiceNow. Once the audience is a group, it is attribute-based from KM's perspective and syncs like any other group-based criteria — no changes are required on the Leena side.

Checking whether your instance uses scripted criteria
A ServiceNow administrator can open the User Criteria list in ServiceNow and filter where the Advanced field is true. Any records returned are script-based and need the treatment below.

Recommended setup
For each scripted user criteria whose audience should appear in KM:

  1. Create a user group in ServiceNow to represent the audience.
  2. Add a scheduled job that runs on a regular cadence and updates the group's membership using the same logic the criteria script applies — adding users who now qualify and removing those who no longer do. ServiceNow's scheduled script execution is well suited to this, and the logic mirrors the existing criteria script.
  3. On the affected articles or their knowledge base, add a "Can Read" user criteria that targets the new group, in place of — or alongside — the scripted criteria.

On the next sync, KM resolves the group's members and applies the correct read access. As the scheduled job keeps the group current, KM access stays aligned with the intended audience over time.

Choosing a refresh cadence
Because group membership is refreshed on the job's schedule rather than evaluated live at each access, set the job frequency to match how quickly the underlying attribute changes. For audiences that change infrequently — for example, manager level or department — a daily or twice-daily run is usually sufficient; for faster-moving attributes, schedule the job more frequently.


ServiceNow Integration: FAQs

General & Authentication

Q: What is the purpose of the ServiceNow integration? A: This integration allows you to connect your ServiceNow Knowledge Base with Leena AI's Knowledge Management (KM) dashboard, enabling your ServiceNow Knowledge Articles to be synced and displayed within Leena AI.

Q: What connection methods are available? A: There are two approaches to connect using OAuth:

  1. OAuth Token Based (Recommended)
  2. OAuth Password Based

Q: Which connection method is recommended? A: The OAuth Token Based method is the recommended approach.

Configuration

Q: How do I get a Client ID and Client Secret from ServiceNow? A: You must go to your ServiceNow developer instance and navigate to System OAuth > Application Registry. When you register a new application (for either the Token or Password-based method), ServiceNow will provide a Client ID and Client Secret.

Q: What details are required for the recommended (OAuth Token Based) setup in Leena AI? A: You will need to provide the following four items in the Leena AI KM dashboard:

  • Client ID
  • Client Secret
  • Refresh Token
  • Instance URL

Q: How do I get the Refresh Token for the recommended method? A: After creating your OAuth application, you must use the provided API command to generate the refresh token. This token is then used in the Leena AI connector settings.

Q: Why is a long Refresh Token lifespan important? A: You should configure a long lifespan for your refresh token in ServiceNow to ensure that the sync connection with Leena AI's KM does not expire unexpectedly.

Q: What details are required for the (OAuth Password Based) setup in Leena AI? A: You will need to provide the following five items:

  • Username (the ServiceNow user who created the application)
  • Password (for that user)
  • Client ID
  • Client Secret
  • Instance URL

Syncing

Q: Do I have to sync all my Knowledge Bases? A: No. While the integration will sync the list of all available Knowledge Bases, you can select which specific ones you want to sync with Leena AI's KM.

Q: What happens to articles after they are synced? A: You can choose. The settings allow you to configure whether fetched articles are moved directly to a published state or to a draft state within Leena AI.

Q: Can I sync the permissions for my ServiceNow articles? A: Yes, the integration settings include an option to fetch and sync permissions from ServiceNow.

Q: Which article statuses are synced from ServiceNow?
A: Only articles in the Published state are synced. Articles that are Expired, Draft, or otherwise not Published are excluded and will not appear in KM. Republishing an article in ServiceNow makes it eligible for the next sync.

Q: After enabling permission sync, some article audiences aren't coming through. Why?
A: This typically happens when the article's access is controlled by a scripted (advanced) user criteria in ServiceNow. Scripted criteria resolve their members through a script at access time, so the membership is never stored and cannot be read by the integration. Attribute-based user criteria (role, group, department, location, and the like) sync as expected. To sync a scripted audience, mirror it to a group kept current by a scheduled job in ServiceNow (see Sync scope & supported permissions).

Q: How can I tell whether my ServiceNow instance uses scripted user criteria?
A: A ServiceNow administrator can open the User Criteria list in ServiceNow and filter where the Advanced field is true. Any records returned are script-based. See Sync scope & supported permissions for how to make those audiences available in KM.