There are 2 mechanisms that allow Kbot to communicate with ServiceNow: the OAuth2.0 protocol and the ServiceNow service account. A service account is used when your ServiceNow environment does not allow users to log in using OAuth2.0 or to retrieve extra data that would not be directly accessible by the user. In this case a service account can send requests on behalf of users.

1 Privileges
- 1.1 Sample permission set
2 Configuring a service account
3 Using the Impersonation app
- 3.1 ServiceNow setup
  - 3.1.1 Installing the application
  - 3.1.2 Setting up service account roles
- 3.2 Kbot setup
- 3.3 API Reference
4 Accessing the translation table
- 4.1 Step 1: Role creation
- 4.2 Step 2: Associate ACLs
  - 4.2.1 ACL 1
  - 4.2.2 ACL 2
5 Enable Service Catalog ordering

Privileges

As your service account is responsible for a wide range of things, such as managing tickets, searching for articles, and sending messages to operators, it must have proper privileges. We recommend that your grant it with the same privileges that your agents have, typically the itil role.

Sample permission set

See a “Kbot Agent” service account that is configured to manage incidents and requests, get a list of someone's records, access an internal knowledge base, and connect a user to a live agent.

itil: accessing and managing ServiceNow objects.
x_konve_kbot_test.user: accessing Kbot functionalities.
x_konve_kbot_test.kbot_relationship_user: making the connection to support agents more robust.

Configuring a service account

To enable a service account and let it handle all the requests (creating tickets and sending search queries) and send messages to an operator, you must perform the following:

1. In your ServiceNow environment, create a service account. This is just a regular ServiceNow user.

2. Grant it with the privileges that your agents have.

3. In Kbot, go to DevOps > Deployment > ServiceNow Configuration.

4. Specify the account's details: fill in the ticket_user and ticket_password fields.

5. Make sure the following parameter is set:

snow_use_service_account = true

6. Save and Apply the changes.

Using the Impersonation app

Konverso offers an extra application called “Impersonate API Service” for accessing ServiceNow APIs. This application uses a service account and restricts content to the provided user. This mechanism is implemented using impersonation on the endpoints.

To start using Impersonate API Service:

Install the application in your ServiceNow environment.
Make sure your service account has proper roles.
Set up Kbot.

To learn more about this application, view this Wiki.

ServiceNow setup

Installing the application

Load the application in your ServiceNow environment using ServiceNow Store.

Setting up service account roles

To use the APIs set, grant the the following roles to the associated service account:

impersonator: allows the service account to impersonate another user.
itil: grants the service account access to the complete knowledge bases and Catalog Items.
service_account_impersonate: allows the service account to use the APIs included in this package.

Kbot setup

Make sure the following variable are set in your configuration:

snow_use_service_account = true
snow_use_impersonate_app = true

API Reference

Find the complete list of the APIs using the following link: API reference . The bot uses this endpoints to retrieve the user visible knowledge base articles and catalog items, but the APIs may also be used for other purposes, in addition to the regular usage by the bot.

Accessing the translation table

For international projects, you can configure multiple languages in your ServiceNow environment. Thus, various items (such as catalog items) can be translated for the bot to use them in conversations.

Note that specific privileges are required to access the translation tables. The tables of interest are:

Translated Name / Field [sys_translated]
Translated Text [sys_translated_text]

There are no roles inside ServiceNow that are specifically associated with the tables. We recommend to create a new role and associated ACLs and then associate it with the service account used for Kbot.

Step 1: Role creation

A new role is to be created. We recommend using the name kbot_translator to have it easily identified and inline with our documentation.

Step 2: Associate ACLs

The following ACLs should be created and associated with the kbot_translator role:

ACL 1

Type: record
Operation: read
Name: sys_translated
Active: true
Role constraint: kbot_translator

ACL 2

Type: record
Operation: read
Name: sys_translated_text
Active: true
Role constraint: kbot_translator

Enable Service Catalog ordering

The Konverso platform offers the possibility to order Service Catalog items through the bot by automatically retrieving the forms' questions to relay them to the user in a conversational setting. We call this functionality slot filling.

Specific permissions are required to access the relevant tables. We recommend creating a new role (named kbot_service_account for example) and creating the following ACLs to associate with it:

Name	Operation	Type	Role
catalog_ui_policy_action	read	record	kbot_service_account
catalog_ui_policy	read	record	kbot_service_account
sys_ui_policy	read	record	kbot_service_account
sys_translated	read	record	kbot_service_account
sys_translated_text	read	record	kbot_service_account
item_option_new_set	read	record	kbot_service_account
item_option_new	read	record	kbot_service_account

Kbot for Snow Customer Center

Service account

Analytics