How to auto-notify stakeholders before integration client credentials expire?
Thursday
Hi all,
I need to automate credential expiry notifications for our SAM Pro integrations (OAuth, Connection & Credential Aliases, etc.).
Goal: Detect credentials expiring within 30 days and automatically:
- Email mapped stakeholders
- Create a tracking task
- (Ideally) test connection post-update
My plan: A scheduled Flow Designer flow that checks a small registry table with integration name, credential alias, expiry date, and owner.
Questions:
- Is there an OOTB feature or best practice for this?
- Where does ServiceNow normally store expiry_date for OAuth or aliases?
- Has anyone built this before and could share a step-by-step outline or lessons learned?
Thanks in advance for any guidance or examples!
Labels: Architect
yesterday
Greetings @entcenginee ,
I see this question has been posted multiple times, so apologies if this is not the correct thread. I'll post one possible solution that I created in my Personal Developer Instance (PDI), but I'm interested in others offering their feedback if there is a better/different solution.
The first thing I did was go into Flow Designer and create a new Flow.
- Then set the Trigger condition to be Scheduled to be run at the time of your choosing. For this example, I have chosen 6 a.m.
- The first step within the Action section will be to identify those records that meet the criteria of expiring in the next 30 days. I did not see which table you are planning to use and the name of the field so I'm taking some liberties. In this example, I am using a Look Up Records (plural in case there are multiple records that meet this criteria) on the Incident table and checking the Due Date field. In the screenshot below, I'm using a Relative type of search that is checking for a Due Date that is after 29 days from now but before 31 days from now.
- The next step within the Action section will be to iterate through the query results from the previous step. I used the Flow Logic step of "For Each" and moved the data-pill in that will contain the Incident Records.
- The next step (WITHIN THE FOR EACH LOOP), I am using the Flow Action step Create Task. Again, I'm not sure which table you will be using for your scenario. With the Create Task Flow Action, you have the ability to set whatever fields with whatever values you feel would add value to this effort. In this example, I'm using the Incident Task table and I'm linking the individual Incident record as the Parent to the to-be-created Incident Task.
- The final step (still within the For Each loop), is to send the Notification out. There are multiple ways you can send an e-mail notification from within Flow Designer. You can use the Send Email Flow Action (shown below); you can use the Send Notification Flow Action which triggers a separate Notification record; or you can use the Fire Event Flow Action which generates an Event, which requires a separate Event Registry record to exist that you specify in the Flow Action step, and that Event record then triggers a separate Notification record. If the person you wish to e-mail exists in your Lookup Records individual record, then you will have access to that data pill in the Data panel on the right-hand side of the screen.
This is by no means the ONLY way to do what you're asking, but I hope it at least gets you started or helps you think of the best way that works for you. Like I said before, I'm always interested in how others would approach this scenario and look forward to hearing from them. Best of luck to you with whatever you decide!
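The scheduled check discussed in this thread, modelled in plain JavaScript as an added example (not code from either poster or from ServiceNow): it selects every credential inside the 30-day window, flags rows that have already expired, and suppresses repeat notifications across daily runs. The registry field names (`expiry_date`, `notified_for` and so on), the task fields and the sample rows are assumptions made for illustration.

```javascript
// Added example. Registry layout and all sample values are constructed.
const DAY_MS = 24 * 60 * 60 * 1000;

// Whole days from `now` until `expiry` (negative once the credential has expired).
function daysUntil(expiry, now) {
  return Math.floor((Date.parse(expiry) - now.getTime()) / DAY_MS);
}

// Select rows expiring within `windowDays`, including already-expired ones.
// A row whose `notified_for` equals its current expiry date was handled on an
// earlier run and is skipped, so a daily schedule opens one task per expiry.
function findExpiring(registry, now, windowDays = 30) {
  const due = [];
  for (const row of registry) {
    const days = daysUntil(row.expiry_date, now);
    if (days > windowDays) continue;
    if (row.notified_for === row.expiry_date) continue;
    const severity = days < 0 ? "expired" : days <= 7 ? "urgent" : "warning";
    due.push({ ...row, days_left: days, severity });
  }
  return due;
}

// One tracking task per credential, one email digest per owner.
function planActions(due) {
  const tasks = due.map((r) => ({
    short_description: `Rotate credential ${r.credential_alias} for ${r.integration}`,
    assigned_to: r.owner,
    due_date: r.expiry_date,
    priority: r.severity === "warning" ? 3 : 1,
  }));
  const emails = new Map();
  for (const r of due) {
    if (!emails.has(r.owner)) emails.set(r.owner, []);
    emails.get(r.owner).push(`${r.integration} (${r.credential_alias}): ${r.days_left} day(s) left`);
  }
  return { tasks, emails };
}

// Constructed sample data: a 6 a.m. run and five registry rows.
const SAMPLE_NOW = new Date("2025-06-20T06:00:00Z");
const SAMPLE_REGISTRY = [
  { integration: "HR feed", credential_alias: "hr_oauth", expiry_date: "2025-07-10T00:00:00Z", owner: "alice@example.com", notified_for: null },
  { integration: "CRM sync", credential_alias: "crm_basic", expiry_date: "2025-06-24T00:00:00Z", owner: "alice@example.com", notified_for: null },
  { integration: "ERP export", credential_alias: "erp_cert", expiry_date: "2025-06-15T00:00:00Z", owner: "bob@example.com", notified_for: null },
  { integration: "Warehouse", credential_alias: "dw_key", expiry_date: "2025-09-01T00:00:00Z", owner: "bob@example.com", notified_for: null },
  { integration: "Mail relay", credential_alias: "mail_oauth", expiry_date: "2025-07-01T00:00:00Z", owner: "carol@example.com", notified_for: "2025-07-01T00:00:00Z" },
];
console.log(planActions(findExpiring(SAMPLE_REGISTRY, SAMPLE_NOW)));
```

After the actions succeed, the caller would set `notified_for` to the row's `expiry_date`; rotating the credential changes the expiry date and re-arms the check.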
yesterday
Hi @lpruit2
I appreciate you taking the time to post such an elaborate answer.
1) I guess a more important question I am looking to have answered is which attribute will help me trigger this Flow. For example, on the "oauth_credentials" table, I found one "expires" attribute. There's another table, "oauth_2._0_credentials", but I don't see a similar attribute there.
2) However, when I checked my Direct Integration Profiles, we use the http_connection and sys_alias tables for connections and credentials. Problem is: I don't see an "Expires" field on either one of them. So, how do I trigger this flow?
Would you please advise how I can find out the expiry date, because that's what I believe should trigger the flow?
Let me know if I am mistaken in my understanding here.
Thanks again.
yesterday
@lpruit2 - Furthermore, you also mentioned that this has been posted many times before. Would you be kind enough to provide links to those questions? They might have an answer to my question.
