Issues with Access Levels for Credentials (for Discovery & Service Mapping)

SirajudeenM
Mega Contributor

Hey Everyone,

I am looking for some suggestions and inputs on the below.

 

One of our customers has about 2000+ devices in their infrastructure across device types such as WIN, UNIX, Network Devices, Databases (DB2, Oracle, SQL), Citrix Servers and Storage. To implement ServiceNow Discovery, they're unwilling to provide the required access levels to the credentials needed for Discovery. They are unwilling to provide any level of Windows admin access (be it a full-blown admin or privileged access with admin rights to a few components) and are not willing to provide sudo access to the SSH credential. In this case, do we have any alternatives? We are exploring a JEA role; we have not done this before. Any ideas/suggestions are greatly appreciated. Happy to provide additional details as well.


Selva Arun
Mega Sage

Hi,

For a successful scan, access or credentials are required. If they are not provided, you have the following options:

  1. Manually Create CI Records: You can manually create the CI records if automated discovery is not possible.
  2. Use Import Sets: Import the data using import sets to populate the CI records.
  3. Credential-less Discovery: Consider using credential-less discovery by installing Nmap on the MID server. This will create CIs, though the data may not be as detailed as with credentialed discovery.

If you find the solution provided helpful, please mark it as 'Helpful' and 'Accept it as a Solution'. This will assist other community members with similar questions in finding the answer more easily.

Thank you for your consideration.

Best regards,
Selva

Would ACC help in this case?

Yes, it will. The ServiceNow roadmap states that even ACC will be able to do Service Mapping.

 

Fredrik v S
Mega Guru

Agent Client Collector for Visibility to Discover Windows and Linux hosts - this can run with lower permissions but you will need a few JEA profiles for Windows (the gMSA needs Performance Monitor Users) to be able to have the agent pull all necessary data.

 

For the other credentials, such as SNMPv3 credentials, the network or security team should keep those in a key vault such as CyberArk or Azure Key Vault and allow the MID Server designated for this to access the credentials.

A semi-competent security team will never just hand out credentials; you need to put appropriate security measures in place both on the platform, MID Server and access levels.