Agentic AI

HARSHA GOWDA R
Tera Contributor

‎07-06-2025 08:54 PM - edited ‎07-06-2025 08:57 PM


I am trying to build an AI Agent for an IAM application in ServiceNow where it can evaluate SOD policies for an identity. First the agents uses the script tool to query the identity role relationship table and gets the active relationship data. Second the agent uses another script tool to query the sod policy table to get all policies
The relationship is stored in the below format, where user_id is the identity unique id and roleidentity_relationship contains array of roles that the user has
var result = {
user_id: userID,
roleidentity_relationship: []
};

the script in script tool is used is:

(function(inputs) {
    var userID = inputs.user_id;
    var result = {
        user_id: userID,
        roleidentity_relationship: []
    };

    var usrNam = new GlideRecord('x_syslt_user_directory');
    usrNam.addQuery('active', true);
    usrNam.addQuery('user_id', userID);
    usrNam.query();
    usrNam.next();

    var roleDir = new GlideRecord('x_syslt_roles_directories');
    roleDir.addQuery('directory', usrNam.getUniqueValue());
    roleDir.addQuery('stage', 'granted');
    roleDir.query();

    var roleNames = new Set();
    while (roleDir.next()) {
        var roleGr = new GlideRecord('x_syslt_roles');
        roleGr.get(roleDir.iam_roles);
        roleNames.add(roleGr.name.toString());
    }

    result.roleidentity_relationship = Array.from(roleNames);
    return JSON.stringify(result);
})(inputs);

coming to another tool
The policies are retrived in the below format, where policy_id is unique value, restricted_roles parameter contains combination of roles the identity should not have.if it is evaluated as true then user violates that policy

var result = {
sodPolicies: []
};

"sodPolicies": [
{
"policy_id": "SODPOL0001116",
"action": "Warning",
"restricted_roles": "",

}
]
the script in script tool i have written is

(function(inputs) {
    var result = {
        sodPolicies: []
    };

    // Query active SoD policies
    var polNum = new GlideRecord('x_syslt_sod_policy');
    polNum.addActiveQuery();
    polNum.query();

    // Process each policy
    while (polNum.next()) {
        var rolesStr = polNum.getDisplayValue('roles') || '';
        var rolesArray = rolesStr.split(',').map(function(role) {
            return role.trim();
        });

        var policyObj = {
            policy_id: polNum.getDisplayValue('number') || '',
            action: polNum.getDisplayValue('action') || '',
            restricted_roles: rolesArray
        };

        result.sodPolicies.push(policyObj);
    }

    return JSON.stringify(result);
})(inputs);


Currently I am using the below AI prompt but it is not working as expected, based on the requirements above can you enhance the prompt and give it to me so that the agent is able to identity SOD Violations

As an AI agent, evaluate Separation of Duties (SOD) violations for an identity in a ServiceNow IAM application by performing the following steps:

**Step 1: Request User ID**
To get started, request the user to provide the Identity User ID to whom which the violation needs to be checked.

**Step 2: Retrieve Role Identity Relationships**
Using the provided User ID, execute the 'Role Identity Relationship Details' script to retrieve the user's role identity relationships. The script returns data in the following JSON format:
{
"user_id": "<UserID>",
"roleidentity_relationship": ["role1", "role2", ...]
}

If the script returns no roles or an empty roleidentity_relationship array, proceed to Step 8.

Step 3: Retrieve SOD Policies
Execute the 'SOD Policy Details' script to retrieve all active SOD policies. The script returns data in the following JSON format:
{
"sodPolicies": [
{
"policy_id": "<PolicyID>",
"action": "<Action>",
"restricted_roles": ["role1", "role2", ...]
},
...
]
}
f no policies are returned or the sodPolicies array is empty, proceed to Step 8.

Step 4: Format SOD Policy Output
Ensure the output from the 'SOD Policy Details' script is formatted as specified, with restricted_roles as an array of role names. The format is already correct based on the provided script, so no additional formatting is needed.

Step 5: Compare Roles for SOD Violations
For each policy in the sodPolicies array:

If the restricted_roles array is empty or contains only empty strings (e.g., [] or [""]), skip the policy, as it cannot trigger a violation.
Perform a case-sensitive comparison to check if every role listed in the policy's restricted_roles array is present in the user's roleidentity_relationship array. Compare role names exactly as they appear, preserving case (e.g., "Test Roles" is not equal to "test roles" or "Test Roles 2").
A violation occurs only if all roles in restricted_roles are found in roleidentity_relationship. If even one role is missing, the policy is not violated.
If a violation is found, record the policy_id of that policy.

Step 6: Collect Violating Policy IDs
Store the policy_id of each policy where a violation is detected in an array.

Step 7: Format and Display Output
Return the array of violating policy_id values in JSON format, e.g.:["SODPOL00011", "SODPOL00017", ...]
Ensure the output is a valid JSON array.

Step 8: Handle No Violations
If no violations are found (i.e., the array of violating policy_id values is empty), return the following message in JSON format:"There are no violations for the identity".
the issue i am facing is: its taking if any one roles are there in the role identity relationship.I want is- if the user as test role,test roles 2 as restricted combination then this two roles should be present in the role identity relationship.if any one role is present it is not violation policy

 

0 Helpfuls
  • 282 Views
0 REPLIES 0