Account management practices

KB15
Giga Guru

I'm not sure if this would be the best place to post this but I thought I'd ask since it's somewhat related.

We have an SSO setup between ServiceNow and Active Directory. My organization has recently implemented a policy of deleting user accounts every 30 days in Active Directory (which is pretty insane). We're running into issues, if you haven't guessed by now, with users not being imported because of username conflicts. This is also compounded because we have a very simplistic username naming convention (first initial + last name) in most cases.

What are your policies regarding usernames and the ServiceNow accounts in an SSO environment? I think the simplest solution is to find a highly unique naming convention for users; however, I'm not sure if they'll ever implement such a thing. The account deletion policy will stay regardless due to politics. Would you use something like "first.last" + "last two or three digits of SSN"? "john.smith323". Is that a practical option?

I'd like to know your thoughts on account management, SSO integration and your company's policies regarding accounts. I see this being a tremendous issue as time passes especially with other integrated systems that use the same user accounts or SSO.

I would never consider it but would you ever see the purpose of deleting users from ServiceNow like in our situation?

Thanks.


Chuck Tomasi
Tera Patron

Hi,

You'll need something unique as your 'primary key' for users as they are imported into ServiceNow. Many organizations use the email address or employee ID/number. When you import, set the coalesce value(s) to true on these fields and you'll get unique records.

Using the Coalesce Field - ServiceNow Wiki

Thanks Chuck.

Unfortunately, not everyone has an employee number, and the email addresses/usernames can change as well. We have a policy of changing usernames when a contractor switches to full-time, which also caused a problem with account duplication. I've mitigated that by using the GUID from AD to prevent it.

There's really no restriction on changes to the username or email address, not all users have an employee ID, and there's no consistency in usernames. It can vary from firstinitiallastname to firstname to first.last. It goes on. I think I'm stuck.

daniel_perriton
Giga Expert

We have a similar issue: we delete accounts in AD but we don't delete them in ServiceNow. When they reuse a username in AD, it syncs back up with the records from the previous person. It's a headache to troubleshoot every time!
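The three replies above describe one mechanism from three angles: Chuck's advice to coalesce on a unique field, KB15's use of the AD GUID as that field, and daniel_perriton's symptom of a recycled username re-attaching to the previous person's record. The following is an added example, not code from this thread and not ServiceNow's own import-set API. It is a small in-memory model of what a transform map does when a field is marked coalesce (match an existing target row on that field and update it, otherwise insert) run against a constructed sys_user table and one constructed AD import row. The assumptions are labelled in the comments: the AD attribute and sys_user column names, a custom `source_guid` column holding the AD objectGUID, `user_name` modelled as unique (which is how the original poster's "username conflict" surfaces), and the rename scheme used to release a username from a stale record, which is one remediation option rather than a ServiceNow feature.

```javascript
// Added example (not ServiceNow's code): in-memory model of import-set coalescing.
// A transform map with coalesce=true on a field matches an existing sys_user row on
// that field and updates it; with no match it inserts. Assumptions (ours, not the
// thread's): AD attribute and sys_user column names below; a custom "source_guid"
// column for objectGUID; sys_user.user_name modelled as unique.

// Constructed seed data: a former employee whose AD account was deleted.
function seedUsers() {
  return [{
    sys_id: 'u-0001', user_name: 'jsmith', email: 'john.smith@example.test',
    source_guid: '3f2504e0-4f89-11d3-9a0c-0305e82c3301',
    first_name: 'John', last_name: 'Smith', active: false,
  }];
}

// Constructed import rows: a new hire, Jane Smith, was given the recycled
// username "jsmith". Her objectGUID is new because she is a new AD object.
const AD_IMPORT_ROWS = [{
  sAMAccountName: 'jsmith', mail: 'jane.smith@example.test',
  objectGUID: '7c9e6679-7425-40de-944b-e07fc1f90ae7', givenName: 'Jane', sn: 'Smith',
}];

// Source column -> target column, as a transform map's field maps would do.
const FIELD_MAP = {
  sAMAccountName: 'user_name', mail: 'email', objectGUID: 'source_guid',
  givenName: 'first_name', sn: 'last_name',
};

// Run one transform. coalesceFields must all match (AND) for an import row to be
// treated as an update of an existing record. releaseStaleUsernames enables the
// optional remediation used in scenario 3.
function runTransform(users, importRows, coalesceFields, releaseStaleUsernames = false) {
  const result = { inserted: 0, updated: 0, rejected: 0, log: [] };
  for (const row of importRows) {
    const mapped = {};
    for (const [src, tgt] of Object.entries(FIELD_MAP)) mapped[tgt] = row[src];

    const existing = users.find(u => coalesceFields.every(f => u[f] === mapped[f]));
    if (existing) {
      // Coalesce hit: the row overwrites whichever record matched, whoever it was.
      Object.assign(existing, mapped, { active: true });
      result.updated++;
      result.log.push(`updated ${existing.sys_id} (matched on ${coalesceFields.join('+')})`);
      continue;
    }

    // Insert path: user_name is modelled as unique, so a recycled username
    // collides with the previous holder's record.
    const holder = users.find(u => u.user_name === mapped.user_name);
    if (holder) {
      if (!releaseStaleUsernames || holder.active) {
        result.rejected++;
        result.log.push(`rejected ${mapped.user_name}: user_name already held by ${holder.sys_id}`);
        continue;
      }
      // Remediation (assumed scheme): rename the inactive holder so its history
      // stays attached to it while the live username goes to the new identity.
      holder.user_name = `${holder.user_name}.former.${holder.sys_id}`;
      result.log.push(`released ${mapped.user_name} from ${holder.sys_id}`);
    }
    const rec = { sys_id: `u-${String(users.length + 1).padStart(4, '0')}`, active: true, ...mapped };
    users.push(rec);
    result.inserted++;
    result.log.push(`inserted ${rec.sys_id} as ${rec.user_name}`);
  }
  return result;
}

// Scenario 1: coalesce on user_name. The new hire silently takes over the
// former employee's record, and everything linked to it.
function coalesceOnUsername() {
  const users = seedUsers();
  return { users, result: runTransform(users, AD_IMPORT_ROWS, ['user_name']) };
}

// Scenario 2: coalesce on the AD GUID. Identity is matched correctly, but the
// recycled username is rejected as a conflict.
function coalesceOnGuid() {
  const users = seedUsers();
  return { users, result: runTransform(users, AD_IMPORT_ROWS, ['source_guid']) };
}

// Scenario 3: coalesce on the GUID and release usernames held by inactive records.
function coalesceOnGuidAndRelease() {
  const users = seedUsers();
  return { users, result: runTransform(users, AD_IMPORT_ROWS, ['source_guid'], true) };
}

for (const fn of [coalesceOnUsername, coalesceOnGuid, coalesceOnGuidAndRelease]) {
  console.log(fn.name, JSON.stringify(fn().result.log));
}
```

Scenario 1 reproduces daniel_perriton's symptom: the row matches the old "jsmith" and overwrites it with Jane's details, so John's record (and whatever references it) now belongs to Jane. Scenario 2 reproduces the original poster's symptom: the GUID correctly says "new person", but the insert collides with the username still held by the inactive record. Scenario 3 is one way out if deleting the old record is off the table: keep the stale record for history, move the username off it, and let the new identity take the live username.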