Integrating with Enterprise Ticketing Systems

Access Manager Plus comes with the facility to integrate with a wide range of ticketing systems, to automatically validate service requests related to privileged access. The integration ensures only users with a valid ticket ID can access the passwords of connections stored in Access Manager Plus.

In this document you will learn the following with respect to integrating Access Manager Plus with ticketing systems:

  1. How does this Integration work?
  2. Available Ticketing Systems
  3. Steps to integrate your Ticketing System with Access Manager Plus
  4. Ticketing system validation enforcement and exceptions
  5. Disabling ticketing system integration
  6. Integrating other Ticketing Systems
  7. Code Snippet For ServiceNow Custom Implementation
  8. Interface Description

1. How does this Integration Work?

Once you integrate Access Manager Plus with an Enterprise Ticketing System, users will be required to enter a valid ticket ID for password retrieval and Access Manager Plus will do the following before granting access:

  1. Validate that the ticket ID entered by the user exists in the ticketing system.
  2. Verify that the incident connected with the ticket is NOT in the Closed state.
  3. Verify whether the user is authorized to view that password and thereby access the IT asset.
  4. Verify for appropriate permissions in the case of password reset attempts.

In addition to verifying the above by default, Access Manager Plus also lets you define custom criteria and validate them with the ticketing system before granting access to the passwords. The entire process is completely audited, which means privileged actions can be traced using ticket IDs, and password access can be traced using ticket numbers in the ticketing system. In addition, you can generate custom reports on privileged access scenarios through the ticket IDs.

2. Available Ticketing Systems

Integrating Access Manager Plus with your ticketing system is so simple. Access Manager Plus readily integrates with the following:

  1. ManageEngine ServiceDesk Plus On-Demand
  2. ServiceDesk Plus MSP
  3. ServiceDesk Plus
  4. ServiceNow
  5. JIRA

Apart from the above, you can integrate Access Manager Plus with any other Enterprise Ticketing System.

3. Steps to Integrate your Ticketing System with Access Manager Plus

    1. Navigate to Admin >> Session Settings >> Ticketing System Integration.
    2. In the page displayed, select the ticketing system you wish to integrate, from the list of supported ticketing systems. If the ticketing system that you use is not found in the list, select Others.
    3. Click Save.

3.1 Detailed Steps to Integrate with the Ticketing Systems that are Readily Supported

Integration with the ticketing systems that are readily supported is very straightforward. You just need to provide the details necessary to establish connection with the ticketing system.

3.2 Settings to Establish Connection with Different Ticketing Systems

Basically, the integration is achieved by leveraging the REST APIs provided by the respective ticketing system. So, all you need to do is specify/generate the Authentication Token and the ticketing system's application URL.

    Generating Auth Token:

    You can generate and obtain the Auth Token for each of the ticketing systems as below:

    1. ManageEngine ServiceDesk Plus:

    • Log in to ManageEngine ServiceDesk Plus.
    • Click API Key Generation under the Username at the top right corner of the page.

    2. ManageEngine ServiceDesk Plus MSP:

    • Log in to ManageEngine ServiceDesk Plus MSP.
    • Click API Key Generation under the Username at the top right corner of the page.

    3. ManageEngine ServiceDesk Plus On-Demand:

    Click here for the detailed steps to generate Auth Token.

    4. ServiceNow and JIRA Service Desk:

    1. Log in to Access Manager Plus.
    2. Navigate to Admin >> Session Settings >> Ticketing System Integration
    3. Click ServiceNow / JIRA Service Desk.
    4. Click Generate beside the AUTH Token field.

i. ServiceDesk Plus on Demand

Access Manager Plus integrates with ManageEngine ServiceDesk Plus on Demand to automatically validate requests for privileged access against a valid ticket ID. This can be done by generating an AUTH token and entering the valid ticket ID in the ticketing system. You can also check the value of the change ID status associated with the ticket ID by selecting that option and entering the change ID status.

ii. ServiceDesk Plus MSP

Access Manager Plus integrates with ManageEngine ServiceDesk Plus MSP to automatically validate requests for privileged access only with a valid ticket ID. This can be done by generating a Technician key and entering the valid ticket ID in the ticketing system.

iii. ServiceDesk Plus

Access Manager Plus integrates with ManageEngine ServiceDesk Plus by validating the change request in addition to the ticket ID entered by the user in the ticketing system. Validation occurs only when the change ID provided is approved in ManageEngine ServiceDesk Plus.

Enabling this option will require your users to provide valid Change IDs for validation of password access requests and other similar operations. On the other hand, if you leave this option unchecked, users will have to submit valid Request IDs for validation.

iv. ServiceNow

Access Manager Plus integrates with ServiceNow. Through this integration, you can get data from the following simply by entering the 'Ticketing system URL' in the respective field, in the form '<instance>.<ticketingsystem>.com', and by entering the number.

      • ServiceNow Incident - INC (7 digit number), e.g. INC0010007
      • ServiceNow Change - CHG (7 digit number), e.g. CHG0000003
      • ServiceNow Change Task - CTASK (7 digit number), e.g. CTASK0000009
      • ServiceNow Request - REQ (7 digit number), e.g. REQ0010004
      • ServiceNow Request Item - RITM (7 digit number), e.g. RITM0010007
      • ServiceNow Problem - PRB (7 digit number), e.g. PRB0000007
      • ServiceNow Project - PRJ (7 digit number), e.g. PRJ0000009
      • ServiceNow Project Task - PRJTASK (7 digit number), e.g. PRJTASK0010001
      • ServiceNow Task - TASK (7 digit number), e.g. TASK0010001

Enabling this option will require your users to enter any of the above valid numbers in Access Manager Plus for validation of password access requests.

v. JIRA Service Desk

Access Manager Plus integrates with JIRA Service Desk to automatically validate service requests related to privileged access.

vi. Others

If you are using any other ticketing system, you can integrate it with Access Manager Plus by having your own custom implementation. 

By default, Access Manager Plus validates if the ticket ID entered by the user exists in the ticketing system and also verifies if the incident connected with the ticket is NOT in 'Closed' state. If your requirement is satisfied with these, ticketing system integration is complete.

3.3 Optional Advanced Configurations

In case you want to validate some other criteria (in addition to ticket number and ticket status), you have the option to configure advanced settings. For example, you can choose to check if the Access Manager Plus user who is raising the password access request matches with the 'REQUESTER' column in the ticketing system. Similarly, you can check for certain specific conditions related to the ticket - for instance, 'PRIORITY' of the ticket as 'HIGH'. Access Manager Plus offers total flexibility to check for any parameter in the ticketing system, including additional fields.

To carry out advanced configurations,

  1. Click More >> Advanced Configuration.
  2. In the GUI that opens, you can carry out advanced configurations. Advanced configurations can be carried out either by means of a readily available configuration setting or by implementing a custom class.

Options in Advanced Configurations

1. Validating if specific columns in Access Manager Plus match with the ones you specify in the ticketing system

    1. To validate if specific columns in Access Manager Plus match with the ones you specify in the ticketing system, you need to select the option "Map Entries in Access Manager Plus Vs Ticketing System".
    2. The column name drop-down lists down the column names as available in Access Manager Plus - Connection Name, Connection Type, Account Name, Access Manager Plus User Name, DNS Name etc. The custom fields created in Access Manager Plus are also included.
    3. Through the criteria column, you can specify what you want to check.
    4. The Ticketing System column lists down the fields (including custom fields) available in the ticketing system. You need to choose the field which has to be mapped with the corresponding field in Access Manager Plus. For example, you can choose to map CONNECTION NAME in Access Manager Plus with ASSET in the ticketing system. Once you specify such a mapping, before granting access to the password, Access Manager Plus will check if the CONNECTION NAME as specified in Access Manager Plus matches with the ASSET name in the ticketing system. Only if the validation succeeds, access will be granted.

2. Validating specific conditions related to the ticket in the ticketing system

    1. To validate if specific conditions related to the ticket are met, you need to select the option 'Conditions to be checked in the ticketing system'. By default Access Manager Plus checks if the ticket STATUS is not in CLOSED state.
    2. You can select any number of additional conditions and Access Manager Plus will validate all of them with the ticketing system. By default, Access Manager Plus lists down all the fields available in the ticketing system, including the custom fields. You can specify the value, which Access Manager Plus has to validate.

3.4 Test Ticketing System Configuration Setup

After completing the integration, you can run a test to ensure that Access Manager Plus is able to establish communication with the ticketing system properly. Click the "Test Configuration Setup" link under More to do this.

As part of this testing, you can also fetch the custom fields available in Access Manager Plus to the advanced configuration setup.

3.5 Custom Implementation

In case the advanced configuration does not satisfy your requirements, you can provide your own class implementation and integrate it with Access Manager Plus by updating a jar file with the implemented class. For more details, refer to the 'Integrating Other Ticketing Systems' section below. The steps outlined there hold good here too.

4. Ticketing System Validation Enforcement and Exceptions

    1. Once you complete ticketing system integration, it takes immediate effect globally and users will have to produce valid ticket IDs to access passwords. By design, super administrators are exempted from ticket ID enforcement. In addition, as part of the access control workflow too, users can be required to produce ticket IDs and access can be automatically granted after validating the IDs.
    2. You also have the option to selectively enable/disable ticketing enforcement for select user groups.
      1. Go to Users >> User Groups. Click the Actions drop-down beside the user group name and choose User Group Privileges.
      2. Click the check box beside Allow users to retrieve password without ticket ID and click Save.
      3. You can selectively allow/restrict users for ticketing validation from General Settings using the option Allow users to retrieve password without ticket ID. Click here to learn more about General Settings.
      4. In addition, you can have user group-specific settings too, which can be done from the User Groups tab.

5. Disabling Ticketing System Integration

You can disable the integration with the ticketing system anytime, by selecting the option 'Ticketing system integration currently disabled' in the Ticketing System Integration page.

6. Integrating Other Ticketing Systems

If you are using any other ticketing system, you can integrate it with Access Manager Plus by having your own custom implementation. To guide you through the process, we have taken integrating Zendesk as an example to explain the steps involved.

Step 1: Create your implementation class

Refer to the sample implementation class created for integrating Zendesk. The important aspects of the implementation class have been explained below:

Step 2: Generate Authentication Token

The first step is to generate the authentication token of the ticketing system to enable Access Manager Plus to establish a connection. When generating the AUTH TOKEN, ensure that you provide the credentials of an administrator who has full access to the ticketing system. You can do this either by providing the credentials directly in the implementation class or by generating the token and putting the token.

The snippet below shows how to generate the Base64 Authstring belonging to a privileged account of the ticketing system. This will come in handy when the REST API is based on a Base64 Authorization header. Some ticketing systems offer an AUTH-Token with an inbuilt GUI. In such cases, you can directly use the authentication parameters. In addition, instead of hard coding the username and password in the implementation class, you can skip this part and make the REST API call with a direct Base64 token that is generated through Java or through any online editor.

Refer to the code snippet below:

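      import java.nio.charset.StandardCharsets;
      import org.apache.commons.codec.binary.Base64; //from commons-codec

      // Constructing Authstring from Zendesk login credentials
      String username = "username@example.com"; //Zendesk username
      String password = "zendeskpassword"; //Zendesk password
      byte[] credentials = (username + ":" + password).getBytes(StandardCharsets.UTF_8); //raw "user:password" bytes
      byte[] encodedString = Base64.encodeBase64(credentials); //encodeBase64 is static, no Base64 instance is needed
      String authStr = new String(encodedString, StandardCharsets.US_ASCII);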


Step 3: Check connection with ticketing system

Using REST APIs, Access Manager Plus can be made to get the information about tickets from the ticketing system. Each ticketing system follows its own procedure to disseminate ticket details. Refer to the respective documentation to identify the procedure. After obtaining the ticket details, you need to validate the details.

Refer to the code snippet below:

      import java.net.URL;
      import javax.net.ssl.HttpsURLConnection;

      String sUrl = "https://<zendesk-instance>.zendesk.com/api/v2/tickets/"; //Zendesk REST API endpoint for tickets
      sUrl = sUrl + ticketId + ".json"; //ticketId is the ticket ID supplied by the user in Access Manager Plus, which is to be validated
      URL url = new URL(sUrl);
      HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
      connection.setRequestProperty("Authorization", "Basic " + authStr); //Setting Authstring in the header
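
The ticket ID in the snippet above is supplied by the user and is concatenated into the request path, so its shape is worth checking before the URL is built. The following is an added example, not part of the vendor's sample class: the class and method names are hypothetical, and it assumes that Zendesk ticket IDs are plain positive integers and that the configured ticketing system URL must be HTTPS.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.regex.Pattern;

// Added example (hypothetical helper, not part of the Access Manager Plus API).
public class TicketUrlBuilder {
    // Assumption: a Zendesk ticket ID is a positive integer; the length is capped.
    private static final Pattern ZENDESK_ID = Pattern.compile("[1-9][0-9]{0,17}");

    /** Returns the ticket REST URI, or throws if either input is not acceptable. */
    public static URI buildTicketUri(String baseUrl, String ticketId) throws URISyntaxException {
        if (ticketId == null || !ZENDESK_ID.matcher(ticketId).matches()) {
            throw new IllegalArgumentException("Ticket ID must be a positive integer");
        }
        if (baseUrl == null) {
            throw new IllegalArgumentException("Ticketing system URL is not configured");
        }
        URI base = new URI(baseUrl);
        if (!"https".equalsIgnoreCase(base.getScheme()) || base.getHost() == null) {
            throw new IllegalArgumentException("Ticketing system URL must be an https:// URL");
        }
        // Rebuild from host and port only, so no path, query or user-info from the
        // configured value, and nothing but digits from the user, reaches the request.
        return new URI("https", null, base.getHost(), base.getPort(),
                "/api/v2/tickets/" + ticketId + ".json", null, null);
    }

    public static void main(String[] args) throws Exception {
        String base = "https://example.zendesk.com";   // constructed sample value
        System.out.println("accepted: " + buildTicketUri(base, "4711"));
        // Constructed inputs that do not have the shape of a ticket ID.
        for (String bad : new String[] {"", "0", "12/34", "12?x=1", "INC0010007"}) {
            try {
                System.out.println("accepted: " + buildTicketUri(base, bad));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected '" + bad + "': " + e.getMessage());
            }
        }
    }
}
```

A custom implementation class can return false from checkViewHelpDeskRequest when this helper throws, so that a malformed ticket ID denies the operation without any request being sent.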


Step 4: Validating if specific columns in Access Manager Plus match with the ones you specify in the ticketing system (optional configuration)

Refer to the code snippet below to validate if specific columns in Access Manager Plus match with the ones you specify in the ticketing system (For example, you can choose to map CONNECTION NAME in Access Manager Plus with the SUBJECT in the ticketing system. Once you specify such a mapping, before granting access to the password, Access Manager Plus will check if the CONNECTION NAME as specified in Access Manager Plus matches with the SUBJECT name (if the subject contains the connection name) in the ticketing system. Only if the validation succeeds, access will be granted):

      String assetName = (String)AMPColumns.get("Connection Name"); //AMP connection name for which the password-related operation is done
      String subject = (String)ticket.get("subject"); //Getting the ticket subject
      //Checking that the subject of the ticket contains the connection name; a missing value fails the check
      boolean descriptionCheck = subject != null && assetName != null
              && subject.toLowerCase().contains(assetName.toLowerCase());


Step 5: Validating specific conditions related to the ticket in the ticketing system (optional configuration)

You can validate if specific conditions related to the ticket are met - by default, Access Manager Plus checks if the ticket STATUS is not in CLOSED state. You can select any number of additional conditions and Access Manager Plus will validate all of them with the ticketing system. By default, Access Manager Plus lists down all the fields available in the ticketing system, including the custom fields. You can specify the value, which Access Manager Plus has to validate.

      //ticketingOutput is the JSON response parsed from the REST API call (org.json.simple.JSONObject)
      JSONObject ticket = (JSONObject)ticketingOutput.get("ticket");
      String status = (String)ticket.get("status");
      boolean statusCheck = "open".equalsIgnoreCase(status); //Checking whether the status of the ticket is in open state


Step 6: Compilation

While compiling, keep the following jars in the classpath (the jars are available under the <AMP_HOME>\lib folder):

      AdventNetPassTrix.jar
      json_simple-1.1.jar
      commons-codec-1.7.jar

For example:

      javac -d . -cp AdventNetPassTrix.jar;json_simple-1.1.jar;commons-codec-1.7.jar ZendeskImpl.java    (for Windows)
      javac -d . -cp AdventNetPassTrix.jar:json_simple-1.1.jar:commons-codec-1.7.jar ZendeskImpl.java    (for Linux)

Step 7: Configurations in Access Manager Plus installation

  1. Compile the implemented class files as a single jar and place that jar in the <AMP_HOME>\lib folder.
  2. Restart the Access Manager Plus Service so that Access Manager Plus will make use of the implemented class.
  3. Navigate to Admin >> Session Settings >> Ticketing System Integration.
  4. In the GUI that opens, select the option 'Other' (to integrate any ticketing system) OR the 'Class Implementation' option in 'Advanced Configuration' of the already integrated ticketing system (if you want to extend the functionality).
  5. Specify the name of your implementation class.
  6. Your implementation has to be approved by another administrator. All other administrators (other than those who made the request) will receive an alert regarding the request for approval.
  7. Once an admin approves the implementation, it will be made available for use.
  8. After enabling, ticketing system workflow will be made mandatory for password retrieval and password reset.
  9. For further information, refer to the sample implementation class created for integrating Zendesk.

Implementation tips

For steps 3 and 4 above, you might require additional information for implementation. Refer to the tips below for details:

Columns in Access Manager Plus

The Access Manager Plus Columns parameter carries the following data, from the Access Manager Plus side, related to the user account for which the ticketing request is raised:

    • Access Manager Plus User Name - Logged in user name
    • Connection Name - Name of the connection
    • DNS Name - IP Address of the connection
    • User Account - Account name
    • Connection Type - Type of the connection being accessed (Windows/ WindowsDomain/ Linux etc.)
    • Connection Description - Description about the connection
    • Department - Department to which the connection belongs
    • Location - Connection location
    • Domain Name - Domain name of the connection
    • Request Type - Request Type for which ticketing system call is made. It can be:
      RETRIEVAL - Password access
      REQUEST - Password access request raised through Access-Control workflow
      RESET - Password reset
      AUTOLOGON - 'Open Connection' request

    • User Organization Name - Organization name of the user who made the request
    • User Current Organization Name - Name of the organization where the requested account is present

Credentials to Access Ticketing System

      AUTHTOKEN - Authentication token value given in the integration GUI
      TICKETINGSYSTEMURL - URL given in the integration GUI


Advanced Configuration Details

ISAMPTICKETCRITERIA - To check if Access Manager Plus vs Ticketing system is configured or not

      (Boolean - true or false)


AMPTICKETCRITERIACOLUMNS - Mapping details between Access Manager Plus and ticketing system. Each element in the array represents a criteria. For example, the column 'User Account' in Access Manager Plus has to be validated against Ticketing system column 'REQUESTER' with match parameter 'EQUAL' in criteria 'C1'

      JSONArray - [ ["C1","User Account","REQUESTER","EQUAL"],
      ["C2","AMP User Name","TECHNICIAN","EQUAL"] ]


AMPTICKETCRITERIA - Specifies the relationship between different criteria. Each element of 'AMPTICKETCRITERIACOLUMNS' contains the first parameter as criteria name. It gives the relationship between criteria

      (String - Example: C1 or C2)


ISTICKETVALUECRITERIA - To check if the validation for ticketing system values is configured or not

      (Boolean - true or false)


TICKETVALUECRITERIACOLUMNS - Mapping details that the ticket should satisfy. Each element in the array represents a criteria. For example, ticket column 'STATUS' has to be validated against value other than Closed in criteria 'C1'

      JSONArray - [ ["C1","STATUS","Closed","NOT_EQUAL"],
      ["C2","URGENCY","high","EQUAL"],
      ["C3","IMPACT","high","EQUAL"] ]


TICKETVALUECRITERIA - Specifies the relationship between different criteria. Each element of 'TICKETVALUECRITERIACOLUMNS' contains the first parameter as criteria name. It gives the relationship between criteria

      (String - Example: C1 or (C2 and C3))


ISTICKETCHANGEIDSTATUS - To check if the validation for system change status check is configured or not (true or false)
TICKETCHANGEIDSTATUS - Associated 'change ID status' of the ticket ID value.

Match Parameters can be

EQUAL - Values of two parameters should be same
NOT_EQUAL - Values of two parameters should not be same
CONTAINS - First parameter value should contain the value of second parameter
NOT_CONTAINS - First parameter value should not contain the value of second parameter
STARTS_WITH - First parameter must start with value of second parameter
ENDS_WITH - First parameter must end with value of second parameter

(Date based comparison parameters)

LESS_THAN - First parameter date value should be less than the second one
GREATER_THAN - First parameter date value should be greater than the second one
LESS_THAN_EQUAL - First parameter date value should be less than or equal to the second one
GREATER_THAN_EQUAL - First parameter date value should be greater than or equal to the second one

Depending on the match parameters, the criteria should get validated.
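
How a custom class could evaluate TICKETVALUECRITERIACOLUMNS together with the TICKETVALUECRITERIA expression is sketched below as an added example; it is not the product's evaluator or the vendor's sample code. The class and method names are hypothetical, plain Java collections stand in for the JSONArray, and it assumes case-insensitive matching, "and" binding tighter than "or", and denial for date-based parameters, missing fields and malformed expressions.

```java
import java.util.*;
// Added example: evaluates criteria shaped like TICKETVALUECRITERIACOLUMNS and
// TICKETVALUECRITERIA. Hypothetical class, not the product's own evaluator.
public class TicketCriteriaEvaluator {
    private final Deque<String> tokens = new ArrayDeque<>();
    private final Map<String, Boolean> results = new HashMap<>();

    // One criterion is {name, ticket field, expected value, match parameter};
    // values are compared case-insensitively (assumption).
    static boolean matches(Map<String, String> ticket, String[] c) {
        String actual = ticket.get(c[1]);
        if (actual == null) return false;   // missing field: deny, even for NOT_* checks
        String a = actual.toLowerCase(Locale.ROOT), e = c[2].toLowerCase(Locale.ROOT);
        switch (c[3]) {
            case "EQUAL":        return a.equals(e);
            case "NOT_EQUAL":    return !a.equals(e);
            case "CONTAINS":     return a.contains(e);
            case "NOT_CONTAINS": return !a.contains(e);
            case "STARTS_WITH":  return a.startsWith(e);
            case "ENDS_WITH":    return a.endsWith(e);
            default:             return false;   // date-based or unknown parameter: deny
        }
    }

    TicketCriteriaEvaluator(Map<String, String> ticket, List<String[]> columns, String expr) {
        for (String[] c : columns) results.put(c[0], matches(ticket, c));
        String spaced = expr.replace("(", " ( ").replace(")", " ) ").trim();
        for (String t : spaced.split("\\s+")) if (!t.isEmpty()) tokens.add(t);
    }

    // Assumed grammar, with "and" binding tighter than "or":
    //   expr := term ("or" term)*   term := factor ("and" factor)*   factor := NAME | "(" expr ")"
    private boolean expr() {
        boolean v = term();
        while ("or".equalsIgnoreCase(tokens.peek())) { tokens.poll(); boolean r = term(); v = v || r; }
        return v;
    }
    private boolean term() {
        boolean v = factor();
        while ("and".equalsIgnoreCase(tokens.peek())) { tokens.poll(); boolean r = factor(); v = v && r; }
        return v;
    }
    private boolean factor() {
        String t = tokens.poll();
        if ("(".equals(t)) {
            boolean v = expr();
            if (!")".equals(tokens.poll())) throw new IllegalStateException("missing ')'");
            return v;
        }
        Boolean known = results.get(t);   // null for end of input, a stray token or an undefined name
        if (known == null) throw new IllegalStateException("unknown criterion: " + t);
        return known;
    }
    // True only when the whole expression parses and evaluates to true.
    static boolean allows(Map<String, String> ticket, List<String[]> columns, String expr) {
        try {
            TicketCriteriaEvaluator ev = new TicketCriteriaEvaluator(ticket, columns, expr);
            return ev.expr() && ev.tokens.isEmpty();
        } catch (RuntimeException ex) {
            return false;                 // malformed configuration: deny
        }
    }

    public static void main(String[] args) {
        List<String[]> cols = Arrays.asList(   // criteria from the example above
            new String[] {"C1", "STATUS", "Closed", "NOT_EQUAL"},
            new String[] {"C2", "URGENCY", "high", "EQUAL"},
            new String[] {"C3", "IMPACT", "high", "EQUAL"});
        Map<String, String> open = new HashMap<>();   // constructed tickets
        open.put("STATUS", "Open"); open.put("URGENCY", "low"); open.put("IMPACT", "low");
        Map<String, String> closed = new HashMap<>();
        closed.put("STATUS", "Closed"); closed.put("URGENCY", "high"); closed.put("IMPACT", "high");
        System.out.println("open,   C1 or (C2 and C3): " + allows(open, cols, "C1 or (C2 and C3)"));
        System.out.println("closed, C1 or (C2 and C3): " + allows(closed, cols, "C1 or (C2 and C3)"));
        System.out.println("closed, C1 and C2 and C3:  " + allows(closed, cols, "C1 and C2 and C3"));
        System.out.println("no fields at all, C1:      " + allows(new HashMap<>(), cols, "C1"));
        System.out.println("unbalanced expression:     " + allows(open, cols, "C1 or (C2"));
    }
}
```

In this evaluator, the example expression C1 or (C2 and C3) admits a Closed ticket whose URGENCY and IMPACT are both high; joining the status criterion with "and" keeps it mandatory.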

7. Code Snippet for ServiceNow Custom Implementation

If the advanced configuration does not satisfy your requirements, you can have a custom implementation. You can extend the default implementation provided by Access Manager Plus and have the additional functionalities. The following example shows how the default implementation created for ServiceNow, can be extended to serve as the custom implementation.

      package com.manageengine.ts;
      import java.util.Properties;
      import org.json.simple.JSONObject;
      import com.adventnet.passtrix.helpdesk.ServiceNowImpl;
      
      //ServiceNow custom implementation
      public class ServiceNowCustomImpl extends ServiceNowImpl
      {
        public boolean checkViewHelpDeskRequest(String ticketId, Properties AMPColumns, Properties credentialDetails, JSONObject criteriaDetails)
         throws Exception
        {
      	boolean result = super.checkViewHelpDeskRequest(ticketId, AMPColumns, credentialDetails, criteriaDetails);
      	//Your own implementation
      	return result;
        }
      }
          

The table below lists down default functionality processing classes for the ticketing systems that readily integrate with Access Manager Plus:

      Ticketing System              Default Implementation Class

      ServiceDesk Plus On-Demand    com.adventnet.passtrix.helpdesk.ServiceDeskPlusOnDemandImpl
      ServiceDesk Plus MSP          com.adventnet.passtrix.helpdesk.ServiceDeskPlusMSPImpl
      ServiceDesk Plus              com.adventnet.passtrix.helpdesk.ServiceDeskPlusOnPremiseImpl
      ServiceNow                    com.adventnet.passtrix.helpdesk.ServiceNowImpl
      JIRA Service Desk             com.adventnet.passtrix.helpdesk.JiraServiceDeskImpl



8. Interface Description

The interface for ticketing system integration:

      package com.manageengine.ts;
      
      import java.util.Properties;
      import org.json.simple.JSONObject;
      
      // This class provides the methods to implement ticketing system integration. You need to implement this interface
      public interface TicketingSystemInterface
      {
        /**
         * Used to display the error message while doing the ticketing system related operations. The output gets reflected in audit trails.
         * @return Error message. If the ticketing system is accessible, return null. Otherwise, return a proper error message.
         */
        public String getErrorMsg();
      	
        /**
         * Used to return the properties related to the ticketing system operation
         * @return Comments and needed message
         */
        public Properties getRequestProperties();
      	
        /**
         * Used for testing configuration setup. While testing, administrator will be able to get ticket details from the ticketing system.
         * @param tsName Ticketing system Name
         * @param tsUrl Ticketing system Web URL
         * @param authToken Authentication Token assigned to a technician of ticketing system (Base64 authorization string constructed 
                            using login credentials in the case of ServiceNow ticketing system)
         * @param ticketId Ticket ID given as the input (Ticket ID/Sys ID in the case of ServiceNow ticketing system)
         * @param operation Ticketing system operation type
         * 	{@value 0} Ticketing Operation
         * 	{@value 1} Change Related Operation
         * @return the output from ticketing side
         * @throws Exception
         */
        public JSONObject helpdeskCheck(String tsName, String tsUrl, String authToken, String ticketId, String operation) throws Exception;
      	
        /**
         * Actual function that will be called upon whenever a ticketing system related operation is done from Access Manager Plus GUI
         * @param ticketId Ticket ID (Ticket ID/Sys ID in the case of ServiceNow ticketing system)
         * @param AMPColumns Details of the Access Manager Plus account for which ticketing system query is raised
         * @param credentialDetails Key details of ticketing system (Authentication token or Base64 authorization string 
                            and web URL of ticketing system)
         * @param criteriaDetails Criteria mapping done as part of advanced configuration
         * @return Final output that will be sent to Access Manager Plus server
         * 	{@value true} Success case - Allows the operation to proceed
         * 	{@value false} Failure case - Denies the operation to proceed
         * @throws Exception
         */
        public boolean checkViewHelpDeskRequest(String ticketId, Properties AMPColumns, Properties credentialDetails, JSONObject criteriaDetails)
         throws Exception;
      		
      }
          

©2020, ZOHO Corp. All Rights Reserved.
