x

    Health of Your Instance

     

     

    Each one of us takes care of our health not only for ourselves but also for people who are close to us. We do some periodical exams and health checks to make sure that everything is ok. We eat healthy food and go to the gym, some of us may like to run. Everything to ensure we are okay and will be as long as possible. Even though some situations cannot be fully avoided, like getting the flu during the season, we are doing what we can to stay in the best shape. Our work takes a lot of time in our lives, for many people, the work environment is like a second home, especially for people who are working from home which is more and more popular. But do we think about our work environment the same way as we do for our health?

    Some companies are just starting their journey with ServiceNow as part of the daily work environment. Others are already there, maybe for a year, a decade, or longer. But despite the time, just like we care about health, we should always think about our work environment, and it’s one of our keys for The Cloud People as a partner to make sure that ServiceNow instance is in the best shape.

    Development and configuration in most of the cases were done by different companies and different people with different skills and experience; all followed their release process, which has changed over time and got more mature. But still, something could be overseen and cause damage, starting from system performance, which could not have a huge impact and got easily and quickly fixed, but there could be a more serious result like a security breach or data leak causing a lot of damage for the company. ServiceNow is a huge platform capable of supporting many different branches of Your organization, starting from simple IT tasks, going through Human Relations and Customer Support as fat for very complex workflow. With such huge flexibility comes lots of responsibility, so how can we ensure that delivery for the instance is done in its best way?

    In general, there are many ways to achieve that goal, each one of them comes with different skill requirements and different time utilization but here we would like to focus on two functionalities that not everyone knows about and that are underestimated as can give huge support and value.

    ServiceNow Health Scan and ServiceNow Instance Scan

    ServiceNow Health Scan is an automated ServiceNow (as a vendor) scanning system that checks the full body of the instance on many levels. It starts with a simple configuration and modifications of OOTB features and goes through data access rules as far as low-level script validation. All checks are done based on best practice rules. A huge advantage of Health Scan is that checks performed are based on experience gathered by the Vendor from thousands of instances that were provided to ServiceNow customers.

    The outcome of HealthScan is the Configuration Review report as a detailed assessment of scanned instances and provides written information on the system's quality.

    Scan findings are divided into five main categories

    • Manageability – i.e., assessment of several custom fields, tables, flows, and workflows; Groups with no users; reports shared with a group that has no users; report assigned to a non-existent group/user; hardcoded values in scripts; huge scripts; complex Workflows; with many steps; data relationships to non-existing records; automated logic like business rules running on relationships hard to predict.
    • Performance – i.e. Index Suggestions for Slow Queries should be reviewed; LDAP Server definition should limit attributes retrieved; Read ACLs (Security rules) should not run database queries on tables on huge numbers of data; Business rules firing outbound SOAP/REST set to run synchronously; recursive updates on records; side of data shared for integration and exports.
    • Security – i.e. outdated security protocols used; Session Activity Timeout value; Enforce strong passwords; HTML Sanitization to avoid script injection; IP Range access for highly secured instances.
    • Upgradeability – i.e. Scripts should not directly call Java packages; differences from OOTB baseline; Client-side code should not use DOM manipulation technique; custom modules.
    • User Experience - record Activity Log showing too much information; Too many fields on a form; Same field twice on one form; Minimize the number of options in a choice field; long titles.

    And three rating levels

    • Act – Highest priority which needs to be reviewed and fixed.
    • Recommend – Medium priority with findings that require review and scheduling.
    • Discuss—Low-priority findings will also require review, but these could be exceptions due to technical limitations.

    Each of the categories will also come with a percentage KPI score as a general indicator of instance health.

    A screen shot of a security
Description automatically generated

    Despite the general summary overview, the Customer is also provided with a detailed list of all configuration records that were found. It will contain the record type, e.g., Business rule or script, a direct link to find when it was created and last modified, a category with a rating, and, most importantly, a recommendation description with a link to the best practice definition of the finding. Due to many factors, such a list can have a couple hundred, thousand, or even hundreds of thousands of records.

    ServiceNow Health scan cannot be requested by customer partners, if anyone is interested in a Health scan they will be required to contact the customer's solution consultant, customer outcomes representative, or support account manager. After request acceptance, there will be a requirement to prepare the environment for scan purposes as it cannot be done in production mainly due to performance reasons. After instance, full clone ServiceNow will run the scan, report preparations usually take a couple of days, and results are provided. Of course, when there is a huge number of findings, it can take a bit longer to process and prepare the report.

    The cost of a ServiceNow Health scan depends on the customer's contact with ServiceNow. In most cases, it will be available for free, but each customer should confirm the cost with the support account manager.

      When you already have the report, you can proceed with the review and remediation plan. Technical and Solution Architects should go through the first high-level review to check the overall state of the platform and decide together with the platform owner about findings prioritization based on their urgency, complexity of change, team available for remediation tasks, and time consumption which may be required to reach desired Health level but not having any impact on current development and release cycle. What is more, it will also be a very good time to validate if the current release process works well or if there is space for improvement to avoid some issues that were overseen and spotted in the Health Scan report.

    In many cases despite achieved value which will be better performance and more secure instances, remediation of Health Scan findings will consume a lot of resources. Such HealthScan should be performed at least every two or three years or if even possible as an annual check. To be prepared and avoid too high remediation utilization it is recommended to implement ServiceNow Instance Scan in the current development release cycle.

    ServiceNow Instance Scan is very similar to Health Scan, as it is a built-in application that allows customers to run their validation checks on demand or periodically without vendor involvement.  

    It helps to validate configuration and identify health issues before changes are moved to the production environment. The tool can be used as a part of development operations and release management.

    The main difference is that instance scan functionality setup depends on the customer and delivery team. By typing ‘Instance scan’ in Application Navigator, you will find available modules

    A screenshot of a computer

Description automatically generated

    Note: admin, scan_user Roles are required to access instance scan data

    Instance Scan application is divided into 5 main sections.

    • Checks – where check configuration records are stored and where system admins can add new records required to be monitored.
      A screenshot of a computer

Description automatically generated
    • Suites – records to group checks by their similarity and focus areas i.e. Security check suite or Script validations.
      A screenshot of a computer

Description automatically generated

      Suites can have a Parent-Child relationship which allows system administrators to prepare configurations based on the current requirement of the process.
      If you would like to run a scan based on the created suite, it is required to open the Suite record, and an option to Execute the scan will be available there.
      A screenshot of a computer

Description automatically generated
      The outcome will be available under the “Results” module, just like for a full scan or single check run.  
    • Results - under this module, you will find an entry of a scan that was performed with grouped information of which suites were included, which checks run, scan findings, and additional Statistics
      A screenshot of a computer

Description automatically generated
      You can also access the findings directly from the Results record for review and remediation plans or actions.  
    • Findings – full list of all findings from scans and checks that were performed against the instance. From here just like from the Results relationship list, you can review each finding for improvement. There might be a situation that you will find here records that look like duplicates i.e. same record with the same issue reported, this is as it will be a result of two different check runs which was not fixed yet or were not ‘Muted’.
      Muting a finding can be described as marking it as an exception not to be shown in the next checks, sooner or later such exemptions will exist, and their reasons can be various i.e. fix is already prepared or will be in a short period, the record comes from additional application, which is protected, and you need to wait for a fix from vendor.
      A screenshot of a computer

Description automatically generated
    • Dashboard -  a very basic dashboard that displays a couple of full scan statistics and allows filtering them by category and priority
      A screenshot of a computer

Description automatically generated

    Depending on installed applications and plugins as also when the instance had a Go-Live, the number of OOTB checks available will be various. From the same list, you can run a Full Instance scan on demand or set up a scheduled Full Scan. A full scan will run all active checks that are currently available and when it’s done, the scan outcome can be found under the ‘Results’ module.  
    If you would like to run a validation on a single check, you can do it in two ways: by opening the check record, which will have a ‘Test Check Option’, or by adding it to a simple Suite with only a few validations.  
    A screenshot of a computer

Description automatically generated


    The Way to Healthy Development

    Unfortunately, there is no golden way that most of us would like to have. Everything depends on the current situation of the customer’s instance, and each case is individual.

    To achieve the best health state for the instance, we need to go through the whole process and ask ourselves a couple of questions.

    • How old is the instance?
    • How many different delivery teams were involved in its lifecycle?
    • How many customizations were done?
    • What is my current release cycle, and how can a health check be embedded in the development review?
    • How was my instance health check so far, and if it ever was?
    • How much FTE can be assigned for health checks considering the different knowledge and experience of developers, as there will be simple and complex review and remediation requirements?

    When you have answered these questions, you can finally start to plan your Way and take care of instance health quality.

    In the longest scenario what would be recommended is to request ServiceNow Health Scan, If you have never done any checks of the instance it will assure you that you will receive a full report on all applications installed and in the widest spectrum based on the newest updates in ServiceNow platform. What is more let’s remember that the checks which are done here are based on experience gained on all ServiceNow customers.

    ServiceNow Health Scan can also be a great base start for the implementation of Instance Scan Functionality.

    The report received will provide you with additional check examples, definitions, and links to best practice guides. It will not contain direct check logic, but based on that, developers can recreate these checks if required in the customer’s instance.

     When you have the report, it will require some time to verify what are the top priority enhancements, what level of knowledge is required to implement the change, predict the required time allocation and schedules, set some milestones to achieve the required level of health, and plan it accordingly in your current development backlog.  Unfortunately, if your customer has never done such a Health check, it may require allocating a lot of resources, and this quite often becomes a blocker, even though if the customer is in such a situation, there should be a question asked: what will happen if you do not proceed with these enhancements and changes?


    Assuming that a health check was performed, during remediation, you should start implementing and embedding the Instance Scan Application. Each check that was performed and spotted as an issue or enhancement should also be recreated in the customer's instance Check table definitions. This will open new options to act proactively in the development cycle and avoid the same issues from happening in the future.
    ServiceNow customers have their release cycles and processes defined. Development is usually released based on the spring length period, and in some cases, there are additional code review meetings.

    During the release cycle, developers can have a principle that before completing the Update set, they should run a check against changes done.  On the update set form view, there is an OOTB Action strictly for this purpose

    A screenshot of a computer update

Description automatically generated

    When it is clicked, an instance scan is performed against the changes, and the developer can easily identify the issues.

    A screenshot of a computer

Description automatically generated

    Another way would be to prepare a scheduled scan execution, which will run before a code review meeting, and allocate some time for a grooming session on check findings where everyone from the team will share and gain some knowledge to deliver better quality solutions. This could also include a dashboard tailored in line with the customer's release process to allow additional filtering on the change request, release records, or update set list

    A screenshot of a computer

Description automatically generated

    With time, each release will add more value to the environment as it becomes more stable and secure.

     That brings one quite important point: these checks should not be run directly in Production but in a Test or Dev environment, as they could impact performance. The main goal is to avoid and not act after it has already happened.

    Hopefully, that information will encourage you to remember to implement Health checks. After that, you will see the power of Instance checks, as they do not have to focus only on technical parts of the instance but also on any other data validation, i.e., related to security, like text added to some fields based on data security confidentiality, and can help to monitor and sanitize such unwanted entries.

     

    Want to learn more?

    Want to know more about how we can help you take advantages of the ServiceNow platform?