Modeling Third Party Services Used by Application Services

Lyle Taylor · ‎11-08-2023

Hi All,

We have a situation that we are wondering how to best model in the CMDB, especially in relation to CSDM recommendations. We have portions of some apps that rely on 3rd party services such as payment processors for an online store, etc. We are trying to determine the most correct way to represent the dependencies on those external services. We need these represented for both operational and compliance purposes - we need to understand the architecture and dependencies of our applications, and we also need to be able to understand what data is being sent and stored to/in these services for data privacy and governmental compliance purposes. We don't track the data sent and stored in ServiceNow, but understanding the dependency on the services so we can ask the right questions is essential.

For SaaS applications and platforms where we have users directly interacting with the application/platform, we already represent those as Business Applications with associated Application Services. For example, ServiceNow is a Business Application, and our instances are all Application Services. However, in this case, we simply have a service provider that provides an API (or some kind of interface) for us to interact with - no users interact directly with the service. In this scenario it feels less appropriate to represent it as a business application, since there are no "deployed application stacks" for us to track, per se. We could see it potentially represented as a Business Service, or maybe a Technical Service, but both of those feel not quite right as well.

Below is a simple example of what we're dealing with. The Business Application and Application Service represent an in-house developed online store application. It does everything except the payment processing which is handled by a 3rd party service that we have contracted with. We want to be able to represent that payment processing service as a CI so that we can see that our application depends on it. The question is what kind of CI would be best to represent that external service? You could have a similar scenario with other kinds of services such as payroll processing, etc.

Thanks for all feedback!

scott_lemm · ‎11-14-2023

Hello @Lyle Taylor , thank you for your question!
There are key aspects to your use case I want everyone to understand:
1. Data is being sent to a 3rd party service through an API
2. The 3rd Party Service is a contractually obligated Vendor

That said, we want to ensure we can identify those unique aspects to this use case: the API and the 3rd party service. I have drawn our recommendation that takes into account the points above. Note: we are NOT recommending the use of an Application Service for this 3rd Party Service... Why?

One of the aspects of a Service Offering is identifying the Vendor providing said Offering and the contracts associated to the Service. If used within ITSM, there are tracking capabilities available to understand if a Vendor is performing their obligations. In this use case, the Technical Service Offering is a critical object to identify the 3rd Party Service and, if desired, manage them as a Vendor. The API object is a bonus. You mentioned this in the use case and we recently added API as a class within the CMDB. This enables you to identify the APIs (in-house or 3rd party provided) that you depend on. APIs can exist between Application Services (in-house use case) or a Service Offering (3rd party use case).

Regardless if you plan on using our Vendor Management features, this model is the recommended solution from ServiceNow.

Thank you again for the How Would I Model This using CSDM question.

I hope this helps.
Feel free to reach out directly if you have additional questions on this topic

View solution in original post

scott_lemm · ‎11-14-2023

@Stuart Tucker , the API tables were added as part of the CMDB CI Class Model app version 1.49 from the ServiceNow Store. I believe the time frame was September 7th 2023. The version notes contain the following list of API tables:

Core API data model classes:
- cmdb_ci_api
- cmdb_ci_managed_api
- cmdb_ci_api_component
- cmdb_ci_api_frontend
- cmdb_ci_api_backend
- cmdb_ci_api_gateway
- cmdb_ci_unmatched_api_endpoint
Kong API Gateway related classes:
- cmdb_ci_kong_gateway
- cmdb_ci_kong_lb
- cmdb_ci_kong_target

View solution in original post

Stuart Tucker · ‎11-09-2023

Hi Lyle, I think, as with as lot of CSDM, it depends on how you would like to present it. Here are some different approaches:

1. The Business Application list is a strategic inventory of all the things needed to make your business work and provide definitions of your Business Capabilities. On that basis these things should be Business Applications, with an associated Application Service, just like anything else, so that the business capability being provided is recorded.

2. On the other hand, it maybe considered that this is too much for such a small, bespoke element of a service, so you could just create an Application Service and link it to the Online Store Bus App and App Service. An Application Service does not need to have its own separate Business Application, as long as it is linked to something.

3. Another thought is that this represents a whole new world of Integrations and Data Transfer type services which need to specified with dedicated attributes, so maybe it is appropriate to extend a table and create new CI Class for Integrations.

Just my thoughts.

MaggieT · ‎11-13-2023

Hi @Lyle Taylor - I would create an application service to represent 3rd Party Payment Processing service then link it to your Online Store - Prod service. That way when there is an issue this 3rd party service, an incident can be raised against this application service which show Online Store - Prod impacted. You can also have a change raised against this 3rd party service when maintenance is carried out by the vendor to notify your organisation that Online Store - Prod may be impacted. There is no need to link the new application service to CIs.

Hope this helps.

Richard W · ‎11-14-2023

Hi Maggie, can you expand on what class you are creating the application service in and what type of application service it is?

Thanks

scott_lemm · ‎11-14-2023

Hello @Lyle Taylor , thank you for your question!
There are key aspects to your use case I want everyone to understand:
1. Data is being sent to a 3rd party service through an API
2. The 3rd Party Service is a contractually obligated Vendor

That said, we want to ensure we can identify those unique aspects to this use case: the API and the 3rd party service. I have drawn our recommendation that takes into account the points above. Note: we are NOT recommending the use of an Application Service for this 3rd Party Service... Why?

One of the aspects of a Service Offering is identifying the Vendor providing said Offering and the contracts associated to the Service. If used within ITSM, there are tracking capabilities available to understand if a Vendor is performing their obligations. In this use case, the Technical Service Offering is a critical object to identify the 3rd Party Service and, if desired, manage them as a Vendor. The API object is a bonus. You mentioned this in the use case and we recently added API as a class within the CMDB. This enables you to identify the APIs (in-house or 3rd party provided) that you depend on. APIs can exist between Application Services (in-house use case) or a Service Offering (3rd party use case).

Regardless if you plan on using our Vendor Management features, this model is the recommended solution from ServiceNow.

Thank you again for the How Would I Model This using CSDM question.

I hope this helps.
Feel free to reach out directly if you have additional questions on this topic