Fetching dependencies from the CMDB and BIA

  • Release version: Yokohama
  • Updated July 31, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Fetching dependencies from the CMDB and BIA

    Starting with the Yokohama release, ServiceNow Operational Resilience enables customers to fetch and update service dependencies from both the Configuration Management Database (CMDB) and Business Impact Analysis (BIA) records. This capability helps keep dependency data current, which is essential for accurate operational risk and resilience management.

    Show full answer Show less

    Fetching Dependencies from CMDB

    The Operational Resilience application uses the Data Relationships Framework (app-grc-relationship-config), installed by default, to retrieve dependencies from the CMDB via an API. To enable this, administrators must activate the main node configuration labeled “Service (CMDB)” within the framework.

    When dependencies are fetched:

    • The application searches for an existing entity corresponding to each dependency.
    • If an entity exists and belongs to a recognized Operational Resilience entity type, it is linked downstream to its parent entity.
    • If the entity exists but is not assigned to an entity type (e.g., Facilities, People, Suppliers, Technology), users must manually assign it to the appropriate type within Operational Resilience.
    • Dependencies without corresponding entities are skipped and not created automatically.

    The document provides an example where a business service “Windows mobile” has dependencies such as “OWA-SD-01” and email server entities, illustrating how these are structured downstream within the service hierarchy.

    Fetching Dependencies from Business Impact Analysis (BIA)

    If Business Continuity Management (BCM) applications are installed, Operational Resilience also monitors and fetches dependency updates from BIA records under these conditions:

    • The BIA record must be in the Approved state and not Expired.
    • The dependency group within the BIA must be marked as completed.
    • The “Applies to” field in the BIA must correspond to a business process entity recognized in Operational Resilience.

    Fetched dependencies undergo similar validation as with CMDB dependencies—only active entities with valid pillars and recognized entity types are linked downstream.

    Important Rules and Manual Updates

    • Dependencies without existing entities are ignored; Operational Resilience does not create new entities automatically.
    • Inactive entities, or those without pillars or valid entity types, are ignored.
    • If dependencies do not belong to predefined entity types, users must manually add them to the corresponding entity type.
    • Administrators and managers have the option to update dependencies manually instead of relying solely on scheduled jobs.

    Data Relationships Framework Support

    The integration leverages the Data Relationships Framework’s main node configuration. Administrators should refer to the framework documentation to understand how to create and manage main node configurations effectively for smooth dependency fetching.

    You can fetch the dependencies for the services or business services from CMDB in Operational Resilience. Similarly, when the BCM applications are installed, the Operational Resilience scheduled job also monitors for the changes in the business impact analysis (BIA) dependencies and fetches the dependency updates.

    Fetching the dependencies from CMDB for the services

    Beginning with the Yokohama release, the Data Relationships Framework supports the Operational Resilience application with the underlying framework to fetch the dependencies from CMDB. The Data Relationships Framework (app-grc-relationship-config) is installed with the Operational Resilience application by default. The CMDB dependencies are retrieved by calling an API from the Data Relationships Framework.​

    To get the CMDB dependencies, the Operational Resilience administrator must activate the main node configuration, labeled as Service (CMDB) in the Data Relationships Framework first.​

    For each retrieved dependency, the Operational Resilience application searches for an existing entity first. If there is no existing entity, the dependency is skipped. If there is an existing entity and the entity belongs to any entity type in Operational Resilience, it is added to the downstream of its parent’s entity. If the entity does not belong to any entity type, such as Facilities/People/Suppliers/Technology, you must add it manually to the corresponding entity type in Operational Resilience.​

    The following example shows a sample CMDB relationship setup for a business service. When the service Windows mobile updates its dependencies, the entity of OWA-SD-01 gets added to the downstream of its entity, IronMail-SD-01 and IronMail-SD-02 gets added to the downstream of the Email child service entity.

    Table 1. Sample relationship setup for a business service
    Business service Associated dependency, business process, and business service: Email Process and dependencies associated with business service: Email
    Windows mobile
    • Dependency: OWA-SD-01
    • Business process: Inbound payment validation
    • Business service: Email
    • Process: Fraud_escalation
    • Dependency 1: IronMail-SD-01 (The table is cmdb_ci_email_server.)
    • Dependency 2: IronMail-SD-02 (The table is cmdb_ci_email_server.)

    Fetching the dependencies from the business impact analysis (BIA)

    When the BCM applications are installed, Operational Resilience fetches the BIA's dependency update if the BIA's Applies to field is a business process used in Operational Resilience.

    The following conditions must be met for pulling the BIA dependencies in Operational Resilience:
    • The BIA has to be in the Approved state.
    • The BIA should not be in the Expired state.
    • The dependency group has to be completed.
    Note:
    Only when the Applies to field of the BIA record matches with any business process within the Business Processes Entity Type, its dependencies are fetched by the scheduled job.

    For each fetched dependency, the Operational Resilience application looks for an existing valid entity first. If the dependency has an existing valid entity and the entity belongs to any entity type in Operational Resilience, it is added to the downstream of its parent's entity.

    To fetch the CMDB dependency updates or BIA dependency updates, the following conditions are followed:
    • If there is no entity for the dependency, it is skipped. Operational Resilience does not create an entity for the dependency.
    • If a dependency entity is inactive, it is ignored.
    • If a dependency entity is active, but it has no pillar, it is ignored.
    • If a dependency entity is active and has a pillar, but it does not belong to any Operational Resilience entity type, it is ignored.

    Adding the dependencies manually

    If the entity does not belong to an entity type such as Facilities, People, Suppliers, Technology, Operational Resilience users must add it to the corresponding entity type manually.​ Instead of using the scheduled job, Operational Resilience administrators and managers can update the dependencies manually.

    Support for main node configuration in Data Relationships Framework

    For information on the Data Relationships Framework and main node configuration, see Data Relationships Framework and Create a main node configuration record.