--- title: Known issues and limitations description: The following are known issues or limitations with the ServiceNow Connector. component: servicenow page_id: servicenow:release_notes:pf_servicenow_connector_known_issues_and_limitations canonical_url: https://docs.pingidentity.com/integrations/servicenow/release_notes/pf_servicenow_connector_known_issues_and_limitations.html revdate: June 25, 2024 section_ids: known-issues: Known issues known-limitations: Known limitations --- # Known issues and limitations The following are known issues or limitations with the ServiceNow Connector. ## Known issues * Avoid naming `department` and `location` objects with the same format as ServiceNow system IDs, such as `972456281bcc3010dbb0dd7ebd4bcbcc`. This might cause users to be provisioned with an incorrect department or location. ## Known limitations * Attributes * Due to limitations in PingFederate, user attributes cannot be cleared after they are set. * Due to a limitation with PingFederate 9.0 and 9.0.1, the `manager` attribute cannot be mapped and used. There is no impact to other functionality. * When using the manager attribute, if the user's manager is not managed by the provisioner, the user will be created with an exception thrown. PingFederate will continue to retry the user indefinitely. * User role values must contain only URL-safe characters. * Due to a limitation in the ServiceNow API, the ServiceNow Connector requires additional security permissions to be able to remove roles from users. If you try to remove a role from a user without granting these permissions, your data store will become out of sync with ServiceNow, and an error will appear in `provisioner.log`. You can grant the permissions as shown in [Adding the Ping Identity provisioning role in ServiceNow](../setup/pf_servicenow_connector_adding_the_ping_identity_provisioning_role_in_servicenow.html). * Provisioning * PingFederate uses the `Username` attribute to synchronize users between the data store and ServiceNow, as described in [User management](../pf_servicenow_connector_user_management.html). When attempting to provisioning a user that does not have a `Username`, PingFederate logs an error in provisioner.log and keeps trying until the `Username` is present. * When provisioning users, the username attribute must only contain URL-safe characters. * If a new user is created with the same username as an existing user, a duplicate user will not be created. Instead, the existing user will be updated with any information in the create. * For `department` objects that contain the `^` character in the name, the ServiceNow API causes the creation of multiple departments with the same name. * For the `department` and `location` objects, the ServiceNow API ignores capitalization. When provisioning a user that matches multiple departments or locations in ServiceNow (such as `Accounting` and `accounting`), PingFederate provisions the user with an empty `department` or `location` attribute and logs an error in provisioner.log. * Deprovisioning * When an LDAP user is deleted in a targeted group distinguished name (DN), the provisioning connector does not propagate the deletion until a new user is added to the group. This limitation is compounded when the **User Create** provisioning option is disabled. For solutions, see [SaaS provisioner does not remove the user](https://support.pingidentity.com/s/article/After-deleting-an-AD-user-account-SaaS-provisioner-does-not-remove-the-user-in-the-next-provisioning-cycle-when-Group-DN-is-specified) in the Knowledge Base. * Performance * When synchronizing user roles, PingFederate performs multiple calls to the ServiceNow API. This can impact provisioning performance. * When using the default mapping for the manager attribute, the process for adding a manager involves an Active Directory search, followed by a database lookup to get the ServiceNow manager ID. This can impact provisioning performance. To improve performance, you can use a custom attribute mapping to link the manager attribute to a manager's email. * Configuration * When using multiple channels, the same `Username` mapping is required to coordinate manager assignments across different channels.