ManageEngine ServiceDesk Plus SAAS support is here!

InsightConnect Plugins
1

ManageEngine ServiceDesk Plus Plugin Setup Guide

This guide covers the complete configuration for the InsightConnect ManageEngine ServiceDesk Plus plugin (v2.0.0+). The plugin supports both Cloud (SaaS) and On-Premises deployments with separate authentication methods. Additionally, you can follow along this video for the Cloud Setup Portion:

Create ManageEngine ServiceDesk Plus Connection in Rapid7 Automation

Part 1: Cloud (SaaS) Setup

Cloud connections use Zoho OAuth 2.0 for authentication. You'll need to create a self-client application in the Zoho API Console and generate a refresh token.

Prerequisites

  • A ManageEngine ServiceDesk Plus Cloud account with administrator access

  • Access to the Zoho API Console

  • The technician account used must have appropriate role permissions (see Part 3)

Step 1: Identify Your Data Center and Portal Name

Your data center determines which Zoho OAuth and API endpoints to use.

Find your data center — look at your ServiceDesk Plus Cloud URL:

  • sdpondemand.manageengine.comUnited States

  • sdpondemand.manageengine.euEurope

  • sdpondemand.manageengine.inIndia

  • sdpondemand.manageengine.com.auAustralia

  • sdpondemand.manageengine.cnChina

  • sdpondemand.manageengine.jpJapan

Find your portal name:

Your portal name is in your URL: https://sdpondemand.manageengine.com/app/{portal_name}/

For example, if your URL is https://sdpondemand.manageengine.com/app/acme-corp/, your portal name is acme-corp.

Step 2: Create a Self-Client in Zoho API Console

  1. Go to https://api-console.zoho.com/

  2. Sign in with the Zoho account that has admin access to your ServiceDesk Plus instance

  3. Click Add Client

  4. Select Self Client as the client type

  5. Click CREATE

  6. If prompted, select the appropriate Zoho portal

  7. Record the Client ID and Client Secret — you'll need these for the plugin

Step 3: Generate an Authorization Code

  1. In the Zoho API Console, click on your newly created Self Client

  2. Go to the Generate Code tab

  3. In the Scope field, enter the required scopes based on your needs:

Minimum scope (read + write requests):


SDPOnDemand.requests.ALL

Full scope (all plugin actions including notes and resolutions):


SDPOnDemand.requests.ALL,SDPOnDemand.request_notes.ALL,SDPOnDemand.request_resolutions.ALL

  1. Set the Time Duration to 10 minutes (this is the code expiry, not the token expiry)

  2. Enter a Description (e.g., "InsightConnect Integration")

  3. Click CREATE

  4. Immediately copy the generated authorization code — it expires in the time you selected

Step 4: Exchange the Authorization Code for a Refresh Token

Use the authorization code to get a refresh token. Run this command within the time limit you set in Step 3:

For United States data center:


curl -X POST "https://accounts.zoho.com/oauth/v2/token" \

-d "grant_type=authorization_code" \

-d "client_id=YOUR_CLIENT_ID" \

-d "client_secret=YOUR_CLIENT_SECRET" \

-d "code=YOUR_AUTHORIZATION_CODE"

For Europe data center:


curl -X POST "https://accounts.zoho.eu/oauth/v2/token" \

-d "grant_type=authorization_code" \

-d "client_id=YOUR_CLIENT_ID" \

-d "client_secret=YOUR_CLIENT_SECRET" \

-d "code=YOUR_AUTHORIZATION_CODE"

For India data center:


curl -X POST "https://accounts.zoho.in/oauth/v2/token" \

-d "grant_type=authorization_code" \

-d "client_id=YOUR_CLIENT_ID" \

-d "client_secret=YOUR_CLIENT_SECRET" \

-d "code=YOUR_AUTHORIZATION_CODE"

For Australia data center:


curl -X POST "https://accounts.zoho.com.au/oauth/v2/token" \

-d "grant_type=authorization_code" \

-d "client_id=YOUR_CLIENT_ID" \

-d "client_secret=YOUR_CLIENT_SECRET" \

-d "code=YOUR_AUTHORIZATION_CODE"

For Japan data center:


curl -X POST "https://accounts.zoho.jp/oauth/v2/token" \

-d "grant_type=authorization_code" \

-d "client_id=YOUR_CLIENT_ID" \

-d "client_secret=YOUR_CLIENT_SECRET" \

-d "code=YOUR_AUTHORIZATION_CODE"

Successful response:


{

"access_token": "1000.xxxxxxxx.yyyyyyyy",

"refresh_token": "1000.aaaaaaaa.bbbbbbbb",

"scope": "SDPOnDemand.requests.ALL",

"api_domain": "https://www.zohoapis.com",

"token_type": "Bearer",

"expires_in": 3600

}

Save the refresh_token value — this is what you'll enter in the plugin connection. It does not expire unless revoked.

:warning: The authorization code can only be used once. If the curl command fails, go back to Step 3 and generate a new code.

:warning: The refresh token is tied to the user who authorized it. That user's permissions determine what the plugin can do.

Step 5: Verify the Token Works

Test that your refresh token can obtain an access token:


curl -X POST "https://accounts.zoho.com/oauth/v2/token" \

-d "grant_type=refresh_token" \

-d "client_id=YOUR_CLIENT_ID" \

-d "client_secret=YOUR_CLIENT_SECRET" \

-d "refresh_token=YOUR_REFRESH_TOKEN"

You should receive a response with a new access_token. If you get an error, verify your client ID, secret, and refresh token are correct.

Part 2: On-Premises Setup

On-Premises connections use a technician API key for authentication. This is simpler than the Cloud setup.

Prerequisites

  • ManageEngine ServiceDesk Plus On-Premises installation (version 13008+ recommended)

  • Administrator access to create/manage technicians

  • Network connectivity between InsightConnect (or the orchestrator) and the ServiceDesk Plus server

  • The ServiceDesk Plus server must be accessible via HTTP/HTTPS from the orchestrator

Step 1: Create a Dedicated Technician Account (Recommended)

For least-privilege access, create a dedicated technician account for the integration rather than using an existing admin account.

  1. Log in to ServiceDesk Plus as an administrator

  2. Navigate to AdminUsersTechnicians

  3. Click Add New Technician

  4. Fill in the details:

  • Name: InsightConnect Integration (or similar descriptive name)

  • Email: A shared/service mailbox (optional)

  • Login Name: insightconnect_api

  • Login Permission: Enabled (required for API key generation)

  1. Under Roles, assign a custom role (see Part 3 for permissions)

  2. Under Groups, assign the technician to any groups it needs to operate on

  3. Click Save

Step 2: Create a Custom Role (Least Privilege)

  1. Navigate to AdminUsers & PermissionsRoles

  2. Click Add New Role

  3. Name it: API Integration Role

  4. Configure permissions based on what actions you need (see Part 3)

  5. Click Save

  6. Assign this role to the technician created in Step 1

Step 3: Generate the API Key

Method A — Generate for yourself (if logged in as the integration technician):

  1. Click your profile icon (top-right corner)

  2. Click Generate API Key

  3. Choose expiry:

  • No Expiry — recommended for integrations (avoids key rotation disruption)

  • Custom Date — set a calendar reminder to rotate before expiry

  1. Copy the generated API key

Method B — Generate for another technician (requires SDAdmin role):

  1. Navigate to AdminUsersTechnicians

  2. Click the edit icon next to the integration technician

  3. Under API Key Details, click Generate

  4. Set expiry preference

  5. Copy the generated API key

Step 4: Determine Your Base URL

Your base URL is the address where ServiceDesk Plus is accessible:

  • Standard HTTP: http://sdp-server.example.com:8080

  • HTTPS: https://sdp-server.example.com:443

  • Custom port: https://sdp-server.example.com:8443

The plugin appends /api/v3 automatically — do NOT include it in the base URL.

Test connectivity from the orchestrator:


curl -k "https://sdp-server.example.com:8443/api/v3/requests?TECHNICIAN_KEY=YOUR_API_KEY&format=json"

If you get a JSON response with requests (or an empty list), connectivity is confirmed.

Step 5: SSL Certificate Considerations

  • If your ServiceDesk Plus instance uses a self-signed certificate, set SSL Verify to false in the plugin connection

  • If it uses a CA-signed certificate, leave SSL Verify as true (default)

  • For production, using a valid CA-signed certificate with SSL verification enabled is recommended

Part 3: Permissions Reference

Cloud Permissions (Zoho OAuth Scopes)

Scopes control what the OAuth token can access. Use the minimum scopes needed:

SDPOnDemand.requests.ALL

  • Grants: All request operations (add, edit, delete, close, assign, pickup, get, list)

SDPOnDemand.requests.READ

  • Grants: Read-only request access (get, list)

SDPOnDemand.requests.CREATE

  • Grants: Create requests only

SDPOnDemand.requests.UPDATE

  • Grants: Update/edit requests only

SDPOnDemand.requests.DELETE

  • Grants: Delete requests only

SDPOnDemand.request_notes.ALL

  • Grants: All note operations (add, edit, delete, list)

SDPOnDemand.request_resolutions.ALL

  • Grants: All resolution operations (add, get)

Recommended scope sets by use case:

:eye: Read-only monitoring:

SDPOnDemand.requests.READ

:ticket: Create tickets from alerts:

SDPOnDemand.requests.CREATE,SDPOnDemand.requests.READ

:gear: Full request management:

SDPOnDemand.requests.ALL

:star: Full plugin functionality:

SDPOnDemand.requests.ALL,SDPOnDemand.request_notes.ALL,SDPOnDemand.request_resolutions.ALL

:information_source: The user who authorizes the OAuth token must also have the appropriate technician role in ServiceDesk Plus Cloud. Scopes limit what the token can do, but the user's role further restricts access.

On-Premises Permissions (Technician Role)

On-Premises permissions are controlled by the technician's Role in ServiceDesk Plus. The API key inherits all permissions of the technician it belongs to.

Request Module Permissions

View

  • Required for: Get Request, Get List Request

Add

  • Required for: Add Request

Edit

  • Required for: Edit Request, Assign Request, Pickup Request, Close Request

Delete

  • Required for: Delete Request

Advanced Permissions (Request Module)

Close Request → Close Request action

Assign Request → Assign Request action

Pickup Request → Pickup Request action

Add/Edit Resolution → Add Resolution action

View Resolution → Get Resolution action

Add Note → Add Request Note action

Edit Note → Edit Request Note action

Delete Note → Delete Request Note action

View Notes → Get List Request Notes action

Recommended Role Configurations

:eye: Read-Only (monitoring/reporting):

  • Request Module: View only

  • Advanced: View Resolution, View Notes

:ticket: Ticket Creation (SOAR alert → ticket):

  • Request Module: View, Add

  • Advanced: Add Note

:star: Full Integration (all plugin actions):

  • Request Module: View, Add, Edit, Delete

  • Advanced: Close Request, Assign Request, Pickup Request, Add/Edit Resolution, View Resolution, Add Note, Edit Note, Delete Note, View Notes

Setting up the custom role:

  1. Go to AdminUsers & PermissionsRoles

  2. Click Add New Role

  3. Under Request module, check the permissions listed above

  4. Click Advanced Permissions to expand and configure note/resolution access

  5. Save and assign to your integration technician

Part 4: Plugin Connection Configuration

Cloud Connection

  • Connection Type: Cloud

  • Client ID: 1000.XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (from Zoho API Console → Self Client)

  • Client Secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (from Zoho API Console → Self Client)

  • Refresh Token: 1000.aaaaaaaaaa.bbbbbbbbbb (from Step 4 curl response)

  • Portal Name: acme-corp (from your ServiceDesk Plus Cloud URL)

  • Data Center: United States (based on your URL — see Step 1)

On-Premises Connection

  • Connection Type: On-Prem

  • SDP Base URL: https://sdp-server.example.com:8443 (your server address)

  • API Key: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (generated in Step 3)

  • SSL Verify: true or false (based on your certificate setup)

Data Center Reference

United States

  • API Base: sdpondemand.manageengine.com

  • OAuth: accounts.zoho.com

Europe

  • API Base: sdpondemand.manageengine.eu

  • OAuth: accounts.zoho.eu

India

  • API Base: sdpondemand.manageengine.in

  • OAuth: accounts.zoho.in

Australia

  • API Base: sdpondemand.manageengine.com.au

  • OAuth: accounts.zoho.com.au

China

  • API Base: sdpondemand.manageengine.cn

  • OAuth: accounts.zoho.com.cn

Japan

  • API Base: sdpondemand.manageengine.jp

  • OAuth: accounts.zoho.jp

Part 5: Troubleshooting

Cloud Issues

"Failed to obtain Zoho OAuth access token"

  • Verify Client ID, Client Secret, and Refresh Token are correct

  • Ensure the Data Center matches your actual ServiceDesk Plus Cloud region

  • Check that the refresh token hasn't been revoked (regenerate if needed)

  • Verify the Zoho account that authorized the token still has access

"Authentication failed" (401)

  • The access token may have expired and refresh failed

  • The refresh token may have been revoked — regenerate from Step 3

  • The user's permissions in ServiceDesk Plus may have been changed

"Operation is not allowed" (403)

  • The OAuth scope doesn't include the required permission

  • The technician's role in ServiceDesk Plus doesn't allow this operation

  • Regenerate the authorization code with broader scopes if needed

Authorization code expired before exchanging for refresh token

  • Go back to Step 3, generate a new code, and exchange it immediately

  • The code expires in the time duration you selected (default 10 minutes)

On-Premises Issues

Connection timeout

  • Verify the orchestrator can reach the ServiceDesk Plus server on the specified port

  • Check firewall rules between the orchestrator and the SDP server

  • Test with: curl -k "https://sdp-server:8443/api/v3/requests" -H "authtoken: YOUR_KEY"

"Authentication failed"

  • Verify the API key is correct and hasn't expired

  • Ensure the technician account has login permission enabled

  • Check if the technician account has been disabled

SSL certificate errors

  • If using a self-signed cert, set SSL Verify to false

  • If using a CA cert, ensure the full certificate chain is valid

  • For production, consider adding the CA to the orchestrator's trust store

"Resource not found" (404)

  • Verify the base URL is correct (no trailing slash, no /api/v3)

  • Ensure the request/note ID exists

  • Check that the technician has permission to view the resource

General Issues

"Requester parameter not provided"

  • The Add Request action requires a requester field with at minimum a name value

  • Example: {"name": "John Doe"} or {"name": "john@example.com"}

"API rate limit reached" (429)

  • The plugin has built-in retry with exponential backoff

  • If persistent, reduce the frequency of API calls in your workflow

  • Cloud instances have stricter rate limits than On-Premises

Large IDs showing incorrect values

  • Ensure you're using plugin v2.0.0+ which treats all IDs as strings

  • Earlier versions used integers which caused precision loss with large Cloud IDs

Security Recommendations

  • Least privilege: Only grant the permissions needed for your specific workflows

  • Dedicated account: Use a dedicated technician account, not a personal admin account

  • API key rotation (On-Prem): Set a key expiry and rotate periodically

  • Refresh token security (Cloud): Store the refresh token securely — it provides ongoing access

  • Network segmentation (On-Prem): Restrict which IPs can reach the SDP API port

  • Audit logging: Both Cloud and On-Prem log API activity — review periodically