Mary Hain
Administrator

If you’ve spent any time wrangling permissions or building risk and compliance workflows in IRM, you’ve probably run into tricky situations where managing user access feels more complicated than just assigning roles.

 

Maybe you’re supporting multiple business units, regions, or even separate legal entities, all working within your ServiceNow environment. That’s where entity-based user access steps in: the ability to restrict access to entity-related records to designated users only.

 

Entity-based user access has numerous benefits, including:

  • Reducing the risk of unauthorized data exposure and regulatory noncompliance
  • Showing only relevant data to users, minimizing security risks, and streamlining the user experience
  • Complying with internal policies and regulations
  • Adding a security layer on top of access control lists (ACLs) and roles

 

Entity-based user access

An entity is any person, place, object, or thing that needs to be monitored to manage risks, track control compliance, and be reviewed as part of audit engagements. The entity framework makes up the foundation data of the GRC / IRM solution alongside policies, control objectives, risk statements, and risk frameworks.

 

Think of entity-based access as an extra layer of security. Data access is segregated by entity to prevent unauthorized data access, restricting access to an entity’s related records to designated users only. For example, the compliance lead in North America won’t automatically be able to view sensitive data from Europe or Asia-Pacific. Entity-based user access ensures that only individuals linked to an entity can view or work with its data.

 

The image below illustrates how users can be associated with entities such as geographies (Asia), divisions (banking or insurance), or departments (credits), so they have access to the data they need to do their job, but no more.

 

[Image: EBA hierarchy.png]

 

Importance to IRM users

If you’re managing risk and compliance inside ServiceNow, entity-based access can save you a lot of headaches:

  • Enhanced Privacy and Security: Only designated people see the records relevant to their job scope. This makes it easier to comply with privacy laws and internal security policies.
  • Cleaner Audits: When auditors ask “Who accessed this record?”, you have an auditable answer and can show that no one outside the right entity had access.
  • Fewer Mistakes: In large organizations, users often end up with permissions they don’t need. Entity-based controls reduce the risk of accidental data sharing.

 

How it works (demos and videos)

 

Setting up entity-based access

Follow this four-step process to set up entity access in your organization. Access is adjusted automatically if someone moves to a new job within the organization.

 

[Image: EBA setup guidance.png]

 

How does data segregation for entities work?

If a record is both EBA-enabled and confidentiality-enabled, a confidential user can access the record even if that user is not part of the EBA configuration: when both are enabled, confidentiality takes precedence.

 

User hierarchy or user group access control cannot be enabled together with entity-based access, and vice versa.

 

A persona who created or opened a record will always have access to that record.

 

[Image: EBA data segregation.png]


Bulk updates

You can use the bulk access update configuration to preview impacted access restrictions before changes are applied. You can view entities and associated record types to define the scope for access restriction.

 

You can also preview impacted records by type and evaluate the scope and impact before applying changes. A summary view displays the number of records impacted per record type; detailed result summaries and logs provide full auditability and traceability.

 

Future access rules enable users to specify record types or tables that require continuous enforcement of entity-based access. You also have the flexibility to apply access restrictions to one or more records and deactivate access as needed.

 

[Image: EBA Bulk updates.png]

 

Maintenance of entity-based access

  • Link to HR Data: If you can, automate entity assignments based on accurate HR data. It saves hours of manual work and helps keep things up to date.
  • Review Regularly: As people switch roles or teams, ensure their entity assignments are updated accordingly. Even a yearly check can prevent surprises.
  • Coordinate with Other Tools: If you’re juggling other identity systems (like Okta or Azure AD), it helps to sync entities so everything matches up.
  • Stick to Least Privilege: Only link people to entities they need. More access isn’t better.
  • Use Workflows: ServiceNow’s workflow engine can help automate permission changes when someone joins or leaves an entity.

Benefits and impact

With entity-based user access in ServiceNow, you’ll notice:

  • Easier Permission Management: Say goodbye to custom roles for every minor situation. When a user changes teams, just update their entity link so they only see what they should.
  • Better Security: Because data access is limited, if someone’s account gets compromised, the impact is much smaller.
  • Simpler Compliance: Showing regulatory compliance is easier when access is automatically tracked by entity.

More short-form questions and answers

 

What is entity-based user access?
Entity-based user access is a way of granting permissions based on specific organizational entities, like processes, applications, departments, or subsidiaries, so users only see information relevant to their part of the business.

 

Why does entity-based user access matter?
It helps keep sensitive data safe, prevents unnecessary access, and makes sure people only work with information that’s useful to their job.

 

How is it used in daily business?
Entity access lets teams see just their own risks, incidents, or compliance items and makes workflow approvals or reports more focused and efficient.

 

What benefits does this approach offer?
It improves security, keeps operations organized, reduces accidental data leaks, and helps with audits and compliance checks, so that only the right users access the right data.

 

How does it change normal operations?
People don’t get overwhelmed with extra info, can act faster on relevant records, and permissions are easier to update when the company grows or restructures.

 

How does this work with other access control (ACL) software?
Entity-based access usually works alongside tools like Active Directory or IAM systems to sync permissions and track user activity across different parts of the business.

 

What should I watch out for when setting it up?
Make sure your entity structure is mapped accurately, keep documentation up-to-date, and regularly review access as your organization changes.

 

How often should entity-based permissions be reviewed?
Plan on regular check-ins, especially after big changes like mergers or reorganizations, to keep access aligned with how your business works.

 

Can entity access and role-based access work together?
Absolutely. They’re often combined so users have the right level of access (“what”) in the right place (“where”) in the organization. Role-based access will continue to act as the primary access provider to a table or data. Entity-based access will be applied in addition to role-based access.

 

Any advice for getting started?
Automate wherever possible to sync user info, document policies clearly, and test permissions thoroughly to catch any gaps or overlaps.

 

If we enable entity-based access, will it override the existing configuration for confidentiality?

No, entity-based access will not override the confidentiality feature. Confidentiality takes precedence over entity-based access. This means that even if a user is not part of the entity-based access configuration, they will still be able to access a confidential record if they have the necessary ACL/Role access to the record.

 

When should we use entity-based access or confidentiality?

Confidentiality is a record-level access control that allows users to access a confidential record only if they are designated as confidential users for that record. Entity-based access controls groups of records related to an entity. Users in the entity-based access configuration can access all related risks, controls, issues, etc., for that entity.

 

Can we use both confidentiality and entity-based access at the same time? How does the system prioritize?

Yes, both confidentiality and entity-based access can be used at the same time. Confidentiality takes precedence over entity-based access. So even after entity-based access is enabled and configured, it will not affect confidential records, and confidential users will continue to access those records in the same way as they do now.
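To make the precedence rules from the data segregation section and the three questions above concrete (role-based access as the primary gate, confidentiality taking precedence over entity-based access, and the creator or opener of a record keeping access), here is an added JavaScript model of the access decision. It is not ServiceNow code: the entity hierarchy, table roles, user ids and record fields are constructed assumptions, and inheriting access down the entity hierarchy is an assumption drawn from the hierarchy image, not a documented behaviour.

```javascript
// Constructed model of the precedence rules this page describes; not ServiceNow code.
// Assumed entity hierarchy (child -> parent): a user linked to an ancestor entity
// is treated as linked to every entity beneath it.
const ENTITY_PARENT = { Credits: "Banking", Banking: "Asia", Insurance: "Asia", Asia: null };
// Assumed role-based ACL: the role a user needs before any record of a table is visible.
const TABLE_ROLE = { risk: "risk_manager", control: "control_owner" };

// True if the record's entity, or any of its ancestors, is one of the user's entities.
function inEntityScope(userEntities, entity) {
  for (let e = entity; e != null; e = ENTITY_PARENT[e] ?? null) {
    if (userEntities.includes(e)) return true;
  }
  return false;
}

// Access decision with a reason string, so the outcome can be logged for audit.
function canAccess(user, record) {
  // 1. Role-based access stays the primary gate to the table.
  const role = TABLE_ROLE[record.table];
  if (!user.roles.includes(role)) return { allowed: false, reason: "missing role " + role };
  // 2. Confidentiality takes precedence: only designated confidential users get in,
  //    whether or not they are part of the entity-based access configuration.
  if (record.confidential) {
    const ok = record.confidentialUsers.includes(user.id);
    return { allowed: ok, reason: ok ? "confidential user" : "not a confidential user" };
  }
  // 3. The persona who created or opened the record keeps access to it.
  if (record.createdBy === user.id || record.openedBy === user.id) {
    return { allowed: true, reason: "record creator/opener" };
  }
  // 4. Entity-based access restricts everyone else to users linked to the entity.
  if (record.ebaEnabled) {
    const ok = inEntityScope(user.entities, record.entity);
    return { allowed: ok, reason: (ok ? "linked to " : "outside ") + record.entity };
  }
  return { allowed: true, reason: "role only; EBA not enabled" };
}

// Audit helper: ids of the users who can reach a record.
function whoCanAccess(users, record) {
  return users.filter((u) => canAccess(u, record).allowed).map((u) => u.id);
}

// Constructed sample users and records.
const USERS = [
  { id: "asia_lead", roles: ["risk_manager"], entities: ["Asia"] },
  { id: "emea_lead", roles: ["risk_manager"], entities: ["EMEA"] },
  { id: "auditor", roles: ["risk_manager"], entities: [] },
];
const CREDIT_RISK = { id: "RSK-1", table: "risk", entity: "Credits", ebaEnabled: true,
  confidential: false, confidentialUsers: [], createdBy: "auditor", openedBy: null };
const SECRET_RISK = { ...CREDIT_RISK, id: "RSK-2", confidential: true,
  confidentialUsers: ["emea_lead"], createdBy: "emea_lead" };
```

Running `whoCanAccess(USERS, CREDIT_RISK)` yields the Asia lead (via the hierarchy) and the auditor (as creator), while for `SECRET_RISK` only the designated confidential user gets through, even though the Asia lead is linked to the entity.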

 

For more on entity-based access in ServiceNow Risk products, search the GRC Community forum for articles, demos, and discussions.

 
