- Post History
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
an hour ago
Regulatory change is frequent and organizations must constantly adjust policies and procedures to stay compliant.
The Policy Authoring & Redlining capability in the IRM Policy and Compliance Management app gives you the ability to connect your policies directly to Microsoft Office 365 (OneDrive, SharePoint) or Google Drive so that your compliance teams can draft, review, and redline in familiar tools while maintaining full governance and audit trails in the ServiceNow platform.
It’s a simple process. Compliance teams edit and redline in Microsoft Word or Google Docs. Changes flow back into the ServiceNow policy record automatically, and the policy record locks on approval to create a defensible publishing trail.
Watch the how-to video on our YouTube Speed Learning channel. Policy Authoring & Redlining with Office 365 and Google Drive
How it works: Policy lifecycle
The policy lifecycle is owner-driven with four key personas:
- Owner — Starts a new policy or reopens a published one on the annual review cycle and invites contributors.
- Contributor — Co-authors the policy with the owner in O365 Word on OneDrive or SharePoint, using tracked changes, or in Google Docs.
- Reviewer — Adds edits, comments, and tracked changes once the draft is ready.
- Approver — Reviews and approves then publishes; the policy is finalized and ready for the next annual review.
Policy phases
The policy moves through these phases:
- Draft/edit — Owner and contributors collaborate in Word on the cloud provider.
- Review /markup — Reviewer adds comments and suggested changes.
- Refine — Owner incorporates review feedback.
- Publishing checklist — Owner finalizes document, reviews formatting and attachments, then requests approval.
- Approval — Approver reviews and approves; policy is published and synced to ServiceNow.
What it means for you
Policy compliance requires adaptability and flexibility to maintain compliance at all times. Cloud-connected authoring delivers:
- Increased agility — Edit policies in familiar tools, not custom interfaces.
- Version history — Access all document versions live on OneDrive or SharePoint; every change is auditable.
- Defensible audit trail — Records policy state transitions, approvals, and PDF attachments in ServiceNow.
- Multi-stakeholder collaboration — Provides seamless review and approval by owners, contributors, and reviewers.
- Regulatory readiness — Satisfies compliance requirements accessible PDFs and two-layer audit (ServiceNow + cloud provider).
Cloud providers
ServiceNow supports three cloud providers for policy document authoring and redlining:
- Microsoft OneDrive — Best for M365 environments; OAuth or personal authentication.
- Microsoft SharePoint — Same as OneDrive; supports multi-site routing in newer releases.
- Google Drive — Documents created as Google Docs
FAQ
Q: Can policies be created from scratch in ServiceNow, or only linked from the cloud?
A: Both. You can create a new policy in ServiceNow and have it immediately created in your cloud provider, or you can connect an existing document from O365/Google Drive to bring it under governance in ServiceNow.
Q: What happens to version history if a contributor is off-boarded?
A: Version history is preserved in the cloud provider (O365 or Google Drive). If using OAuth App authentication (recommended for enterprise), the central service account maintains ownership so documents don't orphan on user departure.
Q: Is the published PDF locked and immutable?
A: Yes. The attached PDF is read-only and serves as the approved, published version for compliance and distribution. The policy record can only move to a new draft state during the next review cycle.
Q: Do I need to set up a connection for each cloud provider separately?
A: For each cloud provider, you register a Microsoft Azure active directory (AD) app or a Google service account, configure OAuth scopes, and set up the spoke connector in IntegrationHub. Multi-site SharePoint requires Microsoft Azure API permissions for each site.
Q: What audit trail is available?
A: We provide a two-layer audit:
- Layer 1 is ServiceNow workflow history (state transitions, approvals, timestamps).
- Layer 2 is the cloud provider's native revision history (O365 or Google Drive stores every document change).
Q: How long does an OAuth token remain valid, and what happens when it expires?
A: OAuth tokens are cached and refreshed automatically by the IntegrationHub spoke. Refresh tokens allow background renewal without user re-authentication. If a token expires and can't be refreshed, ServiceNow halts document operations and logs an error in the GRC Cloud logs. Regenerate the token via the credential record's 'Get OAuth token' action to re-authenticate.
Q: What specific API permissions does the Document Service Framework require, and can I use least-privilege scopes?
A: Least-privilege scopes depend on the cloud provider.
- Microsoft OneDrive requires Files.ReadWrite (not All). SharePoint requires Sites.Read.All for site metadata.
- Google Drive requires Drive scope for full redlining. Broader scopes (e.g., Files.ReadWrite.All) work but violate security best practices. Grant only the minimum scopes required and add them in both Microsoft Azure AD and the ServiceNow Application Registry OAuth entity record.
Q: How real-time is document synchronization between Microsoft O365 and ServiceNow? What's the refresh interval?
A: Sync is near-real-time when users interact with the document in ServiceNow (e.g., fetching redlined content). Content changes in O365 Word are immediately available. ServiceNow polls for updates on policy text sync via the Document Service Framework's scheduled flows (typically every few minutes). No manual refresh needed, but heavy edit volumes in O365 Word may briefly lag in the ServiceNow UI before the next sync cycle.
Q: What happens when multiple contributors edit the same policy document simultaneously in O365 Word, and how are conflicts resolved?
A: O365 Word handles simultaneous edits via co-authoring on OneDrive/SharePoint. ServiceNow tracks who made which change and when via the document access records (sn_irm_shared_cmn_document_access table).
When syncing content back to policy_text, ServiceNow merges edits based on timestamp and change ownership. In rare conflicts, the most recent accepted edit wins. Always review tracked changes in Word to avoid losing review comments.
Q: Can policy authoring workflows be automated or integrated with existing approval processes and routing rules?
A: Yes. ServiceNow's workflow automation (Flow Designer, workflows, business rules) can trigger on policy state changes (draft → pending approval). You can route documents to specific approvers based on policy type, owner department, or regulatory scope. Document access updates (adding/removing contributors, reviewers, approvers) are managed using business rules and automatic access grants tied to workflow state transitions.
Some useful resources
Policy Authoring & Redlining with Office 365 and Google Drive (video tutorial on YouTube)
Policy and Compliance Management
Policy Authoring and redlining in the Compliance workspace
Prerequisites to enable policy redlining
Create a policy document in Microsoft SharePoint
Create a policy document in Microsoft OneDrive
Authentication and document access in policy authoring
Complete publishing checklist and request approval
Set up Microsoft OneDrive spoke
Full personal-authentication setup steps: KB3075954 (Now Support login required)
Integrate the ServiceNow instance and your Microsoft Entra account
Community and enablement
- ServiceNow GRC Community — Speed Learning articles and recorded webinars
- IRM Policy and Compliance Mgmt. Process Guide on Best Practices portal (formerly Now Create)
For more information, visit the ServiceNow IRM Policy and Compliance Management Product Documentation or join the GRC Community to discuss policy governance with other ServiceNow practitioners.