auto-generated controls created as published instead of draft, likely caused by ScriptInclude
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
7 hours ago
When creating controls through the default GRC framework in ServiceNow, newly generated controls appear in the published state instead of draft, despite no customisations to the process.
Analysis of the environment shows
No dictionary-level overrides directly affect the state.
Business rules (e.g., “handle control generation”) do not explicitly set the state.
No flows or policies trigger automatic state changes.
Controls are not imported from external sources or templates.
Manual creation of a control correctly defaults to draft, suggesting the issue occurs specifically during automatic generation.
Observed Cause
The default script include RiskGeneratorV2StrategyBase (and related GRC script includes) appears to be involved in the automatic control generation process. The exact configuration or logic within these out-of-the-box script includes that causes generated controls to default to published rather than draft remains unclear.
Does anyone know how I could solve this? I want my controls to be created in state "draft".
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
6 hours ago
Hi @M4XMU3
When controls are created automatically (through Risk Statements, Control Objectives, or Test templates), the state doesn’t follow the dictionary default or manual “draft” logic. Instead, the state comes from the generation strategy implemented in the script includes — specifically the RiskGeneratorV2StrategyBase and its subclasses (like ControlGeneratorV2Strategy).
That’s why your analysis showed:
- Manual creation = draft (dictionary default respected).
- Automatic creation = published (logic from script include overrides).
Why this happens
Inside these OOTB script includes, there’s a method that does the control record creation. During that process:
- The record is inserted without relying on the table default.
- The state is explicitly (or implicitly via default payload object) set to "published".
This is intentional from ServiceNow’s perspective, because generated controls are assumed to be “ready for assessment” once tied to risk statements.
Options to Fix / Work Around
- Dictionary Default Won’t Help
You already saw this — because the script include payload bypasses the dictionary default. - Business Rule Intercept
Create a before insert Business Rule on the sn_compliance_control (or scoped equivalent) table:
(function executeRule(current, previous /*null when async*/) {
if (current.operation() === 'insert' && current.isNewRecord()) {
if (!gs.isInteractive()) { // only for generated controls, not manual UI inserts
current.setValue('state', 'draft');
}
}
})(current, previous);
This ensures only system-generated controls (non-interactive) get reset to draft.
