Automating Entity Creation from CMDB Tables in Legacy GRC

thomasanton · 3 weeks ago

Hi everyone,

We're currently working with a legacy version of ServiceNow GRC and have started leveraging Entity Types and filters to create entities from two CMDB tables:

Business Applications (cmdb_ci_business_app)
Application Services (cmdb_ci_service_discovered)

We've defined entity types for each and are using filters to generate entities based on attributes like environment, location, and service tier. This has helped us build a more structured view of our risk landscape.

However, we're now looking to automate the creation and maintenance of these entities—especially as our CMDB grows and changes frequently. Since we're not yet on the latest GRC version with Composite Entities, I'm wondering:

What are the best practices for automating entity creation in legacy GRC?
Can we use scheduled jobs, scripts, or flows to dynamically generate entities from filtered CMDB data?
Has anyone implemented a similar setup and found a scalable solution?

Any guidance, examples, or documentation links would be greatly appreciated!

Best regards,

Thomas

Matthias Ferstl · 3 weeks ago

So lets try to troubleshoot that:

Your filter finds objects meeting the condition✔️
Your Entity Type is active ❓
Checking the conditions of the UI might bring us one step closer. Conditions are:
- current.need_update &&
- gs.hasRole('sn_grc.manager') && -> I assume you are logged in as (at least) grc_admin
- !current.processing_profiles
- Check XML of a entity type
If you cant find a hint there, also check your prerequisites for the item generation queue, because if there are still no entities its the next step to check if a missing one is blocking the process: Using the item generation process to generate controls and risks

Please mark answers (not only mine) as helpful if they were
and "accepted solutions"This motivates others to take part, post solutions and find answers. Thanks! - Mat

Rafael Cardoso · 3 weeks ago

I will try to answer your questions individually.

Since we're not yet on the latest GRC version with Composite Entities. What should be the way?
Composite Entities is a very complex plugin that completely changes how entities work. It was designed for advanced and complex scenarios. Since you’re still getting started, my advice is to stick with the basic setup for now.
What are the best practices for automating entity creation in legacy GRC?
When automating entity creation in legacy GRC, the best practice is to use the Entity Type with an Entity Type Filter which allows entities to be automatically generated based on specific conditions. It is essential to ensure that the CMDB data is accurate and up to date, particularly key attributes such as Owner and Active status. Keep in mind that if a CMDB record becomes inactive the corresponding entity in GRC will automatically be retired helping to maintain alignment between the systems.

My advice is to make a diagram and verify what is the level of granularity you need. Sometimes been specific makes it easier to maintain. By been specific and not too generic you can enable a more precise filtering and avoid unnecessary entities.
Has anyone implemented a similar setup and found a scalable solution?
Yes. You want Business Applications and Applications Services right?

I would start to use the filters:
active = true
install_status = In Production
managed_by is not empty
it_application_owner is not empty
support group is not empty
supported by is not empty

After reviewing the results, if you’re still getting too many records, refine the filter conditions. Narrowing the criteria helps ensure that only the intended entities are created, keeping your GRC system clean and accurate.

Raf

Helpful post? Don’t forget to bookmark it, give it kudos, or mark it as the answer to help the community grow!