
Can one entity have multiple classes?

Varun Sai
Tera Contributor

We are working on a solution in IRM where I have to create an entity type and an entity filter to generate entities from CMDB table based on company and class like Business application. But there is already an OOTB Business applications entity type which has all the entities generated for Business applications. 

The entities generated have picked the OOTB business application entity class and this entity class has 'IT Risk Assessment' as the Primary risk assessment methodology. I built a separate RAM and I want to update that as the Primary risk assessment methodology on the Business Application entity class.

My question is: if I get requirements for a different RAM risk scoring on these business application entities, how will I change the Primary risk assessment methodology, as it has only one RAM updated at entity class level?

Even though we can create multiple entity types and entity filters and generate entities, the entity can have only one entity class, which picks up the RAM to do the assessment on.

How to better solution this, as we will have different Business application entities and may have more than 2 RAMs built based on the requirement of Risk scoring logic? How to make the entity pick the class with which we have the Entity class Primary risk assessment methodology?

 


 

@Jan Spurlin adding you for your visibility, if you can review once.

 

1 ACCEPTED SOLUTION

Jan Spurlin
ServiceNow Employee

@Varun Sai - I think a few details about the primary risk assessment info that appears on the entity may help.

 

While looking at an entity there is a primary RAM identified, but that does not mean that this is the ONLY RAM that can be used for this risk.

On the RAM, you can identify multiple classes that can use that RAM. So, you can have multiple RAMs that can be used to assess risks that have entities in the Business Application class.

 

If you are looking at the assessments for an entity on the platform you need to add a column - to the "Risk assessments" related list.  Add the risk assessment methodology value.  This is done for you if looking at the entity on the workspace (see image).

In this example I have an entity that is in the class of company - and I have assessed it using two different RAMs. They both show up in the related list.  And on the Aggregated risks related list you will see a summary of these two different RAMs.

The purpose of the fields for the primary RAM that are ON the entity record is because if someone wants to know the risk of an entity - there is no way to combine risk ratings from different RAMs. That would be like trying to combine apples and oranges. So, they needed to identify which rating methodology was the best one to look at if wanting to know the risk of that entity.  The other information is available in the related lists.

 

Let me know if that helps.

 

 


4 REPLIES


Varun Sai
Tera Contributor

Thank you very much for the explanation @Jan Spurlin. One more question: I have seen we can have as many entity types with different entity filters, but only one entity will be generated and added under the entity type related list.

Hope I made sense: if we take the Business applications table and create multiple entity types with different entity filters, the entity would have been generated, but it just shows under all the entity types we have created.

I have seen when testing that if there is no Risk Assessment methodology defined at entity level under the Aggregated Risk scores related tab, it's not picking the Risk assessment methodology on the Risk.

 

I'm not sure I understand your last statement.  Let me take that statement apart and maybe you can clarify for me.

If there is no RAM defined at entity level (what do you mean by entity level?) RAMs are defined for entity classes. And every entity has ONE class. 

- For example, look at this scenario: an entity called "MS Outlook" has the entity class "Business Application" assigned to it.

- If there are no RAMs where the entity class "Business Application" is listed in the Applicable entity classes field on a RAM, then any risks where MS Outlook is the entity will not be able to be assessed.

 

And the second half of that sentence is confusing - Aggregated risk scores appear on the risk statement, not the risk. And if no risks for that risk statement have been assessed, then nothing will appear on the risk statement.

Tessa_Young_27
Tera Contributor

I want to make a few entities false, but they are associated with 2 entity types. Between the 2 entity types, 1 is active true and one is active false. Because of the 2nd entity type active true, I'm unable to make them false. Could you please help with how to make them false?