Clean up GRC Profiles and Profile Types

JahanzebB
Mega Guru

We are in the process of re-invigorating our GRC Data. As a part of this, we need to clean up the GRC Profiles and GRC Profile Types. 

As an example, we have 4 Profile Types and 40,000+ Profiles under each profile type. There are several items that are repeated with the same profile name.

 

Are these auto-generated by a script? How do we clean up the profiles and avoid generating thousands of records?

https://docs.servicenow.com/bundle/kingston-governance-risk-compliance/page/product/grc-policy-and-compliance/concept/profiles-policy-compliance.html

Thanks,

JB

 

1 ACCEPTED SOLUTION

Is there any chance that GRC was installed prior to the Istanbul version? There were major architectural changes made in that version that require a migration. There are even docs on how to migrate - here is a link to those:

https://docs.servicenow.com/bundle/istanbul-governance-risk-compliance/page/product/it-governance-ri...

I think I agree with you on the filter that was built - that looks like an infinite loop.  I do not understand why it would have been built that way.

What I would do is to first inactivate those four Profile Types. Do that by deleting the Profile Filter on each of those Profile Types.  If you don't do that, then when you do what I am going to tell you next - I think it will just start regenerating the profiles.

Next you want to go to the All Profiles module and delete (yes, hard delete) all the profiles. I would do this in small batches - because there is a lot of processing that is going to happen when you do this. I just deleted 3 profiles from my test system from the list view - and I got this pop-up message:

[Image: screenshot of the pop-up message]

So, what it is going to do is go and retire these 7 risks and 12 controls.  That is what will happen on your system.

 

Best Practice for Profile Types is a long conversation. It varies by customer and what you are trying to do. Maybe over the holidays I will write an article on how to select what you will use for Profile Types and why. In general, the Profile Type should represent the groups/people that will be managing/owning the controls and risks. That could be based on departments, or locations or servers or applications, etc. Lots of choices.


Jan, 

 

Thank you so much for the additional information. I verified and our Production instance does not use the legacy GRC plugin. I believe the legacy GRC plugin ID is (com.snc.governance). Here is what we have for active Plugins.

 

[Image: screenshot of the active plugins]

 

The steps for inactivating the Profile Types and cleaning up the data were exactly what I needed. I can now see where you were going with the question on retiring Controls and Risks. The short answer is, yes, we plan on retiring all of the Controls and Risks currently in our Production instance.

As you can probably figure out from our infinite loop scenario, we have several thousand Controls that will be retired. 

 

I have a much better understanding of what tables can be used to build the profiles. Also took a look at some of the Profile Types created within ServiceNow demo data. So if we develop Policy Statements around information security, then I believe including profile types that are related to CMDB Data Centers, Servers, etc would be a good Profile Type. 

So if I understand this correctly, the goal should be to line up Profile Types with Groups, System Owners, Systems, etc that could be included in an audit plan. By using GRC, we can confirm these Profile Types meet requirements defined in our Policy Statements and the Controls defined for our organization are effective. Let me know if I missed something here.   

 

 


 

Thanks again,


JB

Sounds like you are on a good path!

Hi, wondering if this is still the best way to clean things out for a New York implementation? Wanting to clean up a Dev system as learning takes place. 

 

jing3
Mega Guru

Yes, profiles are autogenerated via Profile Type. Adjusting the "profile filter" for each profile type will reduce the number of active profiles (it will mark those no longer needed as retired). When you adjust the existing profile filter, you can use the refresh to view the change. The clean up may take some time for the background script to complete. Or you can experiment with the process by creating a new profile type and adjusting the profile filter to control the number of new profiles created.

Jing