Configuration Item in Policy Exception

David Boom · ‎02-03-2025

Hi,

On policy exception form, there is a field to select Configuration Item. What relevance this field have in lifecycle of policy exception?

Sandeep Rajput · ‎02-03-2025

@David Boom

The Configuration Item (CI) field on a Policy Exception Form is relevant because it helps track which IT assets (applications, servers, databases, etc.) are impacted by the exception Its relevance in the lifecycle of the policy exception includes:
1. Identifies which CIs are affected by the exception.
2.Some exceptions may require different levels of approval depending on the criticality of the CI.
3. Enables tracking of exceptions at the CI level, useful for audits and compliance reviews.
4. When the policy exception expires, the CI details can be used to verify if the system has returned to compliance.
5.Ensures consistency in tracking policy exceptions against enterprise assets.

David Boom · ‎02-03-2025

Thanks @Sandeep Rajput for the quick response. How can we select multiple CI's in one go? Is it ok to make custom field with list type? With that disturb any OOTB functionality.

Connor Levien · ‎02-04-2025

@David Boom generally you are better placed to make entities for the CIs, and requirements from the policy as controls for each of the entities. That is the OOTB intended design for policy exemptions.

The CI field on the exemption is something that comes from the Core Task table which it extends and isnt normally used in the process. Following the approach I defined above takes advantage of more of the IRM capabilities and allows for multi selecting of controls which allows you to tag multiple CIs

Tom_T · ‎02-10-2025

Always depending on what the current use case/sveanrio is. But I do agree that assigning risks to entity types is a good way to assign a risk to a group of CIs that have the same characteristics and are impacted by the risk.

See ServiceNow documentation for more details -> Entity Scoping