Entity Based Access

manikandank3877
Tera Contributor

Hello experts,


I’m setting up Entity-Based Access in GRC and running into a weird issue.

  I’ve done the following so far:

  • Installed the Entity-Based Access plugin

  • Enabled the property: sn_grc_ent_access.enable_entity_based_access

  • Created an Entity Access Configuration for the Entity Owner 

But even with all that, everyone can still see all the entities, not just the owners. 😕

Is there something else I need to do? 

 

2 REPLIES

SrinivasMeV
ServiceNow Employee

Hi @manikandank3877 

The Entity-Based Access feature does not restrict visibility of the entities themselves. Instead, it is designed to control access to records that are related to those entities—such as risks, issues, controls, and similar items.

This means that even after enabling the configuration, all users will still be able to see all entities.

Example:
If you configure access for the entity "Finance Department" and assign access only to the entity owner, then activate the configuration and apply record-level restrictions (e.g., via bulk update), only the owner of the Finance Department entity will be able to view the related records—such as risks, controls, risk response tasks, and issues.

However, the entity "Finance Department" itself will remain visible to all users. This is because the access restrictions apply only to the related records, not to the entities themselves.




christophenow
Tera Expert

Have a look here to have a good overview: What's New in Zurich: Entity-based access (EBA) in Risk

And also the Documentation: Entity Based Access

Store: GRC: Entity Based Access - ServiceNow Store

 

Also note that with the last version, 20.1.4 from Dec 2025, you can finally easily set up record attribute user access, in addition to Entity Based Access. (These are exceptions that can see the record, even if EBA is activated.)