Fill assessment instance from catalog item variables

jwalk_yota · ‎10-29-2024

I have a catalog item that triggers a risk identification under certain conditions. The goal is to have the catalog item variables fill the questions on the assessment, as they are a 1:1 match. Wrote an afterUpdate business rule to accomplish this, but seeing the output of the values after running it as numerical values. And no changes reflected on the form. How can I get this to work, or what am I missing? Any help is appreciated, business rule below.

(function executeRule(current, previous /*null when async*/ ) {

gs.info( "JW - Entered RIsk ID Rule");

//set requested item variable == correlation ID

var ritmID = current.u_correlation_id;

// start the query, match correlationId and sys_d

var ritmGr = new GlideRecord('sc_req_item');

if (ritmGr.get(ritmID)) {

var questionGr = new GlideRecord('asmt_assessment_instance_question');

questionGr.addQuery('instance', current.sys_id);

questionGr.query();

while (questionGr.next()) {

gs.info("JW - entered question loop assessing question with metric " + questionGr.metric);

if (questionGr.metric == "c64629101bcd9214b9d9c917624bcbb0"){ //enforce use of mfa

// questionGr.value = ritmGr.variables.mfa_auth;

questionGr.value = "yes";

questionGr.update();

gs.info("JW - mfa filled " + ritmGr.variables.mfa_auth);

gs.info("JW - mfa update " + questionGr.value);

}

else if (questionGr.metric == "0ac336ba1b4d56d0b9d9c917624bcbd5"){ //solution architect

// questionGr.value = String(ritmGr.variables.v_crm_application_solution_architect);

questionGr.value = "JW";

questionGr.update();

gs.info("JW - solution architect filled " + ritmGr.variables.v_crm_application_solution_architect);

gs.info("JW - sa update " + questionGr.value);

}

})(current, previous);

Phil Swann · ‎10-30-2024

Its kind of a nice idea, but I don't know if this is something I would suggest.

One thing to consider is the impending Smart Assessments, so you should be prepared for that.

And ultimately: WHY?

What is the use case for triggering via catalog?

Risk identification is expected to follow a certain lifecycle, typically based on entity creation.

How does this customisation of the workflow honour the same?

Once the Risk Identification is created and the info gathering questionnaire is triggered, then you need to start handling lookups and metrics and the fact is the metric type and all of its dependencies can (and should be able to) change... so hardcoding that back to the catalog item is going to create a maintenance burden.

Is it possible? Yes. (The number references for the values stored in asmt_assessment_instance_question is the easy part!).

But, why do we think it necessary?

View solution in original post

Phil Swann · ‎10-30-2024

Its kind of a nice idea, but I don't know if this is something I would suggest.

One thing to consider is the impending Smart Assessments, so you should be prepared for that.

And ultimately: WHY?

What is the use case for triggering via catalog?

Risk identification is expected to follow a certain lifecycle, typically based on entity creation.

How does this customisation of the workflow honour the same?

Once the Risk Identification is created and the info gathering questionnaire is triggered, then you need to start handling lookups and metrics and the fact is the metric type and all of its dependencies can (and should be able to) change... so hardcoding that back to the catalog item is going to create a maintenance burden.

Is it possible? Yes. (The number references for the values stored in asmt_assessment_instance_question is the easy part!).

But, why do we think it necessary?

jwalk_yota · ‎10-30-2024

Short answer for why this is coming about: stakeholders want it.

Longer answer, moving from another platform to ServiceNow and they have a lot of manual processes that also require user interaction. We have a security team that requires the application owners to be able to submit a catalog item with details about their application. They submit this for new CIs, changes to the application, or for like a yearly realignment or something like that. They used this catalog item to determine which applications are their "crown jewels" which require some additional attestations. The original plan was to remove the catalog item, and just have the risk identification assessment take its place, but that security team complained enough to management that it was changed to "make the catalog item trigger a risk identification and autofill the assessment". I have figured out the original issue, so I'll accept your solution since it was the only one. I was trying to update the actual assessment instance question instead of adding an assessment metric result.

jwalk_yota · ‎10-30-2024

I believe you are correct, and I would rather not have to do this, as for the why:

Short answer: stakeholders want it.

Long answer. We have a security team that uses the catalog item when a new CI is created, changed, or needs to be reassessed yearly or whenever. The "crown jewel" status of the application changes based on the answers and that changes what attestations are needed. You might be thinking, that sounds like what the assessments do. The original plan was to have the risk ID assessment handle this, but the security team needed the catalog item for their users to be able to come in and signal that they are making an update, or changing the app in some way. So it became, "make the catalog item trigger the risk ID flow and autofill the questions".

I have since figured out the issue. I was trying to update the actual question instead of adding a new assessment metric result. So now I can accomplish this task, regardless of what the down the road implications are.

Phil Swann · ‎10-30-2024

So perhaps the answer here, is that the catalog item should indeed be used to update and manage the attributes for the source record.

Annd then, as a result of that, perhaps you want to trigger the Risk Identification workflow again.

You could prepopulate the information gathering with the previous answers, and even populate the default answers with a script so that could come from the source record in the first place...