GRC Control Attestation Delegation

SanjivMeher
Kilo Patron

Hello Experts,

Has anyone come up with a solution to delegate an attestation to another person when he/she is not available?

I have checked with ServiceNow, and they confirm they don't have that option out of box.

So I wanted to check, if anyone has a custom solution.

 


Please mark this response as correct or helpful if it assisted you with your question.

Khang1
Mega Expert

Since this feature is not available with baseline product, in our company, we configured a new field called 'Control SME/Delegate' right underneath the 'Owner' field, and referenced to the 'sys_user' table. See pic below.

You can create an OnChange UI script in the Control table to automatically add the user in the 'SME/Delegate' field (if it's not empty) to the Attestation Respondent field. This way you will have both the owner and the delegate as attestation respondents.

Be cautious: the way ServiceNow works now, if you have both the Owner and the SME/Delegate as attestation respondents, they BOTH have to take the assessment to complete the attestation. It's not that one completes it and the other doesn't have to do it. There is no way around that that I know of. In such a case, an option is to update the UI script above to remove the original owner from the respondents when an SME/Delegate is available.

Last note: make sure you DON'T modify any baseline fields or UI scripts as part of development. Otherwise you might impact the ability to upgrade those fields/scripts in new versions.

 


I ended up creating a field in profile and control called Delegates. It is a List field.

And in the attestation, if the user is a delegate, I am giving them option to 'Own Control' and 'Own Attestation' as a UI action. 

That way, I didn't have to create multiple attestations.


Please mark this response as correct or helpful if it assisted you with your question.

Ashik3
Tera Expert

Hi,

We made this by creating an owning group on the attestation. This gets populated from the control owning group and any member of the group can respond to the attestation.

Let me know if you need further help.

Regards,
Ashik

How much customization did you make to get this done? To allow an attestation to be responded to by a group, I am sure you would have updated some of the core functionality of attestations.


Please mark this response as correct or helpful if it assisted you with your question.

Maros Takac1
Tera Contributor

One way to accomplish this, until an out-of-box solution has become available, would be as follows:

1. Create a new field on the assessment_instance table (List type field; call it Delegates, Users, whatever).

2. Create a new table "Attestation Delegates" with the same fields as the "sys_user_delegate" table; exclude checkbox type fields as you don't need them. You can also add Control Objective, Metric Type and/or Profile reference fields to create a delegate for any of those specific entities.

3. Delegate field could be either static or scripted if you need to fetch a delegate from some complex table relationships.

4. Create an insert business rule on the "asmt_assessment_instance" table which would essentially do a lookup from your custom table. If one or many delegates are found, add them to an array which would then be pushed to your new custom Delegates field.

5. Modify "My Attestations" application module link to also include your new field: if current user is equal to "Assigned To" or your new field contains current user ID

6. Check a read ACL on asmt_assessment_instance to make sure that a user contained within your new field can also read attestation records

7. If you want to, create a new UI action in the GRC_Attestation View which would allow a delegate to re-assign an attestation to themselves.

 

I would advise against creating any new field on the sn_compliance_control table. More importantly, you should not use multiple attestation respondents because that would create multiple attestation instances for the purpose of gathering evidence from multiple sources in order to confirm that a respective control is in fact in place.

Any questions, let me know 🙂
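Added example, not part of the reply above and not ServiceNow or poster code: a plain-JavaScript model of the lookup in step 4 and the visibility condition in steps 5 and 6, so the matching rules can be checked outside an instance. The `user`, `delegate`, `starts` and `ends` names are modelled on sys_user_delegate; the `metric_type` scoping column, the `delegates` list field, the function names and all sample rows are assumptions constructed for illustration.

```javascript
// Constructed sample of the custom "Attestation Delegates" table (step 2).
// Dates are ISO strings here for simplicity; an empty metric_type means "any".
const DELEGATE_ROWS = [
  { user: 'alice', delegate: 'bob',   starts: '2024-01-01', ends: '2024-01-31', metric_type: '' },
  { user: 'alice', delegate: 'carol', starts: '2024-01-10', ends: '2024-02-10', metric_type: 'soc2' },
  { user: 'alice', delegate: 'dave',  starts: '2023-11-01', ends: '2023-12-01', metric_type: '' },
  { user: 'alice', delegate: 'alice', starts: '2024-01-01', ends: '2024-12-31', metric_type: '' },
  { user: 'erin',  delegate: 'bob',   starts: '2024-01-01', ends: '2024-12-31', metric_type: '' },
];

// Step 4: decide which delegates belong in the new list field for this instance.
function resolveDelegates(instance, rows, today) {
  const found = new Set();
  for (const row of rows) {
    if (row.user !== instance.user) continue;             // someone else's delegation
    if (row.delegate === instance.user) continue;         // self-delegation adds nothing
    if (today < row.starts || today > row.ends) continue; // outside the delegation window
    if (row.metric_type && row.metric_type !== instance.metric_type) continue; // scoped elsewhere
    found.add(row.delegate);                              // Set removes duplicates
  }
  return [...found].sort();
}

// Models the insert business rule: fill the list field before the record is saved.
function onInsert(instance, rows, today) {
  return { ...instance, delegates: resolveDelegates(instance, rows, today) };
}

// Steps 5-6: one condition shared by the module filter and the read ACL.
function canSeeAttestation(userId, instance) {
  return instance.user === userId || instance.delegates.includes(userId);
}
```

Because the list is filled only on insert, a delegation that expires later stays on the record until something clears it; re-checking the window in the read ACL would close that gap.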