GRC/IRM Question: Configure GRC User Hierarchy Configuration

Joshua Camacho
Tera Guru

Hello,

I have an ask from a client: they are requesting that viewing issues be limited to the Assigned to and their manager and the Issue Manager and their managers (with the exception of the overall compliance admin and manager). The user in the "issue manager" field is NOT always the "assigned to" user's direct manager.

 

The question: How do I configure the GRC User Hierarchy property to look at the user that is in the "assigned to" field on the issue record, the user listed in the "manager" field on their user record, allowing the Manager of the "assigned to" user to view the record(s) that their employee(s) are working on?

 


 

I have looked at some of the documentation for a custom table but am unsure how or if this could help with my problem. I am more of a visual learner and resources are pretty short for this specific configuration, so any help would be great. Thank you

 


Community Alums

Hi @Joshua Camacho ,

Before you do any customization, you should understand the importance of those fields and why we need them.

Please note that the Issue manager field is not for users who are the manager of any user!

Assigned to field is based on Assignment group.

Assignment group: Group to which this issue has been assigned. Each member gets a notification when an activity happens on this issue.
Assigned to: Member of the group assigned to resolve the issue.

Starting with Version 12.0.1, the user must have at least the sn_grc.business_user role.

Note: Use the bulb icon to get suggestions on who the issue must be assigned to. The bulb icon only appears if you have the GRC: Predictive Intelligence application activated, the form is saved, the Assigned to field is not inactive, and the GRC Property is selected as Similarity Analysis. For more information, see .

You can configure a hierarchy of users to access the issue record. For more information, see User hierarchy access control for issue and remediation task records.

Starting with Version 12.0.1, the assigned-to user gets an email notification when the issue manager requests more information.

Starting with Version 12.0.1, when an issue transitions to the Respond state, an entry in the Assigned to field is mandatory.

Issue manager group: The group responsible for managing and reviewing the issue.
Starting with Version 12.0.1, the following enhancements and requirements were introduced:
  • Members of the issue manager group must have one of the following roles:
    • sn_audit.manager
    • sn_audit.user
    • sn_compliance.manager
    • sn_compliance.user
    • sn_grc.manager
    • sn_grc.user
    • sn_risk.manager
    • sn_risk.user
  • When an issue transitions to the Analyze state, an entry in either the Issue manager group or Issue manager field is mandatory.
  • When an issue is assigned to the group, the members receive an email notification. Additionally, the issue manager receives an email notification when the issue transitions to the Review state.
Issue manager: The user responsible for managing and reviewing the issue.
Starting with Version 12.0.1, the following enhancements and requirements were introduced:
  • The issue manager must have at least the sn_grc.user role.
  • The issue manager receives an email notification when the assigned-to user provides requested information.
  • When an issue transitions to the Analyze state, an entry in either this field or Issue manager is mandatory.
  • When an issue transitions to the Respond state, an entry in this field is mandatory.

 

If you want to create a customized approach of getting the Assigned to user's manager in Issue manager, it doesn't make sense.

 

Harihara Subra1
ServiceNow Employee

Hi @Joshua Camacho ,

 

Here are the key steps to enable User hierarchy based access:

  • 'Enable user hierarchy access control' must be turned on in GRC Properties
  • Define User hierarchy configuration (which I see is defined as per your screenshot)
  • Check if the ACLs reference the User hierarchy

For more info: https://docs.servicenow.com/bundle/utah-governance-risk-compliance/page/product/grc-common/concept/u...

 

Please let us know if you need more help in understanding anything specific.

Thanks and regards,

Hari

Hello @Harihara Subra1, the user hierarchy configuration is the OOB config and I haven't changed it. I looked at the link you provided and the hierarchy example pictured is what I am after in regard to GRC Issues. How do I set up the "User Hierarchy field 1" to look at the "sys_user.manager" field, allowing the manager of the "Assigned to" to view the Issue their employee is assigned? Do I have to modify the Dictionary entry? Is it just an ACL change? Do I need to change anything at all? To add to it, when I use the OOB configuration and impersonate a user who is assigned to an issue, they are able to see the issues of other individuals who have no hierarchical relation to them. The "assigned to" should only see what they are assigned, and if they have a direct report, they should see their issues. I apologize and appreciate your patience. Thank you
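
The visibility rule requested in this thread (the assigned-to user, the issue manager, anyone above either of them in the sys_user manager chain, plus a compliance exception), modelled in plain JavaScript as an added example that is not part of the original posts and is not ServiceNow configuration. It can act as an oracle for impersonation test results. The user names, issue numbers, exempt roles, field names and `observed` results are constructed assumptions.

```javascript
// Added example: a plain-JavaScript model of the requested rule, not ServiceNow code.
// Users, roles, issues and the "observed" results are constructed sample data.
const EXEMPT_ROLES = ["sn_compliance.admin", "sn_compliance.manager"]; // assumed exception roles

const directory = {
  // user -> value of the "manager" field on their user record
  managerOf: { alice: "bob", bob: "carol", carol: null, dave: "erin", erin: "carol", gina: null },
  roles: { gina: ["sn_compliance.admin"] },
};

const issues = [
  { number: "ISSUE-A", assigned_to: "alice", issue_manager: "erin" },
  { number: "ISSUE-B", assigned_to: "dave", issue_manager: "erin" },
];

// Managers above `user`, nearest first; stops at maxLevels or on a reporting loop.
function managerChain(user, managerOf, maxLevels) {
  const chain = [];
  const seen = new Set([user]);
  let current = managerOf[user];
  while (current && chain.length < maxLevels && !seen.has(current)) {
    chain.push(current);
    seen.add(current);
    current = managerOf[current];
  }
  return chain;
}

// True if viewer is exempt, is the assigned-to or issue manager, or sits above either one.
function canViewIssue(viewer, issue, dir, maxLevels = 5) {
  if ((dir.roles[viewer] || []).some((r) => EXEMPT_ROLES.includes(r))) return true;
  return [issue.assigned_to, issue.issue_manager].filter(Boolean).some(
    (u) => u === viewer || managerChain(u, dir.managerOf, maxLevels).includes(viewer)
  );
}

// Compare what each impersonated user actually saw with what the rule allows.
function findOverexposure(observed, issueList, dir) {
  const findings = [];
  for (const [user, seenNumbers] of Object.entries(observed)) {
    for (const issue of issueList) {
      if (seenNumbers.includes(issue.number) && !canViewIssue(user, issue, dir)) {
        findings.push(`${user} can see ${issue.number}`);
      }
    }
  }
  return findings;
}

// Constructed impersonation results: alice sees an issue outside her hierarchy.
const observed = { alice: ["ISSUE-A", "ISSUE-B"], bob: ["ISSUE-A"], carol: ["ISSUE-A", "ISSUE-B"] };
console.log(findOverexposure(observed, issues, directory));
```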

Hi @Joshua Camacho ,

 

Once you enable user hierarchy access control in GRC Properties, User hierarchy based access must start working on Issues based on a Job since the configuration already exists. May I ask what your observation is in your environment?

 

Thanks & regards,

 

Hari