How to Bypass Entity-Based Access for Specific Use Case in Risk Statement Table (GRC Application)

PANKAJ MAHTO1
Tera Expert

Question:

Hi Everyone,

We are currently working on enabling Entity-Based Access (EBA) for a client in the ServiceNow GRC applications — specifically for Risks, Issues, and Risk Events.

At present, ACLs are configured based on group hierarchy, which controls the accessibility of Risks, Issues, and Risk Events.

We have now implemented and validated Entity-Based Access Management in our sandbox environment, and it is functioning as expected.
Under this configuration, users who are part of the Entity Owner Group or other Groups defined on the Entity can access all Entity-related records — including Risks and their downstream items (Issues and Risk Events).

Requirement:

We have a specific business requirement for the Risk Statement table.

  • Each Risk Statement record has an Owning Group and a Risk Statement Owner.
  • The users belonging to the Owning Group should be able to view all Risks associated with that Risk Statement, even if they do not fall under the Entity hierarchy defined by Entity-Based Access.

In other words:

For all other tables (Risks, Issues, Risk Events), Entity-Based Access should continue to apply normally.
But for the Risk Statement use case, users who belong to the Owning Group of a Risk Statement should have visibility into all related Risks, even if they do not satisfy the Entity/Downstream criteria defined by EBA.

Current Behavior:

Currently, under Entity-Based Access, users in the Risk Statement Owning Group can only view those Risks that pass the EBA checks (i.e., that belong to entities where they have access). Risks outside their entity scope are not visible to them.

Question to the Community:

What would be the best way to implement this exception for the Risk Statement use case?

  • Is it possible to extend or override EBA logic for the Risk Statement table only?
  • Would a custom ACL or script include extension be a recommended approach?
  • Are there any best practices or platform-supported methods to allow this type of conditional access (EBA + additional group-based access)?

Any suggestions or implementation examples would be greatly appreciated.

@Chuck Tomasi @GRC

Thanks in advance,
Pankaj