is GRC Business User and Lite User Licenses are separate from GRC operator user licenses

ShafrazMubarak
Giga Guru

‎03-04-2025 02:38 AM

Hi,

 

Is GRC Business User and GRC Business User Lite user roles are part of GRC Operator licenses? (as per the contract it is mentioned as GRC operator which i believe this is GRC users) 

 

We have requirement to extend our GRC features and grant business user or business user lite roles to all employees of the organization so that they can submit risk event, ask for a policy exception, attend a control issue, be an entity owner and etc, So, we have a doubt whether these user roles are part of our existing contract number of GRC licenses or we need to separately purchase this license? 

Any rough idea of cost of these licenses? (I know i have to reach to account executive of servicenow, just wanted to get a clarification from the community before reaching out to them)

 

0 Helpfuls
  • 783 Views
2 REPLIES 2

Community Alums
Not applicable

‎03-04-2025 04:36 AM

Hi @ShafrazMubarak ,

Since you have already raised it with account executive of servicenow, they are the best person who can talk though this discussion. As, licensing varies company to company.

 

 

0 Helpfuls

HenkHeath
Tera Expert

‎03-04-2025 02:17 PM

Hi @ShafrazMubarak 

 

I agree with @Community Alums, it is a conversation you need to have with your account exec, but as a guide;

 

Neither GRC Business User nor GRC Business Lite form part of the GRC Operator licenses.  

View these 2 roles as merely fulfiller roles that will conduct the task-based activity (attestation / Risk assessment /Remediation task...) IF and WHEN assigned to them, and they will conduct the activity in ESC.  They do not have access to the GRC Workspaces.

 

In simple terms the GRC Operator tend to be individuals who will have access to the relevant GRC workspaces, Risk users, Compliance users, Risk-, Compliance-, Audit Managers etc.

 

In deciding if the licensing is right for you consider if the user needs to view/update the record. 

 

As a rule of thumb; If I am a risk owner - I want to see the risk.  I want to trigger the risk assessment.  I want to view the control environment that mitigate my risk, and their compliance status. I want to see the issues. Therefore at the very least I should be a sn_risk.user (Operator License) 

 

Same holds true for an entity; If I am the owner of the entity I want to see the entity record, risks, controls, issues, risk events, etc.