Is there any license used if we assign sn_grc.business_user role to any user in User table?

Manika Gupta
Tera Contributor

‎03-02-2022 06:26 AM

I have 2 questions, both are related to Advanced Audit application.

 

1. We have 18K Suppliers who are part of User Table and need to work on Issues and provide evidence during Audit Execution. We are planning to give sn_grc.business_user role to all the Suppliers. Do we need to purchase any type of IRM license for this? 

2. What is the difference between IRM Lite Operator and IRL Operator license? What all functionalities\modules are accessible with IRM Lite Operator license. Is there a list that can be shared?

 

0 Helpfuls
  • 2,234 Views
18 REPLIES 18

MGanon
Tera Guru
In response to Sebastien Fix

‎12-29-2022 06:17 PM

What is the source of your quote?

0 Helpfuls

Jan Boere
Tera Contributor

‎11-04-2022 04:37 AM

Would like to bring up this question about IRM Lite Operator again as it is now officially released for Tokyo.

Does anyone know what capabilities can be done with this license? e.g. perform Attestations/Risk Assessments; Handle manual Indicator Tasks?

Thanks!

 

Commercial Pricing Guide - Tokyo Q3-2022 states:

August 4, 2022 Update:

• IRM Lite Operator has been released for Tokyo.

0 Helpfuls

Rakesh Chigari
Tera Guru
In response to Jan Boere

‎01-08-2023 08:15 PM

@Jan Boere  @Community Alums @Sebastien Fix 

 

  • Operator (also lite operator) is a new meter where any access or right to access of IRM tables is considered for licensing purposes. Please note that all roles that provide access to these applications are considered licensing. Information about which roles are of operator/lite operator  type is available in sn_irm_shared_cmn_licensing_role_type table
  • The license meter is of monthly cadence. In the first 2-3 days of every month the licensing query is run to look for role allocation and usage pertaining to the previous month. Table tracks these unique numbers, but billing/compliance checks & calculation happens annually
  • Custom roles are treated as Operators

 

Community Alums
Not applicable

‎01-08-2023 11:45 PM

Hi @Manika Gupta ,

  sn_grc.business_user role is Given to the users whom you want to be part of IRM/GRC space however at the same time don't want to provide complete access to any compliance related accessess.

A sn_grc.business_user can be and can work on Issue Owner, Evidence requests tasks, Issue triage submission , evidence request manager approvals,Observation Respondent, Approver/Assesor of advanced risk assessment, read access to Risk Statements , Risk assessments scope, rating criteria, Risk event configuration .

When we talk about the licensing part of "sn_grc.business_user" role , they may or may not have direct link to consuming the licenses, as it completely depends on the what you want them to perform.

If you just add the role to a user , it doesn't consume any licenses. However, when the user performes any of the jobs mentioned above then it does consume license. 

 

sn_grc.business_user_lite:

Users with this role can perform only a subset of the tasks that can be performed by the sn_grc.business_user. This role is applicable only for customers who have purchased the ‘Risk Lite Operator’ licence and installed the GRC: Business User – Lite application from the ServiceNow Store. Risk Lite Operators are users who have the right to perform only one or more of the listed operations. The users with this role can perform the following activities:

  • Read and update policy acknowledgment, control attestation, issues assigned to them, remediation task, and evidence request.
  • Create, read, and update issues submitted, reported risk events, and policy exceptions.

 

 

 

0 Helpfuls

UTKARSH JAIN
ServiceNow Employee
ServiceNow Employee
In response to Community Alums

‎01-09-2023 02:35 AM

Hi Sandeep and everyone here,

 

Both GRC Business User and GRC Business User Lite role are licensable roles in ServiceNow. In fact all IRM roles either pre-packaged or created custom (on IRM tables) are accounted for licenses. It is right to access license, which means the system would do a check every month to see how many users are assigned those roles and irrespective of the fact whether they have or not accessed the application in that month would be accounted for the licenses.

 

As highlighted above, GRC Business User Lite is a lite operator role who can perform a subset of the activities within IRM. This includes things like responding to policy acknowledgment, responding to control attestation etc. However, this classification of lite operator is only available to customers who have purchased Lite Operator product and has installed GRC: Business User Lite application. Along with role, all reader role in IRM such as Risk Reader, Compliance Reader are also classified as Lite operator by the system.

 

However, all other roles in the system are classified as an operator. So any user with compliance user role, risk user role will be classified as an operator. Any custom role created by the customer will also be flagged as an operator unless it is not a wrapper role to an underlying lite operator role. For ex- if you create a custom role called "XYZ User" which only contains Risk Reader and GRC Business User Lite and no modification to ACLs are performed then this role will be also be classified as Lite Operator. 

 

For differences between the 2 roles refer to below screenshot

UTKARSHJAIN_0-1673260519094.png

UTKARSHJAIN_1-1673260536653.png

 

0 Helpfuls