What is the sn_grc.user role used for?

anvitha ash
Tera Contributor

What is the use of sn_grc.user? How is it helpful?

What is the difference between the sn_grc.business_user role and the sn_grc.user role?

Can someone help me understand these roles?

 

Thanks in advance 🙂

7 REPLIES

No, that appears to be just read access based on the roles shown to the right (.reader and _viewer).

You may want to look at the Compliance User role, though, as it contains sn_grc.user, instead of granting sn_grc.user directly.

Steven

Ahmed Drar
Tera Guru

Hi @anvitha ash 

 

In terms of access rights, sn_grc.user > sn_grc.business_user.

 

sn_grc.user existed long before ServiceNow introduced sn_grc.business_user. At the time, we would grant sn_grc.user as a minimum role to users who needed to read GRC tasks.


In my opinion, this is no longer true. sn_grc.business_user should be allocated to users who need access to GRC to carry out their basic duties, such as responding to an attestation or risk assessment. Keep in mind that the role has limited access to information linked to the activities that have been assigned to them.

 


Jan Spurlin
ServiceNow Employee

@anvitha ash - I agree with everything the previous posters have stated, but here are a few more details about GRC roles in general.

The roles that begin with sn_grc.xxx (with the exception of the business user roles) are roles that were created a long time ago when we didn't have separate compliance, risk and audit applications. When those apps were developed, new, more specific roles were created (sn_compliance.xxx, sn_risk.xxx, etc.). If you look at the user, manager and admin roles of these, you will see that the sn_grc.xxx role is contained within it.

 

In the class I teach, we tell students not to directly assign the sn_grc.admin, manager and user roles to groups/users, because when you assign the compliance/risk role it will be inherited.

 

Fast forward to today where we have the GRC Business User role. This role was created because customers needed to give access to certain users to perform GRC actions, but they didn't want them to have as much power as the "user" role. They needed more than reader, but less than user.

 

On my next statements - I will qualify these statements - please check with your account rep to confirm that this is how it works for your instance. As an instructor, I try and stay away from licensing questions because there are too many variables for me to consider. But in general, on the Business User roles - the impact to licensing does not occur until the user has performed a GRC action. So, I could assign these roles to all managers in my organization but there would not be any licensing impact until a manager used the role to perform a GRC action - such as responding to an assessment.

 

Hope that helps.
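
Added example (not part of any reply in this thread, and not ServiceNow's own code): a small audit over constructed role data that follows the advice above, flagging direct grants of the legacy sn_grc.user/manager/admin roles and noting when a grant is redundant because a containing role already supplies it. The containment pairs, user names and field names are constructed assumptions; on a real instance they would come from that instance's own role configuration.

```javascript
// Constructed sample data modelled on the thread's description of role containment.
// Field names (role/contains, user/role) are assumptions for this illustration.
const contains = [
  { role: "sn_compliance.user", contains: "sn_grc.user" },
  { role: "sn_risk.user", contains: "sn_grc.user" },
  { role: "sn_compliance.manager", contains: "sn_compliance.user" },
  { role: "sn_compliance.manager", contains: "sn_grc.manager" },
];
const directGrants = [
  { user: "alice", role: "sn_compliance.manager" },
  { user: "bob", role: "sn_grc.user" },
  { user: "carol", role: "sn_grc.user" },
  { user: "carol", role: "sn_risk.user" },
  { user: "dave", role: "sn_grc.business_user" },
];
const LEGACY = new Set(["sn_grc.user", "sn_grc.manager", "sn_grc.admin"]);

// Expand a list of roles to everything they contain (transitive, cycle-safe).
function expand(roles) {
  const seen = new Set(roles);
  const queue = [...roles];
  while (queue.length) {
    const r = queue.shift();
    for (const e of contains) {
      if (e.role === r && !seen.has(e.contains)) {
        seen.add(e.contains);
        queue.push(e.contains);
      }
    }
  }
  return seen;
}

// Effective roles of a user: direct grants plus everything inherited through them.
function effectiveRoles(user) {
  return [...expand(directGrants.filter((g) => g.user === user).map((g) => g.role))].sort();
}

// Flag direct grants of legacy sn_grc.* roles; a grant is redundant when the
// user's other direct roles already contain it.
function auditDirectLegacyGrants() {
  return directGrants
    .filter((g) => LEGACY.has(g.role))
    .map((g) => {
      const others = directGrants
        .filter((o) => o.user === g.user && o.role !== g.role)
        .map((o) => o.role);
      return { user: g.user, role: g.role, redundant: expand(others).has(g.role) };
    });
}
```

A non-redundant finding (bob in the sample) is the case to review by hand: either replace the direct grant with the compliance or risk role the user actually needs, or with sn_grc.business_user if they only respond to assigned activities.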