Roles in Third-party Risk Management

  • Release version: Australia
  • Updated May 5, 2026
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Roles in Third-party Risk Management

    Third-party Risk Management (TPRM) roles in ServiceNow define user permissions and access levels within the TPRM application. These roles enable organizations to control who can view, create, update, and approve third-party risk assessments, manage contacts, and configure assessments and templates. Proper role assignment ensures secure and efficient management of third-party risks aligned with organizational responsibilities.


    Key Roles and Their Permissions

    • Third-party reader [vendor_reader]: Read-only access to third-party contact records.
    • Third-party editor [vendor_editor]: Can create, update, and delete third-party contact records.
    • Third-party assessment reviewer [sn_vdr_risk_asmt.vendor_assessment_reviewer]: View assessments and questionnaires, leave comments on key risk tables. This role includes several reader roles for related frameworks and libraries.
    • TPR assessor [sn_vdr_risk_asmt.vendor_assessor]: Inherits reviewer permissions plus manage third parties, contacts, external risk assessments, and issues. It has configurable options for modifying questionnaire responses.
    • TPR approver [sn_vdr_risk_asmt.approver]: Reviewer permissions plus the ability to approve internal risk questionnaires (IRQs).
    • TPR manager [sn_vdr_risk_asmt.vendor_risk_manager]: Assessor permissions plus management of assessment templates, scheduled assessments, engagements, contacts, and scoring rules.
    • TPR admin [sn_vdr_risk_asmt.vendor_risk_admin]: Manager permissions plus rights to create and edit all templates (including classic and SAE), document request templates, and post-assessment automation rules.
    • Contract risk negotiator [sn_vdr_risk_asmt.contract_negotiator]: Assessor permissions plus legal department capabilities to modify contract statuses and dates.
    • Third-party contact [vendor_contact]: External users assigned by the third party with limited access to the Third-party portal (not the main ServiceNow instance). They can respond to questionnaires or assign others to respond and manage contacts for their organization.

    Roles for Specific TPRM Features

    • Digital Resilience Third-party Registers: Access is granted via specific DORA roles such as TPRM DORA user, TPRM DORA manager, and TPRM DORA admin, which align respectively with assessment reviewer, assessor, and admin roles.
    • Smart Assessment Engine (SAE):
      • Template viewing via TPRM SAE template reader and assessment reader roles.
      • Questionnaire responding via internal assessment user (for assigned internal respondents) and external assessment user (for third-party contacts).
      • Template creation and automation rule management require TPRM SAE admin and automation creator roles, typically held by TPR admins.
    • Now Assist for TPRM: Users with the Third-party assessment reviewer role automatically receive the TPRM GenAI User role upon installation, enabling use of Now Assist capabilities within TPRM.

    Practical Implications for ServiceNow Customers

    Assigning the correct TPRM roles ensures that users have appropriate access to perform their responsibilities efficiently and securely. For example:

    • Use Third-party contacts to involve external representatives safely without exposing internal systems.
    • TPR assessors and managers can manage risk assessments and templates, ensuring thorough third-party risk evaluation.
    • Approvers handle critical sign-offs on risk questionnaires.
    • Admins have full control to configure templates and automation, streamlining risk management workflows.

    Understanding role hierarchies and their contained permissions assists in aligning internal responsibilities with system access, optimizing third-party risk governance.

    Roles determine permissions and access in TPRM.

    TPRM roles

    Friendly name [role name] Description Contains roles
    Third-party reader

    [vendor_reader]

    Read access to third-party contact records.

    Contains: None

    Third-party editor

    [vendor_editor]

    Create/update/delete third-party contact records.

    Contains: None

    Third-party assessment reviewer

    [sn_vdr_risk_asmt.vendor_assessment_reviewer]

    View assessment and questionnaire data. In addition to viewing, they can leave comments on the following tables:
    • Tiering assessment
    • Internal assessment
    • External assessment
    • Third-party risk issues
    • Third-party risk tasks
    • Third-party risk due diligence request

    Contains:

    • sn_risk.implementation_reader
    • sn_compliance.control_framework_reader
    • sn_compliance.policy_reader
    • sn_grc.library_reader
    • sn_smart_asmt.actor
    • task_editor
    • vendor_reader
    • sn_dora_accel.user
    • sn_smart_asmt.template_reader
    • sn_smart_asmt.assessment_reader
    • sn_tprm_genai.nowassist_user

    TPR assessor (Third-party risk assessor)

    [sn_vdr_risk_asmt.vendor_assessor]

    • Includes all permissions of the Third-party assessment reviewer role plus: Manage third parties, third-party contacts, external risk assessments, and issues.
    • You can set the following options for the sn_svdp.allow_assessor_edit property:
      • Enable TPR assessors to answer questions or modify responses in third-party questionnaires (default).
      • Enable TPR assessors to modify responses.
      • Don’t enable TPR assessors to answer questions or modify responses.
      See Configure TPRM properties.
    Contains:
    • vendor_assessment_reviewer
    • sn_grc.library_reader
    • vendor_editor
    • vendor_reader
    • sn_dora_accel.manager

    TPR approver

    [sn_vdr_risk_asmt.approver]

    Includes all permissions of the Third-party assessment reviewer role plus: approve IRQs.

    Contains:
    • vendor_assessment_reviewer
    • sn_dora_accel.user

    TPR manager (Third-party risk manager)

    [sn_vdr_risk_asmt.vendor_risk_manager]

    Includes all permissions of the TPR assessor role plus:

    • Manage third-party assessment templates and scheduled assessments.
    • Manage engagements and engagement contacts.
    • Manage scoring rules for both third parties and engagements.
    Contains:
    • vendor_assessor
    • sn_dora_accel.manager

    TPR admin (Third-party risk admin)

    [sn_vdr_risk_asmt.vendor_risk_admin]

    Includes all permissions of the TPR manager role plus:

    Create and edit the following items:

    • Third-party assessment templates
    • Risk tiering templates
    • Risk tier questionnaire templates
    • Third-party questionnaire templates
    • Document request templates
    • Post assessment automation rules
    Note:
    All the templates include both classic and SAE templates.
    Contains:
    • vendor_risk_manager
    • assessment_admin
    • sn_dora_accel.admin
    • sn_smart_asmt.assessment_admin
    • sn_smart_imp_auto.automation_creator

    Contract risk negotiator

    [sn_vdr_risk_asmt.contract_negotiator]

    Includes all permissions of the TPR assessor role plus:

    Gives users in the legal department access to modify contract status and the start and expiration dates.

    You can add users with this role to the Contract risk negotiators user group. See Add users to groups based on responsibilities.

    Contains:
    • vendor_assessor
    • sn_dora_accel.manager

    Third-party contact

    [vendor_contact]

    • Called a third-party contact when responding to an external questionnaire/task/issue for a third party.
    • Called an engagement contact when responding to a questionnaire/task/issue for an engagement.

    You assign the third-party contact role to users at the third-party organization whose risk is being assessed. Third-party contacts are assigned the snc_external role to give them access to resources and actions in the Third-party portal.

    Important:
    The third-party contact role should be used only for external contacts. The role prohibits access to your ServiceNow AI Platform instance and grants access only to the Third-party portal.

    You assign the primary contact responsibility to the third-party contact who can directly answer assessment questions or assign another contact at the third party to answer the questions. Primary contacts can manage other contacts for the third party.

    Contains: snc_external

    Roles required for accessing the Digital resilience third-party registers

    A user with one of the following roles can access the Digital resilience third-party registers related modules in the Vendor Management Workspace:
    • TPRM DORA user [sn_dora_accel.user] role

      Third-party assessment reviewer and TPR approver contain this role.

    • TPRM DORA manager [sn_dora_accel.manager] role

      TPR assessor and TPR manager contain this role.

    • TPRM DORA admin [sn_dora_accel.admin]

      The TPR admin contains this role.

    For more information on DORA related roles, see Roles installed with Digital resilience third-party registers.

    Roles required for using Smart Assessment Engine

    A user with one of the following roles can view templates in the Assessment Workspace:
    • TPRM SAE template reader [sn_smart_asmt.template_reader] role

      Third-party assessment reviewer contains this role.

    • TPRM SAE assessment reader [sn_smart_asmt.assessment_reader] role

      Third-party assessment reviewer contains this role.

    A user with one of the following roles can respond to questionnaires in the Vendor Management Workspace, GRC portal, or Third-party portal.
    • TPRM SAE internal assessment user [sn_vdr_risk_asmt.internal_assessment_responder]

      This role is automatically assigned to an assigned IRQ assessor or internal assessment respondent.

      This role is required to respond to internal/IRQ assessment questionnaires using the GRC Portal.

      This role contains the following roles: canvas_user, sn_smart_asmt.actor, sn_grc_workspace.user, and sn_grc_workspace.task_reader.

    • TPRM SAE external assessment user [sn_vdr_risk_asmt.external_assessment_responder]

      This role is automatically assigned to the assigned third-party contact.

      This role is required to respond to external questionnaires using the Third-party portal.

      This contains the role: sn_smart_asmt.actor.

    A user with the TPRM SAE admin [sn_smart_asmt.assessment_admin] role can create SAE templates in the Vendor Management Workspace and Assessment Workspace.

    Third-party admin contains this role.

    A user with the sn_smart_imp_auto.automation_creator role can create post assessment impact automation rules.

    Third-party admin contains this role.

    Important:
    The Third-party assessment reviewer [sn_vdr_risk_asmt.vendor_assessment_reviewer] role is the minimum role that you must have to view any template that is a member of the TPRM external questionnaire, TPRM external document request, TPRM internal tiering questionnaire, and TPRM internal IRQ purposes.

    For more information on SAE related roles, see Roles installed in Smart Assessment Engine.
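
The containment lists in the TPRM roles table compound: a role brings in everything its contained roles contain. The following added example (plain JavaScript written for this page, not ServiceNow code) resolves effective roles from that table and flags accounts that combine vendor_contact with roles beyond those a third-party contact is expected to hold, including the external assessment responder role described above. Assumptions: unscoped names in the Contains lists refer to the matching sn_vdr_risk_asmt.* roles, contained roles the page does not expand are treated as leaves, and the sample accounts are constructed.

```javascript
// Containment copied from this page's "TPRM roles" table. Assumption: unscoped names
// in "Contains" lists (vendor_assessor, ...) mean the sn_vdr_risk_asmt.* role.
const P = 'sn_vdr_risk_asmt.';
const CONTAINS = {
  vendor_contact: ['snc_external'],
  [P + 'external_assessment_responder']: ['sn_smart_asmt.actor'],
  [P + 'vendor_assessment_reviewer']: ['sn_risk.implementation_reader',
    'sn_compliance.control_framework_reader', 'sn_compliance.policy_reader',
    'sn_grc.library_reader', 'sn_smart_asmt.actor', 'task_editor', 'vendor_reader',
    'sn_dora_accel.user', 'sn_smart_asmt.template_reader',
    'sn_smart_asmt.assessment_reader', 'sn_tprm_genai.nowassist_user'],
  [P + 'vendor_assessor']: [P + 'vendor_assessment_reviewer', 'sn_grc.library_reader',
    'vendor_editor', 'vendor_reader', 'sn_dora_accel.manager'],
  [P + 'approver']: [P + 'vendor_assessment_reviewer', 'sn_dora_accel.user'],
  [P + 'vendor_risk_manager']: [P + 'vendor_assessor', 'sn_dora_accel.manager'],
  [P + 'vendor_risk_admin']: [P + 'vendor_risk_manager', 'assessment_admin',
    'sn_dora_accel.admin', 'sn_smart_asmt.assessment_admin',
    'sn_smart_imp_auto.automation_creator'],
  [P + 'contract_negotiator']: [P + 'vendor_assessor', 'sn_dora_accel.manager'],
};
// Roles the page says a genuine third-party contact holds.
const EXTERNAL_OK = new Set(['vendor_contact', 'snc_external',
  P + 'external_assessment_responder', 'sn_smart_asmt.actor']);
// Transitive closure over CONTAINS: roles held directly or through containment.
function effectiveRoles(assigned) {
  const seen = new Set();
  const stack = [...assigned];
  while (stack.length) {
    const role = stack.pop();
    if (seen.has(role)) continue;
    seen.add(role);
    stack.push(...(CONTAINS[role] || []));
  }
  return seen;
}
// Flags vendor_contact accounts holding anything outside EXTERNAL_OK.
function auditUser(user) {
  const eff = effectiveRoles(user.roles);
  const external = eff.has('vendor_contact');
  const unexpected = external ? [...eff].filter(r => !EXTERNAL_OK.has(r)).sort() : [];
  return { name: user.name, canEditContacts: eff.has('vendor_editor'),
    violation: unexpected.length > 0, unexpected };
}
// Constructed sample accounts (not from the page).
const SAMPLE_USERS = [
  { name: 'supplier.ok', roles: ['vendor_contact', P + 'external_assessment_responder'] },
  { name: 'supplier.bad', roles: ['vendor_contact', P + 'approver'] },
  { name: 'legal.1', roles: [P + 'contract_negotiator'] }];
console.log(SAMPLE_USERS.map(auditUser));
```

The legal.1 result shows an inherited grant that is easy to miss: Contract risk negotiator reaches vendor_editor through vendor_assessor.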

    Roles required for using Now Assist for Third-party Risk Management (TPRM)

    A user with the Third-party Assessment reviewer [sn_vdr_risk_asmt.vendor_assessment_reviewer] role can use the Now Assist for TPRM skills.

    The TPRM GenAI User [sn_tprm_genai.nowassist_user] role is granted to Third-party Assessment reviewers [sn_vdr_risk_asmt.vendor_assessment_reviewer] automatically after you install the Now Assist for TPRM application. For more information about Now Assist for TPRM, see Now Assist for Third-party Risk Management (TPRM).