Common roles in Governance, Risk, and Compliance

  • Release version: Australia
  • Updated March 12, 2026

  Certain common roles are used in multiple GRC modules.

    Table 1. Common roles
    Role title [name] Description Contains roles
    GRC Business User

    [sn_grc.business_user]

    Role that is a part of the GRC Profiles application. Assign this role to users who require access only to GRC applications for performing their assigned tasks, providing them limited access to data and information relevant to those tasks. For example, assign this role to a business user who must respond to an attestation or risk assessment, or who must remediate an issue.

    Starting with the 14.x release, the following permissions are available to the users with the sn_grc.business_user role:

    Policy and Compliance Management:
    • Create issues or view all issues that are assigned to them or their group.
    • Accept and approve evidence responses.
    • Assign a remediation task.
    • Acknowledge policies.
    • Contribute to policies.
    • Group or ungroup attestations.
    • Request or approve policy exceptions.
    • Report issues.
    • Respond to observations.
    • Submit and request issue triages.
    • Take an attestation.
    Risk Management:
    • Create or view all issues that are assigned to them or their group.
    • Assign indicator tasks.
    • Assign issues.
    • Assign remediation tasks.
    • Assign risk event tasks.
    • Assign risk response tasks.
    • Approve or assess an advanced risk assessment.
    • Respond to indicator tasks.
    • Respond to the risk identification questionnaire.
    • Respond to the metrics data task.
    • Report issues.
    • Submit issue triage requests.
    • Take the risk assessment.
    • View the risk assessment scope.
    • View risk statements.
    • View and report risk events.
    • View indicator supporting data.
    Integration with Project Portfolio Management:
    • Create a risk from a library.
    • Elevate an enterprise risk.
    • Initiate an object assessment.
    • View the Project Risk Overview dashboard.

    During an upgrade to either version 11.x or 12.x of GRC: Profiles, users who have performed a GRC operation in the past 90 days are automatically assigned the sn_grc.business_user role. This is a one-time event: the group and role are assigned once during the 11.x or 12.x upgrade.

    For more information on the sn_grc.business_user role, see KB0864247.
    Note:
    You must log in to Now Support to view the Knowledge Base articles.
    Note:
    You can manage who can access your GRC records with the GRC user roles. Previously, users with the snc_internal role could also access the GRC records. As part of the security updates, each GRC application has modified access control lists (ACLs) that restrict access to the GRC records to users with the GRC roles.
    Note:
    When you (a GRC user) run a job to create a record, an entry for the user is created in the Unique user table.
    Contains roles:
    • sn_grc.user_hierarchy_reader
    • workspace_user
    • sn_grc_workspace.task_reader
    • canvas_user
    GRC Business User – Lite

    [sn_grc.business_user_lite]

    Role that enables a user to perform only a subset of the tasks that can be performed by the sn_grc.business_user. This role is applicable only for customers who are entitled to and have installed the GRC: Business User – Lite application from the ServiceNow Store. Risk Lite Operators are users who have the right to perform only one or more of the listed operations. The users with this role can perform the following activities:
    • Read or update the policy acknowledgment, control attestation, take attestation, issues that are assigned to them, remediation task, or evidence request.
    • Report or read the submitted issues, risk events, or policy exceptions.
    Risk Management:
    • Update issues or view all the issues that are assigned to them or their group.
    • Approve advanced risk assessments.
      Note:
      To enable lite operators to approve advanced risk assessments, the administrator must manually add the sn_risk_advanced.ara_approver role to GRC: Business User Lite.
    • Respond to risk response tasks.
    • Approve risk response tasks.
    • Review, approve, or reject a risk event.
    • Respond to a risk identification questionnaire.
    • Update any assigned risk event task.
    • Review or respond to the metrics data tasks.
    • Assign indicator tasks.
    • Respond to indicator task requests.
    • Respond to indicator tasks.
    • Approve policy exceptions and evidence requests.
    Contains roles:
    • sn_grc_workspace.task_reader
    • canvas_user
    • sn_grc.user_hierarchy_reader
    GRC admin

    [sn_grc.admin]

    Role that provides a user with administrative access to the GRC suite of applications and modules.
    Contains roles:
    • business_process_admin
    • sn_grc.user_hierarchy_admin
    • sn_grc_workspace.task_admin
    • sn_grc.manager
    • sn_data_registry.admin
    GRC System admin

    [sn_grc.sn_grc_system_admin]

    Role that is a system role for running scheduled jobs. This role is equivalent to the admin role. For example, if you want to run a scheduled job for policy acknowledgment, you can set up the system to run the job as GRC admin. The GRC system administrator is a default user that contains the sn_grc.sn_grc_system_admin role.
    Note:
    This role isn’t assigned to a person. It’s a technical back-end role that is used for running the scheduled jobs.
    Contains roles:
    • admin
    • import_admin
    • sn_grc.admin
    GRC Reader

    [sn_grc.reader]

    Role that provides a user with read access to the GRC suite of applications and modules.
    Contains roles:
    • pa_viewer
    • cmdb_read
    • sn_data_registry.reader
    GRC Manager

    [sn_grc.manager]

    Role that provides a user with management access to the GRC suite of applications and modules.

    Contains roles:
    • sn_grc.user
    • sn_grc.compliance_manager
    • business_process_manager
    • cmdb_query_builder_read
    GRC User

    [sn_grc.user]

    Role that provides a user with management access to the GRC suite of applications and modules.

    Contains roles:
    • sn_grc.reader
    • business_process_user
    • sn_grc_pa.sn_grc_pa_viewer
    GRC Developer

    [sn_grc.developer]

    Role that enables a user to perform script-based work in GRC, such as writing scripted factors, scripted formulae for advanced risk assessment, scripted indicators, and so on.
    Contains roles:
    • sn_grc.admin
    GRC Confidential User

    [sn_grc.confidential_user]

    Role that provides a user with access to the GRC confidential records.

    Contains roles: None

    GRC User Hierarchy Reader [sn_grc.user_hierarchy_reader]

    Role that provides a user with read access to the records in the sn_grc_user_hierarchy table.

    Contains roles: None

    GRC User Hierarchy admin [sn_grc.user_hierarchy_admin]

    Role that enables a user to create or delete the records in the sn_grc_user_hierarchy_configuration table.

    Contains roles: None

    Workspace task reader [sn_grc_workspace.task_reader]

    Role that enables a user to read the records in the configuration tables such as the tab configuration, applicable tables, and so on.

    Contains roles: None

    Audit reader [sn_audit.reader]

    Role that enables a user to read the audits and audit-related tables. This role is applicable only for customers who are entitled to and have installed the GRC: Business User – Lite application from the ServiceNow Store.

    Contains roles: None

    Audit approver [sn_audit.approver]

    Role that enables a user to approve the audits. This role is applicable only for customers who are entitled to and have installed the GRC: Business User – Lite application from the ServiceNow Store.

    Contains roles: None

    Document Designer Reader [sn_grc_doc_design.reader]

    Role that provides a user with read access to the AI Reporting Assistant in Document Designer.

    Contains roles: None
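
The containment chains in Table 1 can be expanded to see what assigning a single role actually grants. The following JavaScript is an added example, not ServiceNow code: the map is transcribed from the Contains roles column above, and roles that have no row of their own in the table are assumed to contain nothing further.

```javascript
// Added example: "Contains roles" column of Table 1, transcribed as a map.
// Assumption: roles without their own row in Table 1 (admin, cmdb_read, ...)
// are treated as leaves; on a real instance they may contain more roles.
const CONTAINS = {
  'sn_grc.business_user': ['sn_grc.user_hierarchy_reader', 'workspace_user',
    'sn_grc_workspace.task_reader', 'canvas_user'],
  'sn_grc.business_user_lite': ['sn_grc_workspace.task_reader', 'canvas_user',
    'sn_grc.user_hierarchy_reader'],
  'sn_grc.admin': ['business_process_admin', 'sn_grc.user_hierarchy_admin',
    'sn_grc_workspace.task_admin', 'sn_grc.manager', 'sn_data_registry.admin'],
  'sn_grc.sn_grc_system_admin': ['admin', 'import_admin', 'sn_grc.admin'],
  'sn_grc.reader': ['pa_viewer', 'cmdb_read', 'sn_data_registry.reader'],
  'sn_grc.manager': ['sn_grc.user', 'sn_grc.compliance_manager',
    'business_process_manager', 'cmdb_query_builder_read'],
  'sn_grc.user': ['sn_grc.reader', 'business_process_user',
    'sn_grc_pa.sn_grc_pa_viewer'],
  'sn_grc.developer': ['sn_grc.admin'],
};

// Every role granted by assigning `role`, directly or through containment.
function effectiveRoles(role, map = CONTAINS) {
  const seen = new Set();
  const stack = [...(map[role] || [])];
  while (stack.length > 0) {
    const r = stack.pop();
    if (r === role || seen.has(r)) continue; // skip repeats and cycles
    seen.add(r);
    stack.push(...(map[r] || []));
  }
  return [...seen].sort();
}

// Roles listed in the map whose assignment also grants `target`.
function rolesGranting(target, map = CONTAINS) {
  return Object.keys(map)
    .filter((r) => effectiveRoles(r, map).includes(target))
    .sort();
}

// Review questions a role audit would ask of Table 1.
console.log('sn_grc.developer expands to:', effectiveRoles('sn_grc.developer'));
console.log('grants sn_grc.admin:', rolesGranting('sn_grc.admin'));
console.log('grants admin:', rolesGranting('admin'));
```

With this map, sn_grc.developer expands to 16 roles through sn_grc.admin, and sn_grc.sn_grc_system_admin is the only listed role that reaches admin.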

    Roles that are installed with the GRC Employee User application

    Note:
    The following role is applicable only to customers who are entitled to and have installed the GRC Employee User application. For more details, review the entitlement on the subscription dashboard or contact ServiceNow customer service.

    GRC Employee [sn_grc_emp_user.grc_employee]

    Role that is applicable only to customers who are entitled to and have installed the GRC Employee User application from the ServiceNow Store. The users with this role can perform the following activities from Employee Center:
    • Read and acknowledge organizational policies.
    • Report risk events and issues.
    • Request policy exceptions.
    • Report a compliance case to the Compliance team.
    • Raise inquiries or requests to the Compliance team.
    The following Operator roles are reclassified as Lite Operator roles when the GRC Employee User and GRC Business User Lite applications are installed:
    • sn_grc.business_user
    • sn_risk_advanced.ara_assessor
    • sn_irm_cont_auth.authorization_official
    • sn_irm_cont_auth.reader
    • sn_irm_cont_auth.executive_read
    Note:
    This reclassification is applicable only to customers who are entitled to and have installed the GRC Employee User application. For more details, review the entitlement on the subscription dashboard or contact ServiceNow customer service.