Entities in GRC

  • Release version: Australia
  • Updated March 12, 2026
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Entities in GRC

    In Governance, Risk, and Compliance (GRC), anentityrepresents any person, process, department, application, or object whose compliance exposure is tracked. Each entity has an assigned owner to ensure accountability for compliance status. GRC automatically generates entities based on defined criteria, enabling precise tracking and management of compliance risks.

    Show full answer Show less

    Key Constructs

    • Entity Class: Groups entities by category (e.g., Financial, Location) and links to an entity tier. It provides conceptual tagging of entities for easier management.
    • Entity Type: Defines filter conditions to identify which source records become entities (e.g., all records with Category = Financial and Criticality = High). This enables automated entity creation and hierarchical grouping.
    • Entity Tier: Assigns criticality levels to entity classes (e.g., Tier 1 for high-criticality items) to prioritize compliance monitoring and reporting.

    These constructs work together to automatically generate and categorize entities when matching source records are created, allowing focused compliance oversight. For example, critical financial systems can be tracked under a Tier 1 Financial entity class, ensuring only relevant systems and their owners are held accountable for audit failures.

    Entity Relationships and Synchronization

    • Entity Hierarchy: Entities can have upstream (parent) and downstream (child) relationships to represent dependencies.
    • Name and Owner Sync: Entity names and owners can automatically synchronize with their source records. This is controlled by a checkbox at the entity level and managed by a scheduled job, which can run daily, weekly, or monthly, ensuring entity data stays current and accurate.

    Entity Classes

    Entity classes serve as tags or conceptual categories for entities. They are automatically assigned based on entity class rules linked to specific tables, ensuring that any new entity created on that table inherits the appropriate class. For example, office branches could be tagged with the "Location" entity class.

    Entity Types

    Entity types group entities using filter criteria, facilitating easy discovery and management of entities sharing similar characteristics. They also enable efficient creation of associated risks and controls for those grouped entities. For instance, various departments like Finance, HR, and IT can be grouped under an entity type named "Departments."

    Entity Tiers

    Entity tiers apply a hierarchical level to entity classes, allowing organizations to prioritize and view the status of the most critical entities. This tiered approach supports focused compliance monitoring by highlighting high-priority items.

    Practical Benefits for ServiceNow Customers

    • Automated and structured compliance tracking of people, processes, and assets.
    • Clear accountability through entity ownership and synchronization with source data.
    • Efficient risk and control management via entity grouping and classification.
    • Prioritization of compliance efforts through entity tiers reflecting criticality levels.
    • Visibility into entity relationships for comprehensive risk impact analysis.

    An entity is a person, process, department, application, or other object whose compliance exposure is tracked in GRC. Each entity has an owner, so non-compliant items and their owners can be identified individually.

    Before you can work with entities, you need three supporting constructs:
    • An entity class groups entities by category, such as Financial or Location, and associates that category with a tier.
    • An entity type uses filter conditions to identify which source records are set to entities. For example, all records where Category = Financial and Criticality = High.
    • An entity tier assigns a criticality level to entity classes. For example, Tier 1 for critical items and Tier 2 for standard items.

      Once these constructs are in place, GRC generates entities automatically when a matching source record is created.

    To understand how these constructs work together, consider the following example. Your organization wants to track compliance across its critical financial systems. First, create an entity tier called Tier 1 to represent high-criticality items. Then create an entity class called Financial and associate it with Tier 1. Next, create an entity type called Critical Financial Systems with a filter that matches records where Category = Financial and Criticality = High. When a source record matching that filter is created, GRC automatically generates an entity, assigns it the Financial class, and surfaces it in the Tier 1 view. If one system fails an audit, only that system's entity and its owner are held accountable. The other systems are unaffected.

    Entities can also be related to each other. An entity with child entities has downstream entities. An entity with parent entities has upstream entities.

    Entity name and owner synchronization

    When a source record linked to an entity filter is created, an entity is automatically generated in GRC. If the source record name or owner changes after the entity is created, the entity name and owner can update to match the source record.

    You can control this synchronization at the entity level using the Sync entity name and entity owner with source record check box. When selected, the Name and Owner fields are set to read-only and stay in synchronization with the source record. Clearing the check box enables you to manually override the entity name and owner.

    The synchronization is performed by the Sync entity name and entity owner with source record scheduled job. When an entity is first created, the synchronization happens automatically. For continuous synchronization of future changes to source records, this scheduled job must be active. The job syncs entity names and owners based on GRC properties that control its behavior:
    • Frequency of syncing the entity name and entity owner with the source record: determines how often the job runs. Options are daily, weekly, or monthly.
    • Maximum batch size while syncing the entity name and entity owner with the source record: controls the number of records processed in each batch.

    Entity classes

    Entity classes are used to add a conceptual information about the entity or tag the entity. To understand the concept of entity class, consider the following example. A company has office branches in three cities. The office space is considered as an entity and the entity class for these entities would be the location. You can create an entity class by associating it with an entity tier as shown in the following example.
    Figure 1. Sample configuration for an entity class
    Sample configuration for an entity class.

    For more information, see Entity classes.

    Entity class rules

    Entity class rules help to assign classes to the entities at the table level. Any new entity created on the table gets that entity class automatically. Entity classes are used to tag your entities.

    When you create an entity over a specific table, the class associated with that table automatically gets assigned to the entity. You can set a new entity class rule for a table.

    For more information, see Entity class rules.

    Entity types

    An entity type is a grouping of entities that is based on filtering. Entity types enable you to find and create entities that match a set of filter conditions. Hierarchy can be created within the entity classes.

    Entity types also enable you to create risks and controls for each entity without spending much time. For example, an organization can have multiple departments, such as finance, HR, or IT. All these departments can be considered as entities and can be grouped under the entity type called Departments.

    You can create an entity type by associating it with the core business pillar such as Technologies or Facilities as shown in the following example.
    Figure 2. Sample configuration for an entity type
    Sample configuration for an entity type.

    For more information, see Entity types.

    Entity tiers

    When you create entity tiers, you apply a level or hierarchy to the entity classes. This level applies to all the entities in those entity classes. Entity tiers enable you to select and view the status of the most critical items in the business as shown in the following example.
    Figure 3. List view for an entity tier
    List view for an entity tier.

    For more information, see Entity tiers.