Components installed with Policy and Compliance Management

  • Release version: Australia
  • Updated March 12, 2026
    Reference topics provide additional information about components that are installed with the activation of the Policy and Compliance Management plugin. These components include tables, user roles, and properties.

    Note:
    The Application Files table lists the components that are installed with this application. For instructions on how to access this table, see Find components installed with an application.

    Demo data is available for this feature.

    Roles installed with GRC: Policy and Compliance Management

    Roles are added with activation of GRC: Policy and Compliance Management.

    Table 1. Roles installed
    Role title [name] Description Contains roles
    Compliance Administrator

    [sn_compliance.admin]

    Contains the reader, user, manager, and admin roles in sn_grc scopes, and the reader, user, and manager roles in the Policy and Compliance Management application. In addition to the inherited permissions, the compliance admin can delete authority documents, citations, policies, control objectives, and controls.
    • sn_compliance.manager
    • sn_grc.admin
    Attestation Creator

    [sn_compliance.attestation_creator]

    Role used for creating the GRC attestation metric type, as well as exception questionnaires.
    • assessment_admin
    Compliance Developer

    [sn_compliance.developer]

    Contains the reader, user, manager, admin, and developer roles in sn_grc scopes, and the reader, user, manager, and admin roles in the Policy and Compliance Management application. In addition to the inherited permissions, the compliance developer can create article templates and edit scripts.
    • sn_compliance.admin
    • sn_grc.developer
    Compliance Manager

    [sn_compliance.manager]

    Contains the reader, user, and manager roles in sn_grc scopes, and the reader and user roles in the Policy and Compliance Management application. In addition to the inherited permissions, the compliance manager can create authority documents, citations, control objectives, and controls.
    • sn_compliance.user
    • sn_grc.manager
    • sn_vdr_risk_asmt.vendor_assessment_reviewer
    Compliance Reader

    [sn_compliance.reader]

    Contains the reader role in sn_grc scopes. In addition to the inherited permissions, the compliance reader can be assigned indicators templates, indicators, and issues.
    • sn_grc.reader
    • survey_reader
    Compliance User

    [sn_compliance.user]

    Contains the reader and user roles in sn_grc scopes, and the reader role in the Policy and Compliance Management application. In addition to the inherited permissions, the compliance user can be assigned controls and create policies, and has read-only access to the Risk Management application and modules. The compliance user can also create control objectives.
    • sn_compliance.reader
    • sn_grc.user
    • sn_risk.reader
    • survey_reader
    • vendor_reader
    Corporate compliance analyst

    [sn_compliance_ws.corporate_compliance_analyst]

    Contains the reader and user roles in sn_grc scopes, and the reader role in the Compliance Workspace.
    • sn_compliance.user
    • sn_audit.user
    Corporate compliance manager

    [sn_compliance_ws.corporate_compliance_manager]

    Contains the reader, user, and manager roles in sn_grc scopes, and the reader and user roles in the Compliance Workspace.
    • sn_compliance.manager
    • sn_compliance_ws.corporate_compliance_analyst
    • sn_audit.manager
    IT compliance manager

    [sn_compliance_ws.it_compliance_manager]

    Contains the reader, user, and manager roles in sn_grc scopes, and the reader and user roles in the Compliance Workspace.
    • sn_compliance.manager
    • sn_audit.manager
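
    To review what a single grant actually confers, the containment listed in Table 1 can be expanded transitively. The following is an added example, not ServiceNow code: the function names are hypothetical, and roles that Table 1 does not define (such as sn_grc.admin) are treated as leaves, so whatever they contain in turn is not expanded.

```javascript
// Added example: containment data transcribed from Table 1 on this page.
// Roles that Table 1 does not define (for example sn_grc.admin) are treated
// as leaves, so the roles they contain in turn are NOT expanded here.
const CONTAINS = {
  'sn_compliance.admin': ['sn_compliance.manager', 'sn_grc.admin'],
  'sn_compliance.attestation_creator': ['assessment_admin'],
  'sn_compliance.developer': ['sn_compliance.admin', 'sn_grc.developer'],
  'sn_compliance.manager': ['sn_compliance.user', 'sn_grc.manager',
    'sn_vdr_risk_asmt.vendor_assessment_reviewer'],
  'sn_compliance.reader': ['sn_grc.reader', 'survey_reader'],
  'sn_compliance.user': ['sn_compliance.reader', 'sn_grc.user',
    'sn_risk.reader', 'survey_reader', 'vendor_reader'],
  'sn_compliance_ws.corporate_compliance_analyst': ['sn_compliance.user',
    'sn_audit.user'],
  'sn_compliance_ws.corporate_compliance_manager': ['sn_compliance.manager',
    'sn_compliance_ws.corporate_compliance_analyst', 'sn_audit.manager'],
  'sn_compliance_ws.it_compliance_manager': ['sn_compliance.manager',
    'sn_audit.manager'],
};

// Breadth-first expansion of every role reachable from `role`. Each entry
// keeps the containment path so a reviewer can see why a grant is present.
function effectiveRoles(role, graph = CONTAINS) {
  const paths = new Map([[role, [role]]]);
  const queue = [role];
  while (queue.length > 0) {
    const current = queue.shift();
    for (const child of graph[current] || []) {
      if (paths.has(child)) continue; // already reached; also stops cycles
      paths.set(child, [...paths.get(current), child]);
      queue.push(child);
    }
  }
  paths.delete(role); // report only what is inherited, not the role itself
  return paths;
}

// Inherited roles whose names fall outside the allowed namespace prefixes.
function outOfScopeGrants(role, allowedPrefixes, graph = CONTAINS) {
  const hits = [];
  for (const [name, path] of effectiveRoles(role, graph)) {
    if (!allowedPrefixes.some((prefix) => name.startsWith(prefix))) {
      hits.push({ role: name, via: path.join(' > ') });
    }
  }
  return hits.sort((a, b) => (a.role < b.role ? -1 : 1));
}

// What does granting the IT compliance manager role pull in beyond the
// sn_compliance and sn_grc scopes?
console.log(outOfScopeGrants('sn_compliance_ws.it_compliance_manager',
  ['sn_compliance.', 'sn_grc.']));
```

    Against a live instance, the same expansion should be fed from the instance's own role containment records rather than from this transcription.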

    Tables installed with Policy and Compliance Management

    Tables are added with activation of GRC: Policy and Compliance Management.

    Table 2. Tables installed
    Table Description
    Authority Document

    [sn_compliance_authority_document]

    Extends the Document [sn_grc_document] table and stores all Authority Documents.
    Control

    [sn_compliance_control]

    Extends the Item [sn_grc_item] table and stores all controls.
    Policy

    [sn_compliance_policy]

    Extends the Document [sn_grc_document] table and stores all policies.
    Article Template

    [sn_compliance_article_template]

    Used to format the policy text contained in a policy record when publishing the policy to the knowledge base (KB).
    Citation

    [sn_compliance_citation]

    Extends the Content [sn_grc_content] table and stores all citations.
    Policy exception risk rating mapping

    [sn_compliance_policy_exception_risk_rating_mapping]

    Stores the mapping details of the risk assessment rating with the policy exception risk rating.
    Policy to Entity Type

    [sn_compliance_m2m_policy_profile_type]

    Extends Document to Entity Type [sn_grc_m2m_document_profile_type] and is a many-to-many relationship table that is used to manage the relationships between policies and entity types.
    Control Objective to Citation

    [sn_compliance_m2m_statement_citation]

    Many-to-many relationship table that is used to manage relationships between control objectives and their related citations.
    Control Objective to Entity Type

    [sn_compliance_m2m_statement_profile_type]

    Extends Content to Entity Type [sn_grc_m2m_content_profile_type] and is a many-to-many relationship table that is used to manage the relationships between control objectives and entity type.
    Control objective

    [sn_compliance_policy_statement]

    Extends the Content [sn_grc_content] table and stores all control objectives.
    Control objective requirement

    [sn_compliance_policy_stmt_requirement]

    Stores the requirement number and the requirement description of a control objective requirement.
    Control objective to Control objective requirement

    [sn_compliance_m2m_policy_stmt_policy_stmt_rqmt]

    Many-to-many relationship table that is used to manage relationships between control objective and control objective requirement.
    Control requirement

    [sn_compliance_control_requirement]

    Stores the requirement number of a control.
    Control to Control requirement

    [sn_compliance_m2m_control_control_requirement]

    Many-to-many relationship table that stores the control and control requirement details. The Implementation status field indicates whether the requirement is inherited or self-implemented.
    Requirement selection

    [sn_compliance_hybrid_selection]

    Stores the selections of control requirements. It contains the details of control requirements, control objective, entity, and authorization package.
    Policy exception

    [sn_compliance_policy_exception]

    Stores all policy exceptions.
    Policy to Policy Statement

    [sn_compliance_m2m_policy_policy_statement]

    Many-to-many relationship table that is used to manage relationships between policy and control objectives.
    Control to entity

    [sn_compliance_m2m_control_entity]

    Extends Item to entity [sn_grc_m2m_entity_item] table.
    Note:
    All additional tables installed by the dependent plugins are also needed for Policy and Compliance Management.

    Access limitations for GRC business user role

    Access controls (ACLs) and role conditions that used the snc_internal role (or no role) are replaced with the sn_grc.business_user role, both to control the access level of different users to compliance tables and to track their usage.

    GRC business user (sn_grc.business_user) role
    The GRC business user role is granted to users who can perform any GRC operations. It is also granted to users with the snc_internal role who have performed all operations such as creating policy exceptions and issues, and responding to attestations, acknowledgements, and other operations. This role is installed with the GRC Profiles plugin.
    GRC business user – lite (sn_grc.business_user_lite) role
    Users who can perform only limited operations with the snc_internal role are considered lite operators. Such users are given the GRC business user – lite (sn_grc.business_user_lite) role so that their lite usage of compliance tables can be tracked through the role. This role is granted through an explicit roles plugin, GRC: Business User – Lite, which can be installed by users with maint access or by ServiceNow support teams.
    For more information on install, upgrade, and role assignments, see the GRC Business User Role [KB0864247] article in the Now Support Knowledge Base.
    Note:
    You must log in to Now Support to view the articles.

    The access limitations of users with the GRC business user role and other roles for the different compliance tables and other related tables are listed below. For more information, see the Security tightenings for GRC: Policy and Compliance Management [KB1112315] article in the Now Support Knowledge Base.

    Control Objective
    • Users with GRC business user or business user lite role can read all control objectives.
    • If GRC: Audit Management application is installed and the control objective has a published policy associated to it, then users with external auditor role can read such control objectives.
    • Users with business user lite have read access to report an issue or policy exception.
    Policy
    • Users with GRC business user or business user lite role can read all policies.
    • If GRC: Audit Management application is installed, users with external auditor role can read all published policies.
    • Users with business user lite have read access to policies so as to create policy exceptions.
    Policy to Control Objective M2M
    • Users with GRC business user or business user lite role can read a policy to control objective M2M record.
    • If GRC: Audit Management application is installed, users with external auditor role can read a policy to control objective M2M record if the policy is published.
    Control [sn_compliance_control]
    • Users with GRC business user or business user lite role can view a control.
    • If GRC: Audit Management application is installed, users with external auditor role can read a control.
    Assessment Instance [asmt_assessment_instance]
    • Users with GRC business user and business user lite role can view attestations that are assigned to them.
    • ServiceNow users with GRC business user or business user lite role can take assessments.
    • Users with GRC business user or business user lite role can view My Grouped Attestations module.
    • Users with GRC business user and business user lite role can view Group Assessment UI and Ungroup Assessment UI actions.
    • Users with GRC business user and business user lite role can view My Attestations option in GRC application menu.
    Assessment Metric Type [asmt_metric_type]
    User role is set to GRC business user or business user lite if the evaluation is attestation, the table is Policy Exception, and the role is empty.
    Control Overview report
    User with GRC reader role can view the control overview report.
    Issue [sn_grc_issue]
    Report and View issues in Service Portal
    Users with GRC business user role can report an issue and view their reported issues in Service Portal. GRC business user is the minimum role required to view My Issues in the Service Portal.
    Read
    Users with the following roles can view an issue:
    • GRC user (sn_grc.user) role
    • GRC business user or business user lite role. Furthermore, the user must fulfil any one of the following conditions:
      • Assigned to field in the issue is the user.
      • Assigned to of the parent issue is the user or Assignment group of the parent issue is one of the user's groups.
      • Assignment group is one of the user's groups. Additionally, the user must also have the GRC business user role.
      • Issue manager is the user.
      • Issue manager group is one of the groups that belong to the logged in user.
      • Control/Risk of the issue has an owner and the owner is the user.
      • Issue is created by the logged in user.
      • Issue is created out of an issue triage opened by the user.
      • Logged in user is the assignee or watchlist user on a remediation task for the issue.
      • If GRC: Audit Management is installed and the user is an external auditor only, then an auditor on a closed engagement that had control test issues or other issues can view only those issues.
    Write
    If the user with the business user role is also the user designated in the Assigned to field, then the user can edit:
    • Name
    • Description
    • Issue manager
    • Issue manager group
    • Action plan
    • State
    • Parent issue
    • Additional comments
    • Work notes
    • Response
    • Explanation
    If the user with the business user lite role is also the user designated in the Assigned to field, then the user can edit:
    • Issue manager
    • Issue manager group
    • State
    • Parent issue
    • Additional comments
    • Work notes
    • Response
    • Explanation
    Note:
    If users with business user and business user lite roles have reported an issue, then they can add comments to the issue. However, a GRC user can edit all issues.
    View My Open Issues
    Users with a minimum role of a GRC business user or business user lite can view their open issues.
    Issue grouping
    Issue grouping is only open to users with GRC user role.
    Send information
    A minimum of GRC business user or business user lite role is required to send information for the issue.
    Issue Source [sn_grc_issue_source]
    A minimum of GRC business user role is required to view and edit the Issue Source table.
    Remediation task [sn_grc_task]
    • User in the Assigned to field of the Remediation task table must have a minimum of GRC business user or business user lite role.
    • For read access, users who have a remediation task assigned to them or who are the watchlist users on the remediation task must have a GRC business user or business user lite role. The Assigned to user of the issue, the issue manager of the issue, or any user with GRC manager (sn_grc.manager) role can view a remediation task.
    • My Open Remediation Tasks is visible to users with a minimum role of GRC business user or business user lite.
    My Indicator Task [sn_grc_indicator_task]
    Users with GRC business user or business user lite role can access My Indicator Tasks.
    Policy Acknowledgement
    Users with GRC business user or business user lite role can:
    • Acknowledge policies from ServiceNow AI Platform UI and Service Portal.
    • View My Acknowledgements menu option in Service Portal.
    • View Acknowledgement instances [sn_compliance_policy_acknowledgement_instance] that are assigned to them.
    Policy Exception [sn_compliance_policy_exception]
    Users with GRC business user or business user lite role can:
    • Raise Policy Exceptions from ServiceNow AI Platform and Service Portal.
    • View policy exception. Users with read access include users who requested policy exception, are present in watch list, and are verification approvers, final approvers, impacted control owners, and compliance managers.
    For more information, see:

    Properties installed with GRC: Policy and Compliance Management

    Properties are added with activation of GRC: Policy and Compliance Management.

    Name Description
    Entity hierarchy based scoring

    sn_compliance.entity_hierarchy_based_scoring

    • Type: true or false
    • Default value: false
    • Location: All > Policy and Compliance > Administration > Properties
    Trigger control attestations based on the created or updated date of the last completed attestation

    sn_compliance.attestation_run_reference_date_field

    • Type: string
    • Default value: Created date, Updated date
    • Location: All > Policy and Compliance > Administration > Properties
    States for which the control is active (the first state is the default active state)

    sn_compliance.active_states

    Compliance administrators can change this setting.
    • Type: string
    • Default value: draft, assess, review, monitor
    • Location: Policy and Compliance > Administration > Properties
    States for which control is inactive (the first state is the default inactive)

    sn_compliance.closed_states

    Compliance administrators can change this setting.
    • Type: string
    • Default value: retired
    • Location: Policy and Compliance > Administration > Properties
    Name of the assessment metric type that is used for attestations

    sn_compliance.default_attestation

    System administrators can change this setting.
    • Type: string
    • Default value: GRC Attestation
    • Location: Policy and Compliance > Administration > Properties
    sn_compliance.glide.script.block.client.globals
    • Type: true or false
    • Default value: false
    • Location: Policy and Compliance > Administration > Properties
    Name of the knowledge base used to publish Policy articles

    sn_compliance.knowledge_base

    Compliance administrators can change this setting.
    • Type: string
    • Default value: Governance, Risk, and Compliance
    • Location: Policy and Compliance > Administration > Properties
    Enable smart assessments on control

    sn_compliance.enable_smart_assessments

    Property that enables the assessment of controls using the non-classic assessment engine.
    • Type: true or false
    • Default value: false