GRC: Entity Based Access release notes
Summarize
Summarized using AI
This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.
Summary of GRC: Entity Based Access release notes
The GRC: Entity Based Access application enables ServiceNow customers to control and restrict access to Governance, Risk, and Compliance (GRC) entities and related records at a granular level. This ensures that users only view data they are authorized to access, enhancing security, audit compliance, and operational efficiency within the platform.
Show less
Key Features
- Audit Security Enhancements: Access to audit-relevant configuration records is restricted to users with the Third Line Manager role when Audit Workspace is installed, safeguarding sensitive configurations from general users.
- Platform-wide Row-Level Query Security: All Entity-Based Access tables enforce row-level query restrictions, ensuring users see only authorized rows in list views, reports, and REST queries, improving both security and performance.
- Preservation of Custom ACLs: Custom query-level ACLs are detected and preserved during plugin installs and upgrades by deactivating conflicting platform defaults, protecting customer customizations.
- Improved Access Resolution Performance: Optimizations reduce duplication in database queries when determining user access to parent records, resulting in faster list loads and access checks without changing visible records.
- Authorization on Table-Label Lookup: The system now verifies read permissions before displaying table labels for Entity-Based Access reference tables, preventing unauthorized exposure of table names.
- Localization Support: Updated translations for system messages, UI labels, and documentation are available in 23 languages, enhancing usability for non-English speakers.
- Record Attributes User Access Control: Automatically maintains access for users and groups referenced in record fields despite entity-based access restrictions, reducing manual configuration and administrative overhead.
- Entity-Based Data Access Rules Framework: Supports configuration of access restrictions on entities and their related downstream objects, including custom tables, allowing targeted access control (e.g., restricting Risks and Controls by Location or Entity).
- Guided Assistance for Bulk Updates: Provides a four-step guided process to define scopes, related record types, conditions, and review records before applying entity-based access restrictions in bulk.
- Automated Access Restriction Maintenance: When deactivating configurations, the system automatically assesses and removes or retains restrictions based on other active configurations affecting the same records.
- Notification on Bulk Utility Completion: Sends email notifications upon completion of bulk configuration jobs indicating success or failure.
Practical Impact for ServiceNow Customers
By leveraging the GRC: Entity Based Access application, customers can:
- Ensure sensitive GRC configurations and data are visible only to appropriate roles, supporting audit and compliance requirements.
- Improve platform performance and security through enforced row-level access controls and optimized access resolution.
- Protect existing custom security configurations during upgrades, minimizing disruption.
- Streamline administrative tasks with guided bulk updates and automatic access maintenance, reducing manual effort and errors.
- Support multilingual environments with expanded localization for global teams.
- Extend entity-based access controls to custom tables and complex entity relationships for tailored security policies.
Overall, this application enhances governance capabilities by tightly managing who can view and modify critical GRC data, thus helping organizations maintain compliance and secure their risk management processes effectively.
Version history for the GRC: Entity Based Access application on the ServiceNow Store.
Important:
For details on system requirements and family compatibility, view the application
listing on the ServiceNow Store
website.
Version history
- Version 22.3.1 - June 2026 (Australia)
-
- This release adds new security restrictions, performance improvements, and localization updates to GRC Entity-Based Access.
- Audit Workspace restricts sensitive configurations: Access configuration records flagged as audit-relevant are now visible only to users with the Third Line Manager role when Audit Workspace is installed alongside Entity-Based Access, hiding them from general users to enhance audit security.
- Row-level query security enforced platform-wide: All Entity-Based Access tables now have platform-managed row-level query restrictions, ensuring that users only see rows they are authorized to access during list views, reports, and REST queries, improving security and performance.
- Preservation of custom query ACLs: During plugin installation and upgrades, custom query-level ACLs are detected and preserved by deactivating conflicting platform defaults, ensuring that customer customizations remain intact and clearly distinguished from system-supplied ACLs.
- Improved access resolution performance: The process determining user access to parent records has been optimized to deduplicate matching records within the database, resulting in faster list loads and access checks without changing which records users can see.
- Tightened authorization on table-label lookup: The internal service that returns display labels for Entity-Based Access reference tables now checks read permissions before providing the label, preventing unauthorized users from seeing table names in the user interface.
- Localization updates in 23 languages: Translations for system messages, UI labels, and documentation have been refreshed across 23 languages, improving the experience for non-English speakers and ensuring previously missing strings are now translated.
- Version 22.0.1 - March 2026
- Fixed: Emails are sent upon completion of the bulk utility configurations job to notify users of successful changes or failures.
- Version 21.1.4 - December 2025 (Zurich)
-
- New: Record Attributes User Access control: Maintain seamless access for users and groups referenced in record fields even though entity-based access is enabled. This avoids manual configurations, reduces administrative overhead, and helps in adopting entity-based access with minimal disruption.
- Fixed: When Entity type configuration is deactivated, Entity type configuration was not removing the EBA restriction.
- Version 21.0.2 - August 2025
-
- New:
- Continuous maintenance of access restrictions on entity's related record types.
- Introduced "Entity based data access rules" configuration.
- Support for enabling Entity-based access on custom tables.
- Provided entity-based access admin to perform CRUD operations on "Applicable record type" table.
- Changed:
- Entity access update utility experience from record page to guided assistance.
- Apply entity-based access (EBA) restrictions at the record level by using guided assistance in the bulk access update utility.
- Guided assistance consists of a four-step process:
- Define the scope for the relevant entities, entity types, or entity classes.
- Scope the related record types
- Apply the conditions to each record type to refine the scope
- Review the selected records before you execute and initiate the update
- Fixed:
- Entity-based access configuration deactivation behaviour
- Deactivate entity-based access configuration, enabling the system to automatically assess the records that it impacts.
- If only the configuration is restricting a record, the access restrictions are removed.
- If other configurations also apply to the record, the restrictions remain in place and only the selected configuration is deactivated.
- New:
- Version 20.1.4 - May 2025
-
- New framework to set up configurations to restrict access on entities and related downstream objects.
- For example, restrict access to Risks and Controls of specific Locations or Entities to certain User groups or Users.