Roles installed with Risk Management

  • Release version: Zurich
  • Updated July 31, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Roles installed with Risk Management

    This document outlines the roles associated with the GRC: Risk Management application, detailing the permissions and capabilities each role provides to users. Understanding these roles is essential for effective risk management within the ServiceNow platform.

    Show full answer Show less

    Key Features

    • Risk Reader [snrisk.reader]: Grants read-only access to the Risk application, allowing users to act on assigned issues, view indicator templates, and access risk-related data and dashboards.
    • Risk User [snrisk.user]: Includes permissions from the Risk Reader role, enabling users to create risks, view various risk-related entities, and work on risk acceptance and remediation tasks.
    • Risk Manager [snrisk.manager]: Allows for the creation of issues, risk frameworks, and remediation tasks, along with access to risk management dashboards.
    • Risk Admin [snrisk.admin]: Provides comprehensive administrative capabilities, including the ability to delete or modify risks and frameworks and configure risk assessment methodologies.
    • Assessment Creator [snrisk.asmtcreator]: Specifically used for creating risk assessment metric types.
    • GRC Business User [sngrc.businessuser]: Empowers users to take risk assessments, create tasks, and engage in various risk management activities, including reporting and responding to metrics data tasks.

    Key Outcomes

    By effectively implementing these roles, ServiceNow customers can enhance their risk management processes, ensure proper access controls, and facilitate collaboration among team members. Each role is designed to provide specific access and capabilities, which streamlines risk assessment and management tasks, ultimately leading to improved organizational risk posture.

    Roles are added with activation of GRC: Risk Management.

    Table 1. Roles installed
    Role title [name] Description Contains roles
    Risk Reader

    [sn_risk.reader]

    		 In addition to the inherited permissions, the risk reader has read-only access rights to the Risk application and modules. The risk reader can do the following in the GRC scope:
    • Act on issues assigned to him.
    • Have read access to all Indicator templates.
    • Can act on indicator tasks assigned to them.
    • Have read-access to indicators.
    • Have read-access to entities.

    The risk reader can do the following in the Risk Management application:

    • Act on the Remediation tasks assigned to them.
    • Have read-access to risks.
    • Take old risk assessment.
    • Have read-access to risk statement and risk framework.
    • Perform advanced risk assessment.
    • Create risk events.
    • Work on risk event tasks and issues.
    • Access all risk events and risk dashboards.
    • Have read-access to feedback.
    • sn_grc.reader
    • survey_reader
    • sn_rvw_feedback.reader
    Risk User

    [sn_risk.user]

    		 Contains the reader and business user roles in sn_grc scope, and the reader role in the Risk Management application and business user role in the sn_grc scope. In addition to the inherited permissions, the risk user can view:
    • entity types
    • entities
    • risks
    • remediation tasks
    • control
    • control objectives
    • policy exceptions

    The risk user can also create risks. The risk user can be assigned risks and has read-only access to the Policy and Compliance Management application and modules. Risk user can do everything that the risk reader can do. The risk reader can do the following in the Risk Management application:

    • Work on risk acceptance tasks and remediation tasks.
    • Create risks.
    • Access the Advanced Risk related dashboards.
    • Have read-access to the risk identification functionality of Advanced Risk and can take assessment related to risk identification.
    • Create assessment scope.
    • sn_grc.user
    • sn_compliance.reader
    • sn_risk.reader
    • survey_reader
    • sn_grc.business_user
    • sn_risk_advanced.ara_creator
    Risk Manager

    [sn_risk.manager]

    		 Contains the reader, user, and manager roles in sn_grc scope, and the reader and user roles in the Risk Management application. In addition to the inherited permissions, the risk manager can do the following in the GRC scope
    • Create issues and issue ratings.
    • Create entity, entity types, and entity classes and class rules.
    • Create content references.
    • Create indicators and indicator templates.
    • Have read-access to entity tier.

    In the Risk Management application, the risk manager can:

    • Create risk frameworks
    • Create risk statements
    • Create risks
    • Create risk event response template.
    • Create risk identifications and can view the dashboard related to risk identification.
    • Create remediation tasks.
    • Create assessment scheduler.
    • Associate risk statements to Information objects using Associate risk statements module.
    • sn_grc.manager
    • sn_risk.user
    Risk Admin

    [sn_risk.admin]

    		 Contains the reader, user, manager, and admin roles in sn_grc scopes, and the reader, user, and manager roles in the Risk Management application. In addition to the inherited permissions, in the GRC scope, the risk admin can create an entity tier. In the Risk Management application, the risk administrator can:
    • Delete risk frameworks.
    • Delete entity, tables, indicator, risks, issues, tasks.
    • Create risk statements and risks.
    • Modify admin properties.
    • Modify risk criteria.
    • Create causes and consequences of risk event.
    • Access to risk, advanced risk related properties.
    • Create risk identification configuration.
    • Create a risk assessment methodology, all types of factors.
    • Perform administrative activities.
    • Configure a feedback integration setup for any record type.
    • sn_grc.admin
    • sn_risk.user
    • sn_risk.manager
    • sn_grc_appr.admin
    • sn_rvw_feedback.admin
    Assessment Creator

    [sn_risk.asmt_creator]

    		 The assessment creator is used for creating GRC risk assessment metric types. assessment_admin
    GRC Business User

    [sn_grc.business_user]

    		 Users with this role can perform the following tasks:
    • Take risk assessment.
    • Create risk response tasks.
    • View risk statements.
    • View risk assessment scope.
    • View and report risk events.
    • Work on assigned risk event tasks.
    • View indicator supporting data.
    • Respond to indicator tasks.
    • Respond to risk identification questionnaire.
    • Respond to metrics data tasks.
    • Report issues.
    • Submit issue triage requests.
    • Work on assigned remediation tasks.
    • Work on assigned issues.
    • If there is an integration with Project Portfolio Management:
      • View the Project Risk Overview dashboard
      • Create risks from library.
      • Elevate enterprise risks.
      • Initiate any object assessment.
    		 None