GRC Business User Role (sn_grc.business_user)

Details

Background

The Governance, Risk, and Compliance (GRC) product line requires action from many users who do not have a traditional product role, such as Compliance Reader or Risk Reader. Even the reader roles allow access to the product module, dashboard, reports, and read-only tables. To improve the internal security of the product, we created a dedicated GRC Business User role (sn_grc.business_user). This role should be assigned to users who require access only to GRC applications to perform tasks assigned to them; for example, a business user who must respond to an attestation or risk assessment. Users with the sn_grc.business_user role are provided limited access to information that is relevant to the tasks assigned to them.

The sn_grc.business_user role is also used for integration scenarios between GRC and other ServiceNow products. For example, a Vulnerability Response user with the sn_grc.business_user role can request a policy exception from GRC: Policy and Compliance Management.

Install and Upgrade Behavior

Beginning with the GRC 11.x release, there is a one-time activity during install or upgrade to assign the sn_grc.business_user role to users. This assignment occurs only once, so future product upgrades will not assign the role to additional users.

- The 11.0.3 and 11.1.0 versions of the GRC:Profiles application add the sn_grc.business_user role to all users in the sys_user table so that tasks that could be assigned to any employee, such as attestations, are still allowed.
- The 11.1.1 version of the GRC:Profiles application modifies the logic of the 11.0.3 and 11.1.0 versions to apply the sn_grc.business_user role only to users that have performed a GRC operation in the past 90 days.
- The 12.x versions of GRC:Profiles use the same logic as the 11.1.1 version: the sn_grc.business_user role is added only to users that have performed a GRC operation in the past 90 days.

The Quebec platform release through patch 3 includes GRC:Profiles 11.0.3. Quebec patch 4 and later includes GRC:Profiles 11.1.1.

Recommendation: the 12.x versions of the GRC applications are compatible with the Quebec platform, so they are recommended for the latest features and fixes. Alternatively, version 11.1.1 of GRC:Profiles can be installed via Quebec patch 4 or later.

Skip Role Assignment on Upgrade

For the 12.x version of GRC, you can skip the automatic assignment of the sn_grc.business_user role by enabling the property skipBusinessUserUpdate = true in the global scope prior to upgrading. If you skip the GRC Business User group population, both the group and the role are still created. The group will be empty after the upgrade and the role will not be assigned to any users. You can manually add users to the GRC Business User group at any time to give them the sn_grc.business_user role.

Manage Role Assignment

The sn_grc.business_user role is assigned to all users that belong to the GRC Business User group. You can add or remove users from the group to grant or remove the sn_grc.business_user role. If you want to remove the sn_grc.business_user role from all users, follow the instructions in KB0997157.

Frequently Asked Questions

If I installed version 11.0.3 or version 11.1.0 of GRC:Profiles and users have been assigned the sn_grc.business_user role, will the role be removed from those users if I upgrade to Quebec patch 4 or GRC:Profiles 12.x?

After a user has been assigned the sn_grc.business_user role, the role is not removed by upgrading the version of GRC:Profiles. Follow the instructions in the "Manage Role Assignment" section of this article to remove the sn_grc.business_user role from user accounts if needed.

If I upgrade directly to Quebec patch 4 or newer from an older platform release, which logic for populating the sn_grc.business_user role will I get?

Quebec patch 4 and newer includes version 11.1.1 of GRC:Profiles. Only users that have performed a GRC operation in the past 90 days are assigned the sn_grc.business_user role.

GRC Business User Role Permissions

Consult the product documentation for the current permissions available to users with the sn_grc.business_user role. The following is a snapshot of permissions as of the 14.x release.

Policy and Compliance Management
- Take an attestation
- Group and ungroup attestations
- View policies
- View control objectives
- Acknowledge policies
- Update policy as a contributor through Office 365 integration
- Request policy exceptions
- Approve policy exceptions if requested by the initial approver or reviewer
- Report issues
- Submit issue triage requests
- Assigned remediation tasks
- Assigned issues
- Respond to observations
- Respond to evidence request tasks
- Approve evidence request tasks if requested by respondent
- View indicator supporting data
- Assigned indicator tasks

Risk Management
- Take risk assessment
- Assigned risk response task
- Respond to risk identification questionnaire
- Respond to metrics data task
- View risk statements
- View risk assessment scope
- Approver and assessor of Advanced risk assessment ***
- View and report risk events
- Assigned risk event tasks
- View indicator supporting data
- Respond to indicator tasks
- Report issues
- Submit issue triage requests
- Assigned remediation tasks
- Assigned issues

Integration with Project Portfolio Management
- View Project Risk Overview Dashboard
- Create new project risk from risk library
- Elevate project risk to enterprise risk
- Initiate risk assessment

*** Approver and assessor of Advanced risk assessment requires the sn_risk_advanced.ara_assessor and sn_risk_advanced.ara_approver roles beginning with GRC: Advanced Risk 14.1.2
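The following is an added example, not ServiceNow's own code: it models the one-time population logic described under "Install and Upgrade Behavior" (all users for 11.0.3/11.1.0, 90-day GRC activity for 11.1.1/12.x, and the skipBusinessUserUpdate property) and the follow-up review an administrator would run under "Manage Role Assignment" to find group members with no recent GRC operation. The record shapes, field names and activity log are constructed stand-ins, not real sys_user or group-membership tables.

```javascript
// Added example (not ServiceNow's code): models the one-time population of the
// GRC Business User group during a GRC:Profiles install/upgrade and a follow-up
// least-privilege review of the group. The record shapes and activity log are
// constructed stand-ins for sys_user / group-membership data, not real tables.
const DAY_MS = 24 * 60 * 60 * 1000;
const ACTIVITY_WINDOW_DAYS = 90; // window used by GRC:Profiles 11.1.1 and 12.x

// Users with at least one GRC operation inside the 90-day window.
function activeWithinWindow(grcActivity, now) {
  const cutoff = now - ACTIVITY_WINDOW_DAYS * DAY_MS;
  return new Set(grcActivity.filter(a => a.at >= cutoff).map(a => a.user));
}

// Returns the sys_ids that the one-time job would add to the group.
//  - assignAllUsers = true  models GRC:Profiles 11.0.3 / 11.1.0 (every sys_user)
//  - assignAllUsers = false models 11.1.1 / 12.x (90-day activity only)
//  - props.skipBusinessUserUpdate === 'true' (12.x) leaves the group empty
function selectBusinessUsers(users, grcActivity, props, now, assignAllUsers) {
  if (String(props.skipBusinessUserUpdate) === 'true') return [];
  if (assignAllUsers) return users.map(u => u.sys_id).sort();
  const active = activeWithinWindow(grcActivity, now);
  return users.filter(u => active.has(u.sys_id)).map(u => u.sys_id).sort();
}

// Upgrades never remove the role (see the FAQ above), so group members with no
// GRC operation in the window are the candidates for manual removal.
function staleGroupMembers(groupMembers, grcActivity, now) {
  const active = activeWithinWindow(grcActivity, now);
  return groupMembers.filter(id => !active.has(id)).sort();
}

// Constructed sample data.
const NOW = Date.UTC(2024, 0, 1);
const USERS = [{ sys_id: 'u1' }, { sys_id: 'u2' }, { sys_id: 'u3' }];
const ACTIVITY = [
  { user: 'u1', at: NOW - 10 * DAY_MS },  // attestation 10 days ago
  { user: 'u2', at: NOW - 120 * DAY_MS }, // last GRC task 120 days ago
];

console.log(selectBusinessUsers(USERS, ACTIVITY, {}, NOW, true));  // ['u1','u2','u3']
console.log(selectBusinessUsers(USERS, ACTIVITY, {}, NOW, false)); // ['u1']
console.log(selectBusinessUsers(USERS, ACTIVITY, { skipBusinessUserUpdate: 'true' }, NOW, false)); // []
console.log(staleGroupMembers(['u1', 'u2', 'u3'], ACTIVITY, NOW)); // ['u2', 'u3']
```

In a real instance the activity log would come from the GRC task tables and the membership list from the GRC Business User group; the selection and review rules stay the same.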