<h2>Common roles in Governance, Risk, and Compliance</h2><br/><div style="overflow-x:auto"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><meta content="text/html; charset=UTF-8" /><meta name="copyright" content="(C) Copyright 2024" /><meta name="DC.rights.owner" content="(C) Copyright 2024" /><meta name="generator" content="DITA-OT" /><meta name="DC.type" content="reference" /><meta name="DC.title" content="Common roles in Governance, Risk, and Compliance" /><meta name="abstract" content="Certain common roles are used in multiple GRC modules." /><meta name="description" content="Certain common roles are used in multiple GRC modules." /><meta name="DC.relation" scheme="URI" content="../../../product/grc-common/concept/common-grc-features.html" /><meta name="DC.relation" scheme="URI" content="../../../product/grc-common/reference/r_WhatIsGRC.html" /><meta name="DC.creator" content="ServiceNow" /><meta name="DC.date.created" content="2022-08-04" /><meta name="DC.date.modified" content="2022-08-04" /><meta name="DC.format" content="XHTML" /><meta name="DC.identifier" content="grc-common-roles" /><link rel="stylesheet" type="text/css" href="../../../CSS/commonltr.css" /><title>Common roles in Governance, Risk, and Compliance</title></head><body id="grc-common-roles"> <h1 class="title topictitle1" id="ariaid-title1">Common roles in <span class="ph">Governance, Risk, and Compliance</span></h1> <div class="body refbody"><p class="shortdesc">Certain common roles are used in multiple <span class="ph">GRC</span> modules.</p> <div class="section" id="grc-common-roles__section_bqv_djm_nnb"> <div class="p"> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="grc-common-roles__table_cqv_djm_nnb" class="table" frame="border" border="1" rules="all"><caption><span class="tablecap"><span class="table--title-label">Table 1. </span>Common roles</span></caption><colgroup><col style="width:33.33333333333333%" /><col style="width:33.33333333333333%" /><col style="width:33.33333333333333%" /></colgroup><thead class="thead" style="text-align:left;"><tr class="row"><th class="entry cellrowborder" style="text-align:left;vertical-align:top;" id="d62282e61">Role title [name]</th><th class="entry cellrowborder" style="text-align:left;vertical-align:top;" id="d62282e64">Description</th><th class="entry cellrowborder" style="text-align:left;vertical-align:top;" id="d62282e67">Contains roles</th></tr></thead><tbody class="tbody"><tr class="row"><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e61 ">GRC Business User<p class="p">[sn_grc.business_user]</p> </td><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e64 ">This role is a part of the <span class="ph">GRC</span> Profiles application. It should be assigned to users who require access only to <span class="ph">GRC</span> applications in the context of performing tasks assigned to them. For example, a business user who needs to respond to an attestation or risk assessment, or who needs to remediate an issue may require this role. 
Users with this role are provided with limited access to data and to information relevant to their assigned tasks. <p class="p">Starting with the 14.x release, the following permissions are available to the users with the sn_grc.business_user role:</p> <div class="p">Policy and Compliance Management<ul class="ul" id="grc-common-roles__ul_yhl_kmh_gtb"><li class="li">Accept work and approve evidence responses.</li><li class="li">Assign remediation task.</li><li class="li">Acknowledge policies.</li><li class="li">Contribute to policies.</li><li class="li">Group and ungroup attestations.</li><li class="li">Request and approve policy exceptions.</li><li class="li">Report issues.</li><li class="li">Respond to observations.</li><li class="li">Submit and request issue triages.</li><li class="li">Take attestation.</li></ul> </div> <div class="p">Risk Management<ul class="ul" id="grc-common-roles__ul_fbk_pmh_gtb"><li class="li">Assign indicator tasks.</li><li class="li">Assign issues.</li><li class="li">Assign remediation tasks.</li><li class="li">Assign risk event tasks.</li><li class="li">Assign risk response tasks.</li><li class="li">Approve and assess Advanced risk assessment.</li><li class="li">Respond to indicator tasks.</li><li class="li">Respond to risk identification questionnaire.</li><li class="li">Respond to metrics data task.</li><li class="li">Report issues.</li><li class="li">Submit issue triage requests.</li><li class="li">Take risk assessment.</li><li class="li">View risk assessment scope.</li><li class="li">View risk statements.</li><li class="li">View and report risk events.</li><li class="li">View indicator supporting data.</li></ul> </div> <div class="p">Integration with Project Portfolio Management <ul class="ul" id="grc-common-roles__ul_gpq_rmh_gtb"><li class="li">Create risk from library.</li><li class="li">Elevate enterprise risk.</li><li class="li">Initiate object assessment.</li><li class="li">View the 
Project Risk Overview Dashboard.</li></ul> </div> <p class="p">During a GRC: Profiles upgrade to either version 11.x or 12.x, users who have performed a GRC operation in the past 90 days are automatically assigned the GRC Business User role. This is a one-time event. The group and role are assigned once during the 11.x or 12.x upgrade.</p> <div class="p">For more information on the GRC Business User role, see <a class="xref" href="https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0864247" target="_blank" rel="noopener noreferrer">KB0864247</a>.<div class="note"><span class="notetitle">Note:</span> You must log in to <span class="ph">Now Support</span> to view the <span class="ph">Knowledge Base</span> articles.</div> </div> <div class="note"><span class="notetitle">Note:</span> Use the <span class="ph">GRC</span> user roles to manage who can access your <span class="ph">GRC</span> records. Previously, users with the snc_internal role could also access the <span class="ph">GRC</span> records. As part of the security updates, each <span class="ph">GRC</span> application has modified access control lists (ACLs) that restrict access to the <span class="ph">GRC</span> records to users with the <span class="ph">GRC</span> roles.</div> </td><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e67 "><ul class="ul" id="grc-common-roles__ul_cjg_zdy_ctb"><li class="li">sn_grc.user_hierarchy_reader</li><li class="li">workspace_user</li><li class="li">sn_grc_workspace.task_reader</li><li class="li">canvas_user</li></ul> </td></tr><tr class="row"><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e61 ">GRC Business User – Lite <p class="p">[sn_grc.business_user_lite]</p> </td><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e64 ">Users with this role can perform only a subset of the tasks that can be performed by users with the sn_grc.business_user role. This role is applicable only for customers who have purchased the ‘Risk Lite Operator’ licence and installed the GRC: Business User – Lite application from the <span class="ph">ServiceNow Store</span>. Risk Lite Operators are users who have the right to perform only one or more of the listed operations. 
The users with this role can perform the following activities:<ul class="ul" id="grc-common-roles__ul_yrq_gg2_vtb"><li class="li">Read and update policy acknowledgment, control attestation, issues assigned to them, remediation task, and evidence request.</li><li class="li">Report and read issues submitted, risk events, and policy exceptions.</li></ul> <div class="p">Risk Management<ul class="ul" id="grc-common-roles__ul_rss_1rg_cyb"><li class="li">Approve advanced risk assessments.<div class="note"><span class="notetitle">Note:</span> To enable lite operators to approve advanced risk assessments, the administrator must manually add the sn_risk_advanced.ara_approver role to GRC: Business User Lite.</div> </li><li class="li">Respond to risk response tasks.</li><li class="li">Approve risk response tasks.</li><li class="li">Review, approve, or reject a risk event.</li><li class="li">Respond to a risk identification questionnaire.</li><li class="li">Update any assigned risk event task.</li><li class="li">Review and respond to the metrics data tasks.</li></ul> </div> </td><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e67 "><ul class="ul" id="grc-common-roles__ul_scs_dgf_wtb"><li class="li">sn_grc_workspace.task_reader</li><li class="li">canvas_user</li><li class="li">sn_grc.user_hierarchy_reader</li></ul> </td></tr><tr class="row"><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e61 ">GRC Admin<p class="p">[sn_grc.admin]</p> </td><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e64 ">Provides administrative access to the GRC suite of applications and modules.</td><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e67 "><ul class="ul" id="grc-common-roles__ul_z1m_kls_ctb"><li class="li">business_process_admin</li><li class="li">sn_grc.user_hierarchy_admin</li><li 
class="li">sn_grc_workspace.task_admin</li><li class="li">sn_grc.manager</li><li class="li">sn_data_registry.admin</li></ul> </td></tr><tr class="row"><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e61 ">GRC System Admin<p class="p">[sn_grc.sn_grc_system_admin]</p> </td><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e64 ">This role is a system role for running scheduled jobs. This role is equivalent to the System Administrator role. For example, if you want to run a scheduled job for policy acknowledgment, you can set up the system to run the job as <span class="ph">GRC</span> Admin.<div class="note"><span class="notetitle">Note:</span> This role is not assigned to a person. It is a technical backend role that is used for running the scheduled jobs.</div> </td><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e67 "><ul class="ul" id="grc-common-roles__ul_t5t_sdy_ctb"><li class="li">admin</li><li class="li">import_admin</li><li class="li">sn_grc.admin</li></ul> </td></tr><tr class="row"><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e61 ">GRC Reader <p class="p">[sn_grc.reader]</p> </td><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e64 ">Provides read access to the <span class="ph">GRC</span> suite of applications and modules.</td><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e67 "><ul class="ul" id="grc-common-roles__ul_gjh_lms_ctb"><li class="li">pa_viewer</li><li class="li">cmdb_read</li><li class="li">sn_data_registry.reader</li></ul> </td></tr><tr class="row"><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e61 ">GRC Manager <p class="p">[sn_grc.manager]</p> </td><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e64 ">Provides management access to the <span class="ph">GRC</span> suite of applications and modules.</td><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e67 "><ul class="ul" id="grc-common-roles__ul_is3_pms_ctb"><li class="li">sn_grc.user</li><li class="li">business_process_manager</li><li class="li">cmdb_query_builder_read</li></ul> </td></tr><tr class="row"><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e61 ">GRC User <p class="p">[sn_grc.user]</p> </td><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e64 ">Provides access to the <span class="ph">GRC</span> suite of applications and modules.</td><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e67 "><ul class="ul" id="grc-common-roles__ul_vcj_vms_ctb"><li class="li">sn_grc.reader</li><li class="li">business_process_user</li><li class="li">sn_grc_pa.sn_grc_pa_viewer</li></ul> </td></tr><tr class="row"><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e61 ">GRC Developer<p class="p">[sn_grc.developer]</p> </td><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e64 ">Provides the ability to perform script-based work in <span class="ph">GRC</span>, such as writing scripted factors, scripted formulae for advanced risk assessment, scripted indicators, and so on.</td><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e67 ">sn_grc.admin</td></tr><tr class="row"><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e61 ">GRC Confidential User<p class="p">[sn_grc.confidential_user]</p> </td><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e64 ">Provides access to the <span class="ph">GRC</span> confidential records.</td><td class="entry cellrowborder" 
style="text-align:left;vertical-align:top;" headers="d62282e67 ">None</td></tr><tr class="row"><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e61 ">GRC User Hierarchy Reader [sn_grc.user_hierarchy_reader]</td><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e64 ">Provides read access to the records in the sn_grc_user_hierarchy table.</td><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e67 ">None</td></tr><tr class="row"><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e61 ">GRC User Hierarchy Admin [sn_grc.user_hierarchy_admin]</td><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e64 ">Users with this role can create and delete the records in the sn_grc_user_hierarchy_configuration table.</td><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e67 ">None</td></tr><tr class="row"><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e61 ">Workspace task reader [sn_grc_workspace.task_reader]</td><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e64 ">Users with this role can read the records in the configuration tables such as tab configuration, applicable tables, and so on.</td><td class="entry cellrowborder" style="text-align:left;vertical-align:top;" headers="d62282e67 ">None</td></tr></tbody></table> </div> </div> </div> </div> </body></html></div>