GRC Domain Separation Strategy

What are we solving?

Consider a Managed Service Provider (MSP) that owns a ServiceNow instance. In the diagram below, the MSP shares the instance with three organizations: ACME, Cisco, and Initech. Imagine the Risk Manager at ACME creates an entity type (ACME ET) to track high-priority incidents within their organization. The expected behavior, as part of continuous monitoring, is that the GRC: Profile Generation job qualifies and generates entities from ACME's records only. Currently, the job qualifies records across all three organizations. The same job also generates dependent objects such as Risks and Controls according to the Entity Type setup.

Root cause: the domain a scheduled job runs in depends on which of the following cases applies:
- If the job is configured with a Run as user, it runs in that user's domain.
- If ServiceNow's domain iterator is configured, the job is started once in each distinct domain found in the configured domain source table.
- If neither of the above is configured, the job runs in the Global domain.

Two important facts about the Global domain:
- The Global domain can access data from all other domains.
- Data in the Global domain can be accessed by everyone across all domains.

In the diagram, each domain holds 10 P1 incidents. When the GRC: Profile Generation job runs in the Global domain, it causes the following problems:
- The job qualifies all 30 incidents and creates 30 entities instead of 10, because a job running in the Global domain can query incidents across all domains and creates entities for every one of them.
- Any other object created by the job that has no domain assignment logic of its own (Issue, Risk to Control, Basel Reports and the other objects marked Global in the table below) is created in the Global domain, where every domain can see it.
Both problems were identified through customer case tasks: entities created from Cisco's and Initech's records were being placed inside ACME, and the other generated objects were not being assigned to the correct domains.

Solution: enable the Domain Iterator flag on the GRC: Profile Generation job, with the Entity Type table as the domain source. The job is then invoked N times, where N is the number of distinct domains in the Entity Type table. Each run executes in one domain, reads only the data visible from that domain, and has no access to data in other domains. After the job runs, only the 10 ACME entities are created, and they are placed in the ACME domain.

We are also introducing new business rules for GRC objects. These rules set the domain of newly created objects; they do not run on update.

Business rule naming convention: Domain - <Action> - <Applicable Object>
Example BR name: Domain - Set Domain - Entity

Note: these business rules are given the highest order value so that they run last and override any existing custom domain assignment logic implemented in a customer's instance. If you do not want them to override your logic, disable the new business rules and implement your own domain assignment.

The table below lists the objects generated by the Profile Generation job, with the old and the new logic for deriving each object's domain.
| Object | Before June release (old logic): domain assigned from | After June release (new logic): domain assigned from |
|---|---|---|
| Entity | Entity Type | Applies to record |
| Entity to Entity Type | Entity Type | Entity Type |
| Entity to Information Object | Global | Entity |
| Indicator | Indicator Template | Indicator Template |
| Issue | Global | Risk or Control |
| Risk | Entity | Entity |
| Risk to Control | Global | Risk |
| Control | Entity | Entity |
| Basel Reports | Global | Risk Event |
| Risk Assessment | Global | Risk |
| Rollup Result | Global | Risk Assessment |
| Entity Type to Risk Statement | Global | Risk Statement |
| Risk Identification | Global | Entity Type |
| Compliance Score | Global | Entity Type |
| Inherited Requirement | Global | Entity Type |
| Control to Control Requirement | Global | Entity Type |
| Control Requirement | Global | Entity Type |
| Control to Entity | Global | Entity Type |

After implementing the above approaches, GRC objects are assigned domains as shown in the following diagram.

Impact of the new domain assignment logic on customers:
- Previously, entities were assigned the Entity Type's domain. After the June release, they are assigned the domain of the 'Applies to' record.
- The business rules introduced in this release override any existing domain separation logic implemented in customer instances.
- If a customer has modified the GRC: Profile Generation job, the domain iterator change is not applied by the upgrade, and entities will not be generated. Such customers should enable the domain iterator manually, as shown in the screenshot of the GRC: Profile Generation job above.

The following table shows when and where the new logic takes effect. Note: the new logic applies only when creating new objects, not when updating existing ones.
Acronyms: NC = No Change, NLA = New Logic Applied. "Non-sep" and "Sep" stand for non-domain-separated and domain-separated customers.

| Impact on new | Before June 2024: Non-sep | Before June 2024: Sep | After June 2024 (OOB): Non-sep | After June 2024 (OOB): Sep | After June 2024, new BRs and domain iterator disabled: Non-sep | After June 2024, new BRs and domain iterator disabled: Sep |
|---|---|---|---|---|---|---|
| Entity | NC | NC | NC | NLA | NC | NC |
| Risk | NC | NC | NC | NLA | NC | NC |
| Control | NC | NC | NC | NLA | NC | NC |
| Issue | NC | NC | NC | NLA | NC | NC |
| Item Assessment | NC | NC | NC | NLA | NC | NC |
| Entity to Entity Type | NC | NC | NC | NC | NC | NC |
| Entity to Information Object | NC | NC | NC | NLA | NC | NC |
| Control Objective | NC | NC | NC | NC | NC | NC |
| Indicator | NC | NC | NC | NC | NC | NC |
| Basel Reports | NC | NC | NC | NLA | NC | NC |
| Risk Assessment | NC | NC | NC | NLA | NC | NC |
| Risk to Control | NC | NC | NC | NLA | NC | NC |
| Rollup Result | NC | NC | NC | NLA | NC | NC |
| Entity Type to Risk Statement | NC | NC | NC | NLA | NC | NC |
| Risk Identification | NC | NC | NC | NLA | NC | NC |
| Authority Document | NC | NC | NC | NC | NC | NC |
| Citation | NC | NC | NC | NC | NC | NC |
| Policy | NC | NC | NC | NC | NC | NC |

Limitations:
- The new domain separation logic applies only to records created after the upgrade. Existing customer data is not changed.
- Cascading domain updates are not supported. For example, if an Entity's domain changes from ACME to Cisco, the change is not propagated to its downstream objects (Risks, Controls, and their own downstream objects). This is a conscious decision to avoid performance impact and will be addressed in a future release.
- The new business rules override any existing domain assignment logic implemented in the customer's instance. Turn them off if you want to keep your existing rules working or create your own.
- If the GRC: Profile Generation job has been modified, the domain iterator change is not applied by the upgrade. Enable the domain iterator manually, as shown in the screenshot of the GRC: Profile Generation job above.
Guidelines:
- Follow the domain separation best practices.
- Use domain-separated tables as the target tables in entity filters. GRC domain separation then works as designed and entities land in the 'applies to' record's domain. Otherwise, objects are assigned to the Default domain and the MSP has to reassign them to the correct domains by hand.
- Keep every record in a domain-specific table within its own domain and avoid making records global, because that triggers the problem described in the previous point: an entity for a global record is created in the Default domain, and since the Default domain is not accessible from other domains, the Entity to Entity Type relationship, Risks, Controls and any other related objects are not created for it.
- Keep related objects in the same domain. For example, if a Risk Statement is in the parent domain and the Risk is in a child domain, users in the child domain can see the Risk, but the Risk Statement appears empty because they cannot access data in the parent domain.
- The Domain Separation plugin must be installed before the domain iterator can be enabled.
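The following is an added example, written for this page and not ServiceNow's or the GRC application's own code. It is a small in-memory model of the behaviour described in the Solution section (a Global-domain run versus one run per distinct Entity Type domain) and in the Guidelines (an 'applies to' record left in the Global domain). The domain tree (global as root, with ACME, Cisco, Initech and Default as its children), the visibility rule (a domain reads its own records, global records, and records in its descendants, so siblings cannot see each other), the sample incidents, the entity type filter and the "global record goes to Default" mapping are all assumptions constructed for the illustration; the function and field names are hypothetical.

```javascript
// Added example, not ServiceNow code: an in-memory model of the job and the domain rules
// described on this page. Domain tree, tables and the entity filter are constructed.

// Domain tree (assumption): global is the root; the three customer domains and the
// Default domain are its children, so they are siblings of each other.
const PARENT = { global: null, ACME: 'global', Cisco: 'global', Initech: 'global', default: 'global' };

function isAncestor(candidate, domain) {
  for (let d = PARENT[domain]; d; d = PARENT[d]) if (d === candidate) return true;
  return false;
}

// A run in `viewer` can read a record when it is in the same domain, in the global
// domain (readable by everyone), or in a descendant of `viewer`. Sibling domains,
// including Default, are invisible to each other.
function visibleFrom(viewer, recordDomain) {
  return recordDomain === viewer || recordDomain === 'global' || isAncestor(viewer, recordDomain);
}

// Constructed sample data: 10 P1 incidents in each customer domain, optionally plus one
// P1 incident left in the global domain (the situation the Guidelines warn about).
function sampleIncidents(withGlobalIncident = false) {
  const rows = [];
  for (const dom of ['ACME', 'Cisco', 'Initech'])
    for (let i = 1; i <= 10; i++) rows.push({ sys_id: `${dom}-INC${i}`, priority: 1, sys_domain: dom });
  if (withGlobalIncident) rows.push({ sys_id: 'GLOBAL-INC1', priority: 1, sys_domain: 'global' });
  return rows;
}

// ACME's entity type for P1 incidents; `filter` stands in for the entity type's condition.
const ENTITY_TYPES = [
  { sys_id: 'ET-ACME', name: 'ACME ET', sys_domain: 'ACME', filter: inc => inc.priority === 1 },
];

// Domain of a new Entity. Old logic: the Entity Type's domain. New logic (the
// "Domain - Set Domain - Entity" rule): the 'applies to' record's domain; a global
// 'applies to' record puts the entity in the Default domain, as the Guidelines describe.
function entityDomain(entityType, appliesTo, newLogic) {
  if (!newLogic) return entityType.sys_domain;
  return appliesTo.sys_domain === 'global' ? 'default' : appliesTo.sys_domain;
}

// One execution of the job in `runDomain` ('global' when neither "run as" nor the
// domain iterator is configured). Risks take their Entity's domain under both logics.
function runProfileGeneration(runDomain, incidents, entityTypes, newLogic) {
  const entities = [];
  for (const et of entityTypes.filter(e => visibleFrom(runDomain, e.sys_domain))) {
    for (const inc of incidents.filter(i => visibleFrom(runDomain, i.sys_domain) && et.filter(i))) {
      entities.push({ applies_to: inc.sys_id, entity_type: et.sys_id,
                      sys_domain: entityDomain(et, inc, newLogic) });
    }
  }
  // Downstream objects are generated from the entities the run can still read: an
  // entity parked in the Default domain is invisible to a customer-domain run.
  const risks = entities
    .filter(e => visibleFrom(runDomain, e.sys_domain))
    .map(e => ({ entity: e.applies_to, sys_domain: e.sys_domain }));
  return { entities, risks };
}

// With the domain iterator enabled on the Entity Type table, the job is started once
// per distinct domain in that table and each run only sees that domain's data.
function runWithIterator(incidents, entityTypes, newLogic) {
  const out = { entities: [], risks: [] };
  for (const dom of new Set(entityTypes.map(e => e.sys_domain))) {
    const r = runProfileGeneration(dom, incidents, entityTypes, newLogic);
    out.entities.push(...r.entities);
    out.risks.push(...r.risks);
  }
  return out;
}

function countByDomain(rows) {
  const counts = {};
  for (const r of rows) counts[r.sys_domain] = (counts[r.sys_domain] || 0) + 1;
  return counts;
}

// Before the release: Global run with old logic -> 30 entities, all placed in ACME.
console.log('before:', countByDomain(runProfileGeneration('global', sampleIncidents(), ENTITY_TYPES, false).entities));
// After the release with the iterator: a single run in ACME -> 10 entities in ACME.
console.log('after: ', countByDomain(runWithIterator(sampleIncidents(), ENTITY_TYPES, true).entities));
// Global 'applies to' record: the entity lands in Default and gets no Risk.
console.log('global:', countByDomain(runWithIterator(sampleIncidents(true), ENTITY_TYPES, true).entities));
```

Running the model with the business rules but without the iterator (a Global-domain run with `newLogic` set) places the 30 entities in their 'applies to' domains but still creates all 30 for ACME's entity type; the iterator is what restricts qualification to ACME's own records, and the business rules are what place each generated object correctly. The last scenario reproduces the Guidelines' warning: the entity created for the global incident goes to the Default domain, which the ACME run cannot read, so no Risk is generated for it.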