Error: Execute operation on script include ‘todoPageUtils’ from scope ‘GRC: Risk Management’ was denied. The application ‘GRC: Risk Management’ must declare a cross scope access privilege. Please contact the application admin to update their access requests.
How to fix this issue?
Go to “Application Restricted Caller Access” (sys_restricted_caller_access) table
Change status to “Allowed”.
* Make sure you’ve captured the entry into your update set.
If you’re just starting your Next Experience journey, then you’ve come to the right place. This guide (Next Experience Quick Start Guide – ServiceNow Community) will help you understand what Next Experience is, how it works in tandem with our Workspace UI, and is a great place to return to as our products evolve over time.
Before you get started
Before you get started with Next Experience, check and consider the following documentation:
ServiceNow did an amazing job introducing workspace into our world, the links above are kind of live savers, they are so well documented full of best practises, recommendations and tips.
Current scenario
I am going to improve the “Response Tasks” on the Risk Portal. This our view from the backend (https://instance.service-now.com/nav_to.do?uri=sysapproval_approver.do?sys_id=0f676330db361d1021e7dd18f496195d). We have 2 OOB UI actions for record manipulation (“Update” and “Delete”) and 2 UI actions to update the state (“Approve” and “Reject”).
This is our current view on Risk Portal (https://instance.service-now.com/now/risk/portal/record/sn_risk_response_task/809623fcdbf21d1021e7dd18f496198a/sub/record/sysapproval_approver/0f676330db361d1021e7dd18f496195d). We still have the OOB UI actions, but we are missing the 2 UI actions to update the state.
Steps
Inspect the UI action “Approve” button to get the gsft_id.
Clone the UI action for “Approve” and “Reject”.
Create UX Form Action “Approve” and “Reject” and pointed to our custom UI actions. All these actions should be pointing to the sysapproval_approver table.
Create a UX Form Action Group (or UX Actions Layout Group) called “approval actions” where type = Split Button and actions are Approve and Reject.
In the UX Form Action Group record related items, create a new UX Form Actions Layout (sys_ux_form_action_layout_item) record. I named “Approval Actions” and this is responsible to display the button in the form.
Through the related lists of the UX Form Layout Item record, create a new Action Layout record. Focus on the “Action Layout Items”, that’s the most important thing here. This connection must exist.
The result will be:
Summary
The link How to use UI Actions in Workspaces – ServiceNow Community and Introduction to Declarative Actions – ServiceNow Community gave me enough to follow the breadcrumb trail and yes workspaces can be ready. We have few fields missing in the forms (we just need to update the view) and sometimes the UI actions do not behave the same but after few smoke tests the workspace can be ready. This is the perfect time to avoid lift and shift. This is a great o opportunity to re-imagine and improve the experience.
Bottom line is UI Actions are supported in both agent and configurable workspaces, but only in limited areas, such as the Action Bar component which is provided by default on the out-of-the-box record page. This means that UI Actions are only supported on forms in workspaces and not lists.
ServiceNow introduced a new concept called “Declarative actions”. What are they? Declarative actions are similar to platform UI Actions to add buttons on a form, etc. UI Actions are only exposed in the Action Bar component in Workspace, etc. experiences so the use cases are limited. Declarative Actions can be used in the Action Bar component on a record, related lists, lists, etc. without having to modify the page in UI Builder itself. By using Declarative Actions and not adding buttons to a page in UI Builder, you are making your upgrade experience better as Declarative Actions do not customize an OOTB UI Builder page. Instead, by creating Declarative Actions you are creating the necessary records needed in your own app scope.
It’s time to get your Hack-on because Hacktoberfest starts October 1st! Chuck, Earl and Lauren kicked off the event, you can watch Hacktoberfest – Live Coding Happy Hour 2022-09-30 – YouTube to know how to get your t-shirt. Every year they encourage ServiceNow Developers to participate in DigitalOcean’s Hacktoberfest event by contributing to a ServiceNow project or repository.
The more the community is equipped, the more that community can contribute.
The more you get used to source-controlled projects, the more you can contribute to any number of open-source projects.
You get a free t-shirt (the t-shirt also comes with bragging rights)!
Contributors will earn points toward qualifying for next year’s Developer MVP program.
Some projects will have immediate benefit to the Developer community
WHO CAN PARTICIPATE?
Everyone! Whether you’re new to ServiceNow, a low-code developer, a business analyst, or a full-stack engineer, anyone is allowed to participate! Every year we are trying to make it even easier to participate!
SERVICENOW AND THE FUTURE OF SOURCE CONTROL
As we transition managing development on ServiceNow away from using update sets towards using source control integration with git, it’s becoming more important for ServiceNow developers to have an understanding of how version control software like GitHub works.
Especially in our low-code interfaces like App Engine Studio, a common way for users to share apps will be through source control. So this is a great way to dip your feet into how source controling apps works!
In the repository, fork the repo to create your own version of the repository
Follow the guidelines listed in the CONTRIBUTING.md in each repository
For some repos, you’ll want to create a new branch
For some repos, you’ll pull the application repo into your ServiceNow instance
Once you finish your updates, commit them to your branch.
Open a pull request to the original repo (make sure to check the CONTRIBUTING.md file for details)
Let the Hacktoberfest 2022 begin
MY PARTICIPATION
Update 01/10/2022
Last year I was focused on snippets scripting and this year I want to explore a different topic. If you are following the Hacktoberfest 2022 (servicenow.com) blog post, there are multiple projects ServiceNow are encouraging participation in.
One of them is “NEXT EXPERIENCE RECIPES APP”. The idea is pretty simple, it’s to enhance a two-page recipe portal that lets you search and view recipes. What if you could rate or comment on the recipe, send a survey, track variations, etc. Also, if you make a change, go ahead and add a new recipe to the app for everyone. Additionally, if you want to know how to build this experience from scratch, check out CCL1072.
Go to Credentials and create a new Basic Auth Authentication. The user will be your GitHub username and for security reasons you need to generate a personal token for your password.
Go to System Applications => Studio
Once Studio loads, select Import From Source Control
A new version of the GRC plugins were published on the store, upgraded from version 14 to 15.
Plugin
Latest known version
Publish date
Compatibility
Release notes
GRC: Profile
15.0.3
Aug 04, 2022
RomeSan DiegoTokyo
NewAbility to have entity class rule based on a condition builderSync entity owner field to associated risks and controlsChangedsn_grc.reader role does not contain sn_grc.business_user role.sn_grc.user will contain sn_grc.business_user role.FixedIn child tables, the attachment option is accessible for non-confidential usersScript error coming from indicator_static_support_data_taskTypographical error in OOB GRC business rule script error messageGRC Developer role description must be updatedThe security-related properties under GRC Properties are not coming in orderThe user is also able to read the data of the parent user group when access groups are set as the child user groupACL added by the GRC: Profiles plugin is breaking the visibility of Information Objects in APMAll sys metadata tables required the update_sync attribute
GRC: Audit Management
15.0.2
Aug 04, 2022
RomeSan DiegoTokyo
NewCategorize Audit Engagements, Audit Tasks, Control Tests, etc. based on Functional Domains like IT Compliance and Risk, Privacy, etc.FixedWhen an Engagement is Closed Incomplete, related Control Tests are still Open.Audit Manager should not be allowed to Close an Engagement when related Tasks are Open.When we create a test template, unable to select the Control Objective field values which have lengthier display names.Security constraints on Client Callable script includes.When an Engagement is created from Entity form, newly created Engagement is not coming up in Downstream Engagements of Entity.
GRC: Advanced Risk Assessment
15.0.1
Aug 04, 2022
RomeSan DiegoTokyo
NewAssessors can evaluate controls by design and operational effectivenessFixedTranslation-related bug fixes
GRC: Common Workspace Elements
15.0.5
Aug 04, 2022
RomeSan DiegoTokyo
NewCategorize GRC Objects based on Functional Domains like IT Risk and Compliance, Privacy, etc.FixedTasks page — Tool tip of dropdown in “My group tasks” tab showing null Breadcrumbs aren’t showing the exact navigation in employee center when navigating to record from list view
GRC: Policy and Compliance Management
15.0.1
Aug 04, 2022
RomeSan DiegoTokyo
NewPerform Advanced Risk Assessments on Policy Exceptions.Categorize Compliance Objects like Policies, Authority Documents, Control Objectives, Citations, Controls, etc. based on Functional Domain like IT Compliance and Risk, Privacy, etc.The compliance Manager/Compliance Analyst should be able to reuse existing Evidences collected on other GRC objects.ChangedRole hierarchy changes: GRC Reader role will not be part of the Business User role. Changed all the ACLs, Modules, etc. accordingly.Added Expired substate for Closed Policy Exceptions to indicate Policy Exception is Approved and Valid to date has crossed.Reason code can be modified after Policy Exception is Approved.Policy Exceptions submitted from Service Portal or Employee Service Center should go through Verification Approvals when Verification Rule is configured.The Requester should be able to extend Policy Exception more than once based on a configuration property.FixedLocalization issues.Incorrect due date on Policy Acknowledgements.Manually Retired controls are moved to Draft state when the Policy is published.States in which Controls are considered to be Active.On Impacted Controls for Policy Exceptions: Add/Add all buttons are not coming up.On Controls, Open Issues are not updated when a new issue is created.Policy Exception is created even though Valid from and Valid to dates are the same.GRC Business user is able to move the policy exception to Analyze state even though verification approvals are configured.Description of auto-created Policy exception created from PACE exception is truncated.The Retire button should not be present on the KB article related to Policy.
I found an issue with you might not be aware but since most of the implementations are multi-language (i18n) I would like to highlight this topic to save time for the next one.
The ServiceNow platform supports multiple languages, using UTF-8 for international characters. Language support is available when at least one language plugin has been activated, as described in Activate a language.
According to ServiceNow,
“When a user logs in, the language for the instance session is determined by the following logic:
If the language selection at login is enabled, that language is used.
If not, the language preference selected using the language picker in the header bar is used.
If not, the language setting in the User [sys_user] table is used.
If none of the above are true, the system default language is used.
Some areas of the system are not translated, including journal fields, report titles, and any field that stores free-form text. These fields remain in the language used to create them. When creating a custom field, you must add the labels in the Field Label table because they are not added automatically.”
But.. the translation is not as black and white as it is being presented.
I found that the Risk Criteria field (out of the box its a translated field) lost his sorting capability on a list view or on a list report when we have more than one language set on the system. By checking the dictionary entry, I was able to check only the English label has been created for the field and said so, you are only able to sort the column if your user language is in English.
As you can notice, the order of the records is not affected when I try to sort the column by ASC or DESC:
To solve the issue,
Go to System Localization > Translated Name/Fields.
Create an entry for each Risk Criteria (sn_risk_criteria) available according to your language.
Voila, problem solved – try to use the sorting again, now you should be able to sort your columns.
If you haven’t used the new feature Policy and Compliance Integrator, roll your sleeves up – this is a game changer. Forget about transform maps to import Authority Documents, Citations and Control Objectives, this scripted REST api will do everything for you.
Go to Postman and create a new collection called “CIM API Collection”.
In the tab “Variables”, create a new variable inside the collection called “instance” with value “https://YOUR_INSTANCE.service-now.com”
In the tab “Authorization”, set up your REST api user and password. Dont forget in order to create new batches you need to be a compliance admin.
Go to sn_grc_provider table and create a new provider called “communityProvider”. If you don’t do it, when you create a batch it will create a new Provider import task and you need to complete few more steps in order to get the new provider generated.
Create a new POST method called “Create batch” with the following URL{{instance}}/api/sn_grc_cim/content/compliance/batch/create The body should be something like this:
Save the batch number because you are going to use it to create staging records or any interaction with the API.
Step 2 – Create the staging records
Go to Postman and inside your collection “CIM API Collection” create a new method called “Insert stagging records” with the following URL: “{{instance}}/api/sn_grc_cim/content/compliance/insert”
The body should contain something like this: {"batch_number":"CIB0001008", "records": [{ "document_id": "123456789", "name": "GRC Authority Document api", "description": "GRC Authority Document API", "citations": [{ "document_id": "123456789", "name": "GRC Citation api", "control_objectives": [ { "document_id": "123456789", "name": "GRC Control Objective api" } ] }] }]}
This code will generate one AD, one citation and one control objective.
3. Update batch to ready
Go to Postman and inside your collection “CIM API Collection” create a new method called “Update batch status to ready” with the following URL: “{{instance}}/api/sn_grc_cim/content/compliance/batch/ready”
The body should contain something like this:
{
"batch_number": "CIB0001008"
}
The end result should be something like this:
3. Kick process, review task and complete process
After this moment you need to kick the process by going to the Flow Designer, search for “Compliance staging processor” and run. Check the flow designer how often this process runs. Out of the box this runs weekly basis, every Monday. A new import task will be created after the flow has been executed.
Go to “Library import task” and review the staging records if necessary. At this stage, you can add an approver, or approver group, etc etc.
The new authority document with citations and control objectives will be created when the import task is completed.
If you need anything, please let me know and I can share the Postman collection to save you some time.
It’s that time of year again! Every year we encourage ServiceNow Developers to participate in DigitalOcean’s Hacktoberfest event by contributing to a ServiceNow project or repository.
The more the community is equipped, the more that community can contribute.
The more you get used to source-controlled projects, the more you can contribute to any number of open-source projects.
You get a free t-shirt (the t-shirt also comes with bragging rights)!
Contributors will earn points toward qualifying for next year’s Developer MVP program.
Your code snippets have the possibility of being published in ServiceNow docs. (Be sure to check out the Code Example Program post!)
Participants have the chance to win prizes.
WHO CAN PARTICIPATE?
Everyone! Whether you’re new to ServiceNow, a low-code developer, a business analyst, or a full-stack engineer, anyone is allowed to participate! This year we made it easier than ever to participate!
The ServiceNow Developer Advocates used to pick one thing to tackle each year but this time around we have five ways for you to contribute (all optional)! We hope that with so many options, you will be able to participate in some way and not feel left out.
Next watch this video on pull requests:
5 WAYS TO CONTRIBUTE
There are five projects we are encouraging participation in. To finish your Hacktoberfest goal:
You must make four approved pull-requests between October 1 and October 31, 2021.
These four pull-requests can be spread out across multiple projects or can all be for one project.
From experience, you are more likely to get the t-shirt size you want the earlier you complete the goal! So get to work!
I was trying to search for comments or posts around this plugin upgrade version (11.0.3) but it seems it did slipper somehow.
ServiceNow introduced the new role “GRC Business User” in the latest release (11.0.3) and added to all users in the system. Yes, there is no way to stop that to happen (I raised a hi ticket) but there is a KB article that explains the reason behind this change and helps you to rollback this change in case: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0864247
GRC Business Users
The Governance, Risk, and Compliance (GRC) product line requires action from many users who do not have a traditional product role, such as Compliance Reader or Risk Reader. Even the reader roles allow access to the product module, dashboard, reports, and read-only table access.
To improve the internal security of the product, we created a dedicated GRC Business User role. This role should be assigned to users who require access only to GRC applications in the context of performing tasks assigned to them; for example, a business user who needs to respond to an attestation or risk assessment. Users with the GRC Business User role are provided limited access to data and to information relevant to the tasks assigned to them.
The number of users assigned to the GRC Business User role does not impact product licensing. Product licensing is based on the number of users that perform GRC operations as opposed to the number of users with a role that allows access to GRC operations.
Important note: To keep the product behavior consistent on upgrade, we initially assign the GRC Business User role to all users in the sys_user table by adding them to the GRC Business Users group. We do this to match the previous product behavior that tasks such as attestations can be assigned to any internal employee. You can remove users from the GRC Business User role to restrict access for specific users.
I have improved ootb script to be more defensive and used an on demand schedule job to avoid to get the process hang during execution. That way the process would not be associated to an UI session and would run in the background without interruptions.
Please use below script to delete all users from GRC Business Users group :
Steps:
1. Create a fix script called “Remove GRC Business User to all users” Application: GRC: Profile Script:
var rec = new GlideRecord('sysauto_script');
rec.get('name', 'remove_users_to_grc_business_group');
gs.executeNow(rec);
2. Create a Scheduled Execution Job (sysauto_script) called “remove_users_to_grc_business_group“
Application: GRC: Profile
Run as: Administrator
Run: On Demand
Script:
var grGroup = new GlideRecord('sys_user_group');
if (grGroup.get('053cd11a5bda50106d8012300a81c721')) // ensure the group exists and we do not skip the addQuery condition
{
var grMember = new GlideRecord('sys_user_grmember');
grMember.addQuery('group', '053cd11a5bda50106d8012300a81c721');
grMember.query();
gs.info("KB0864247 - There are " + grMember.getRowCount() + " members of the GRC Business Users group");
while(grMember.next())
{
gs.info("KB0864247 - We are deleting user: " + grMember.user.getDisplayValue() + " - from the group: " + grMember.group.getDisplayValue());
grMember.deleteRecord();
}
}
3. Execute the fix script.
If you have any questions, please let me know! Happy GRCommanding
"Being a Jedi is not just about power, or lightsabers, or even skill with the Force. It is about connection. Being part of something bigger. I am stronger as part of the Jedi Order than I could ever be alone."
