There is an issue with Smart Assessments in Compliance Case Management when you try to use them in Action Tasks: it returns an error, “Incorrect setup”. The assessment gets generated, so that part is working as expected. When I try to initiate it, it returns an error.
Official docs: https://www.servicenow.com/docs/bundle/yokohama-governance-risk-compliance/page/product/grc-compliance-case-mgmt/task/perform-smart-assessment-on-action-task.html
1. Go to the Assessment Workspace and configure/create a new assessment template called “My Questionnaire”.
   Assessment categories = Compliance Case Assessment
   Assessment targets = Compliance Case
   Assessment reader = sn_comp_case.compliance_case_business_user
2. Go to All > Case type.
3. Open “Compliance Case” or any active case type record.
4. In the assessment configuration, use “My Questionnaire”.
5. Go to the Compliance Case Workspace and open any record where the type is “Compliance Case”.
6. Create an Action Task and use the smart assessment.
7. When you move the task to the Assigned state, it will trigger the assessment.
8. Click View Assessment; the issue is displayed when you try to take the assessment.
How to solve it?
Create the smart assessment under the right scope (CCM) 🙂
Last year we showed everyone how easy it is to build an application on the #ServiceNow platform using App Engine Studio (AES).
This year the focus will be on the capabilities of #ServiceNowCreatorStudio – this tool is designed with non-developers in mind, offering a guided, intuitive environment for building request-based applications. It breaks down the traditional barriers to app development, making it accessible for business process experts to bring their automation ideas to life. This tool is not intended to replace existing development tools like App Engine Studio, but to complement them by providing a new entry point for app creation.
Transform your ideas into real-world solutions with #BuildWithCreatorStudio. Whether you’re new to ServiceNow, a low-code developer, a business analyst, or a full-stack engineer, anyone is allowed to participate. Ready to get creative and have some fun together? 😁
Join me this year for this exciting challenge. Rise to the #BuildWithCreatorStudio Challenge and earn exclusive swag!
In this snippet you will create a custom spider web chart on a custom page and populate it with data using the native Highcharts library.
Step 1: Create a new Widget
Go to Service Portal > Widget > Click New
Name: Custom productionProcess
Id: custom-gojs-productionProcess
Click on submit
Body HTML template
Copy and paste below HTML Code in Widget’s HTML Template section
<div>
<!-- chart -->
<div id="container"></div>
<p class="highcharts-description">
A spiderweb chart or radar chart is a variant of the polar chart.
Spiderweb charts are commonly used to compare multivariate data sets,
like this demo using six variables of comparison.
</p>
</div>
CSS/SCSS
Copy and paste below CSS in Widget’s CSS/SCSS Section
/* to be completed */
Client Side Scripts
Copy and Paste below Script in Widget’s Client Side Section
api.controller = function($rootScope, $scope, $window, $interval, spUtil) {
    /* widget controller */
    var c = this;

    /** Chart source: https://www.highcharts.com/demo/polar-spider */
    var options = {
        credits: {
            enabled: false
        },
        chart: {
            renderTo: 'container', // change chart_id if needed
            polar: true,
            type: 'line'
        },
        accessibility: {
            description: 'A spiderweb chart compares the allocated budget against actual spending within an organization. The spider chart has six spokes. Each spoke represents one of the 6 departments within the organization: sales, marketing, development, customer support, information technology and administration. The chart is interactive, and each data point is displayed upon hovering. The chart clearly shows that 4 of the 6 departments have overspent their budget with Marketing responsible for the greatest overspend of $20,000. The allocated budget and actual spending data points for each department are as follows: Sales. Budget equals $43,000; spending equals $50,000. Marketing. Budget equals $19,000; spending equals $39,000. Development. Budget equals $60,000; spending equals $42,000. Customer support. Budget equals $35,000; spending equals $31,000. Information technology. Budget equals $17,000; spending equals $26,000. Administration. Budget equals $10,000; spending equals $14,000.'
        },
        title: {
            text: 'Budget vs spending',
            x: -80
        },
        pane: {
            size: '80%'
        },
        xAxis: {
            categories: ['Sales', 'Marketing', 'Development', 'Customer Support',
                'Information Technology', 'Administration'],
            tickmarkPlacement: 'on',
            lineWidth: 0
        },
        yAxis: {
            gridLineInterpolation: 'polygon',
            lineWidth: 0,
            min: 0
        },
        tooltip: {
            shared: true,
            pointFormat: '<span style="color:{series.color}">{series.name}: <b>${point.y:,.0f}</b><br/>'
        },
        legend: {
            align: 'right',
            verticalAlign: 'middle',
            layout: 'vertical'
        },
        series: [{
            name: 'Allocated Budget',
            data: [43000, 19000, 60000, 35000, 17000, 10000],
            pointPlacement: 'on'
        }, {
            name: 'Actual Spending',
            data: [50000, 39000, 42000, 31000, 26000, 14000],
            pointPlacement: 'on'
        }],
        responsive: {
            rules: [{
                condition: {
                    maxWidth: 500
                },
                chartOptions: {
                    legend: {
                        align: 'center',
                        verticalAlign: 'bottom',
                        layout: 'horizontal'
                    },
                    pane: {
                        size: '70%'
                    }
                }
            }]
        }
    };

    /* Generate chart */
    var chart = new Highcharts.Chart(options);

    /* improvements: next step would be to have a ng-selector in HTML and use record watcher to keep data up to date */
};
Step 2: Add native Highcharts library to your widget as widget dependencies
Go to Service Portal > Widget
Search for your previous widget created “Custom Spider Web” (custom-spider-web) and open the record.
On the related tab Dependencies, click on Edit button.
Search for PA Widget (4fbe3df5673322002c658aaad485ef29) and add to your list.
Click on Save button to save the change.
Step 3: Create a new Page
Go to Service Portal > Page > Click New
Name: spiderweb – Test Page
ID: spiderweb
Click on Submit button.
Once submitted, Click on Open in Page Designer related link
In Page designer, Place custom-spider-web widget inside a container > row > Column at top location.
View the page at the following link: http://instance-name.service-now.com/sp?id=spiderweb.
Sources
None of the following links are under my surveillance or maintenance.
In Governance, Risk, and Compliance (GRC), entities can be people, processes, departments, applications, or objects whose exposure must be managed. These entities have controls that are defined to view the status.
To understand entities, consider the following example. Assume you are a new GRC user and you want to implement a change management process to all your critical financial systems. All the systems can be considered as individual entities. Map all the systems to an entity class called Financial. Have an entity type filter for critical financial systems to determine the systems that are identified as critical.
The primary benefit of creating entities is that you can maintain accountability because each entity has an owner. To understand this benefit, assume that you want to configure all the servers in a new way. After you finish the configuration, you perform an audit and then discover that only one server failed to comply with the new configuration. If you had not defined all the entities, then the entire audit result would have been deemed as failed. But because you have the entities defined, then only the non-compliant server entity and its identified owner are held accountable instead of all the servers.
Having defined entities ensures that the entity owners can be identified and that appropriate controls can be applied to those entities. It also helps in tracking the entities that are non-compliant. Any entity that has child entities can be said to have downstream entities. Any entity that has parent entities can be said to have upstream entities.
Take the following entity class model as example:
We have a Company that contains Departments, which contain Business Services, Business Applications and Business Processes. In GRC these are called “downstream entities”. This model is called the “Dependency Model” and can be achieved by setting up the “Entity Class hierarchy”. You can visualise the model by accessing the “GRC Workbench”.
For this exercise, we will create 3 entities to match the above model and generate their respective risks.
| Entity | Class |
| --- | --- |
| Wrangu | Company |
| Information Security | Department |
| Enterprise Risk Management | Business Process |

List of entities

| Risk | Entity | Statement |
| --- | --- | --- |
| Disruption to the business due to critical infrastructure unavailability | Wrangu | Business Continuity and Disruption |
| Inability to retain key employees may result in the departments inability to achieve objectives. | Information Security | Loss of Key Personnel |
| Unauthorized actions have been detected | Enterprise Risk | Unauthorized actions |

List of risks
Steps
Create a client-callable script include called “GRCReporting”; make sure you’ve checked ‘Client callable’.
Copy the following code into it.
var GRCReporting = Class.create();
GRCReporting.prototype = Object.extendsObject(global.AbstractAjaxProcessor, {
    // Returns the sys_ids of all entities downstream of the given entity (profile)
    getDownstreamProfileIDs: function(profileID) {
        return new sn_grc.GRCProfileLists().getDownstreamProfileIDs(profileID);
    },

    type: 'GRCReporting'
});
Create your reports
Create a report against the Risk table (sn_risk_risk)
In the filter condition, set “Entity > Sys Id” contains “javascript:new sn_grc.GRCReporting().getDownstreamProfileIDs(<Entity SysId>);”. In this example, I’ve used the entity Wrangu.
If you’re just starting your Next Experience journey, then you’ve come to the right place. This guide (Next Experience Quick Start Guide – ServiceNow Community) will help you understand what Next Experience is, how it works in tandem with our Workspace UI, and is a great place to return to as our products evolve over time.
Before you get started
Before you get started with Next Experience, check and consider the following documentation:
ServiceNow did an amazing job introducing workspaces into our world. The links above are lifesavers: they are well documented and full of best practices, recommendations and tips.
Current scenario
I am going to improve the “Response Tasks” on the Risk Portal. This is our view from the backend (https://instance.service-now.com/nav_to.do?uri=sysapproval_approver.do?sys_id=0f676330db361d1021e7dd18f496195d). We have 2 OOB UI actions for record manipulation (“Update” and “Delete”) and 2 UI actions to update the state (“Approve” and “Reject”).
This is our current view on Risk Portal (https://instance.service-now.com/now/risk/portal/record/sn_risk_response_task/809623fcdbf21d1021e7dd18f496198a/sub/record/sysapproval_approver/0f676330db361d1021e7dd18f496195d). We still have the OOB UI actions, but we are missing the 2 UI actions to update the state.
Steps
Inspect the UI action “Approve” button to get the gsft_id.
Clone the UI action for “Approve” and “Reject”.
Create UX Form Actions “Approve” and “Reject” and point them to our custom UI actions. All these actions should point to the sysapproval_approver table.
Create a UX Form Action Group (or UX Actions Layout Group) called “approval actions” where type = Split Button and actions are Approve and Reject.
In the UX Form Action Group record related items, create a new UX Form Actions Layout (sys_ux_form_action_layout_item) record. I named it “Approval Actions”, and it is responsible for displaying the button in the form.
Through the related lists of the UX Form Layout Item record, create a new Action Layout record. Focus on the “Action Layout Items”, that’s the most important thing here. This connection must exist.
The result will be:
Summary
The links How to use UI Actions in Workspaces – ServiceNow Community and Introduction to Declarative Actions – ServiceNow Community gave me enough to follow the breadcrumb trail, and yes, workspaces can be ready. We have a few fields missing in the forms (we just need to update the view) and sometimes the UI actions do not behave the same, but after a few smoke tests the workspace can be ready. This is the perfect time to avoid lift and shift. This is a great opportunity to re-imagine and improve the experience.
Bottom line is UI Actions are supported in both agent and configurable workspaces, but only in limited areas, such as the Action Bar component which is provided by default on the out-of-the-box record page. This means that UI Actions are only supported on forms in workspaces and not lists.
ServiceNow introduced a new concept called “Declarative actions”. What are they? Declarative actions are similar to platform UI Actions to add buttons on a form, etc. UI Actions are only exposed in the Action Bar component in Workspace, etc. experiences so the use cases are limited. Declarative Actions can be used in the Action Bar component on a record, related lists, lists, etc. without having to modify the page in UI Builder itself. By using Declarative Actions and not adding buttons to a page in UI Builder, you are making your upgrade experience better as Declarative Actions do not customize an OOTB UI Builder page. Instead, by creating Declarative Actions you are creating the necessary records needed in your own app scope.
New versions of the GRC plugins were published on the store, upgraded from version 14 to 15.
Plugin: GRC: Profile
Latest known version: 15.0.3
Publish date: Aug 04, 2022
Compatibility: Rome, San Diego, Tokyo
Release notes:
New
- Ability to have entity class rule based on a condition builder
- Sync entity owner field to associated risks and controls
Changed
- sn_grc.reader role does not contain sn_grc.business_user role.
- sn_grc.user will contain sn_grc.business_user role.
Fixed
- In child tables, the attachment option is accessible for non-confidential users
- Script error coming from indicator_static_support_data_task
- Typographical error in OOB GRC business rule script error message
- GRC Developer role description must be updated
- The security-related properties under GRC Properties are not coming in order
- The user is also able to read the data of the parent user group when access groups are set as the child user group
- ACL added by the GRC: Profiles plugin is breaking the visibility of Information Objects in APM
- All sys metadata tables required the update_sync attribute

Plugin: GRC: Audit Management
Latest known version: 15.0.2
Publish date: Aug 04, 2022
Compatibility: Rome, San Diego, Tokyo
Release notes:
New
- Categorize Audit Engagements, Audit Tasks, Control Tests, etc. based on Functional Domains like IT Compliance and Risk, Privacy, etc.
Fixed
- When an Engagement is Closed Incomplete, related Control Tests are still Open.
- Audit Manager should not be allowed to Close an Engagement when related Tasks are Open.
- When we create a test template, unable to select the Control Objective field values which have lengthier display names.
- Security constraints on Client Callable script includes.
- When an Engagement is created from Entity form, newly created Engagement is not coming up in Downstream Engagements of Entity.

Plugin: GRC: Advanced Risk Assessment
Latest known version: 15.0.1
Publish date: Aug 04, 2022
Compatibility: Rome, San Diego, Tokyo
Release notes:
New
- Assessors can evaluate controls by design and operational effectiveness
Fixed
- Translation-related bug fixes

Plugin: GRC: Common Workspace Elements
Latest known version: 15.0.5
Publish date: Aug 04, 2022
Compatibility: Rome, San Diego, Tokyo
Release notes:
New
- Categorize GRC Objects based on Functional Domains like IT Risk and Compliance, Privacy, etc.
Fixed
- Tasks page - Tool tip of dropdown in “My group tasks” tab showing null
- Breadcrumbs aren’t showing the exact navigation in employee center when navigating to record from list view

Plugin: GRC: Policy and Compliance Management
Latest known version: 15.0.1
Publish date: Aug 04, 2022
Compatibility: Rome, San Diego, Tokyo
Release notes:
New
- Perform Advanced Risk Assessments on Policy Exceptions.
- Categorize Compliance Objects like Policies, Authority Documents, Control Objectives, Citations, Controls, etc. based on Functional Domain like IT Compliance and Risk, Privacy, etc.
- The compliance Manager/Compliance Analyst should be able to reuse existing Evidences collected on other GRC objects.
Changed
- Role hierarchy changes: GRC Reader role will not be part of the Business User role. Changed all the ACLs, Modules, etc. accordingly.
- Added Expired substate for Closed Policy Exceptions to indicate Policy Exception is Approved and Valid to date has crossed.
- Reason code can be modified after Policy Exception is Approved.
- Policy Exceptions submitted from Service Portal or Employee Service Center should go through Verification Approvals when Verification Rule is configured.
- The Requester should be able to extend Policy Exception more than once based on a configuration property.
Fixed
- Localization issues.
- Incorrect due date on Policy Acknowledgements.
- Manually Retired controls are moved to Draft state when the Policy is published.
- States in which Controls are considered to be Active.
- On Impacted Controls for Policy Exceptions: Add/Add all buttons are not coming up.
- On Controls, Open Issues are not updated when a new issue is created.
- Policy Exception is created even though Valid from and Valid to dates are the same.
- GRC Business user is able to move the policy exception to Analyze state even though verification approvals are configured.
- Description of auto-created Policy exception created from PACE exception is truncated.
- The Retire button should not be present on the KB article related to Policy.
I found an issue you might not be aware of, and since most implementations are multi-language (i18n), I would like to highlight this topic to save time for the next one.
The ServiceNow platform supports multiple languages, using UTF-8 for international characters. Language support is available when at least one language plugin has been activated, as described in Activate a language.
According to ServiceNow,
“When a user logs in, the language for the instance session is determined by the following logic:
If the language selection at login is enabled, that language is used.
If not, the language preference selected using the language picker in the header bar is used.
If not, the language setting in the User [sys_user] table is used.
If none of the above are true, the system default language is used.
Some areas of the system are not translated, including journal fields, report titles, and any field that stores free-form text. These fields remain in the language used to create them. When creating a custom field, you must add the labels in the Field Label table because they are not added automatically.”
But the translation is not as black and white as it is being presented.
I found that the Risk Criteria field (out of the box it's a translated field) lost its sorting capability on a list view or on a list report when we have more than one language set on the system. By checking the dictionary entry, I was able to see that only the English label had been created for the field, and as a result you are only able to sort the column if your user language is English.
As you can notice, the order of the records is not affected when I try to sort the column by ASC or DESC:
To solve the issue,
Go to System Localization > Translated Name/Fields.
Create an entry for each Risk Criteria (sn_risk_criteria) available according to your language.
Voila, problem solved – try to use the sorting again, now you should be able to sort your columns.
I was trying to search for comments or posts around this plugin upgrade version (11.0.3), but it seems it slipped by somehow.
ServiceNow introduced the new role “GRC Business User” in the latest release (11.0.3) and added it to all users in the system. Yes, there is no way to stop that from happening (I raised a HI ticket), but there is a KB article that explains the reason behind this change and helps you roll it back if needed: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0864247
GRC Business Users
The Governance, Risk, and Compliance (GRC) product line requires action from many users who do not have a traditional product role, such as Compliance Reader or Risk Reader. Even the reader roles allow access to the product module, dashboard, reports, and read-only table access.
To improve the internal security of the product, we created a dedicated GRC Business User role. This role should be assigned to users who require access only to GRC applications in the context of performing tasks assigned to them; for example, a business user who needs to respond to an attestation or risk assessment. Users with the GRC Business User role are provided limited access to data and to information relevant to the tasks assigned to them.
The number of users assigned to the GRC Business User role does not impact product licensing. Product licensing is based on the number of users that perform GRC operations as opposed to the number of users with a role that allows access to GRC operations.
Important note: To keep the product behavior consistent on upgrade, we initially assign the GRC Business User role to all users in the sys_user table by adding them to the GRC Business Users group. We do this to match the previous product behavior that tasks such as attestations can be assigned to any internal employee. You can remove users from the GRC Business User role to restrict access for specific users.
I have improved the OOTB script to be more defensive and used an on-demand scheduled job to avoid the process hanging during execution. That way the process is not associated with a UI session and runs in the background without interruptions.
Please use the script below to delete all users from the GRC Business Users group:
Steps:
1. Create a fix script called “Remove GRC Business User to all users”
Application: GRC: Profile
Script:
var rec = new GlideRecord('sysauto_script');
// Queue the on-demand job only if it exists
if (rec.get('name', 'remove_users_to_grc_business_group')) {
    gs.executeNow(rec);
}
2. Create a Scheduled Execution Job (sysauto_script) called “remove_users_to_grc_business_group”
Application: GRC: Profile
Run as: Administrator
Run: On Demand
Script:
var grGroup = new GlideRecord('sys_user_group');
// ensure the group exists and we do not skip the addQuery condition
if (grGroup.get('053cd11a5bda50106d8012300a81c721')) {
    var grMember = new GlideRecord('sys_user_grmember');
    grMember.addQuery('group', '053cd11a5bda50106d8012300a81c721');
    grMember.query();
    gs.info("KB0864247 - There are " + grMember.getRowCount() + " members of the GRC Business Users group");
    while (grMember.next()) {
        gs.info("KB0864247 - We are deleting user: " + grMember.user.getDisplayValue() + " - from the group: " + grMember.group.getDisplayValue());
        grMember.deleteRecord();
    }
}
3. Execute the fix script.
If you have any questions, please let me know! Happy GRCommanding
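To confirm the cleanup above did what was intended, this read-only audit (an added example, not part of the original post or the KB article) counts who is left in the group and how many `sn_grc.business_user` grants still trace back to it. The group sys_id and role name are the ones quoted on this page; filtering `sys_user_has_role` on `granted_by` and running it from Scripts - Background are assumptions.

```javascript
// Added example: read-only check, nothing is deleted or updated.
var GRC_GROUP_SYS_ID = '053cd11a5bda50106d8012300a81c721'; // GRC Business Users group (from the page)
var GRC_ROLE_NAME = 'sn_grc.business_user';                 // role name from the release notes on this page

// Count rows in `table` that match every field/value pair in `filters`.
function countRows(table, filters) {
    var ga = new GlideAggregate(table);
    for (var field in filters) {
        if (Object.prototype.hasOwnProperty.call(filters, field)) {
            ga.addQuery(field, filters[field]);
        }
    }
    ga.addAggregate('COUNT');
    ga.query();
    return ga.next() ? parseInt(ga.getAggregate('COUNT'), 10) : 0;
}

// List up to `limit` users whose role grant still comes from the group.
function listGrantsViaGroup(groupSysId, roleName, limit) {
    var users = [];
    var gr = new GlideRecord('sys_user_has_role');
    gr.addQuery('role.name', roleName);
    gr.addQuery('granted_by', groupSysId); // assumption: group-derived grants carry the group here
    gr.setLimit(limit);
    gr.query();
    while (gr.next()) {
        users.push(gr.user.getDisplayValue());
    }
    return users;
}

// Build the audit report for one group/role pair.
function auditGrcBusinessUser(groupSysId, roleName, sampleLimit) {
    var viaGroup = countRows('sys_user_has_role', { 'role.name': roleName, granted_by: groupSysId });
    var total = countRows('sys_user_has_role', { 'role.name': roleName });
    var report = {
        groupMembers: countRows('sys_user_grmember', { group: groupSysId }),
        grantsViaGroup: viaGroup,
        totalGrants: total,
        // Grants that survive the cleanup: direct assignments or roles that contain this one.
        otherGrants: total - viaGroup,
        grantsViaGroupSample: listGrantsViaGroup(groupSysId, roleName, sampleLimit)
    };
    // Done only when the group is empty and no grant traces back to it.
    report.cleanupComplete = report.groupMembers === 0 && report.grantsViaGroup === 0;
    return report;
}

// Runs only on the platform, where GlideRecord and gs exist.
if (typeof GlideRecord !== 'undefined') {
    gs.info('KB0864247 audit: ' +
        JSON.stringify(auditGrcBusinessUser(GRC_GROUP_SYS_ID, GRC_ROLE_NAME, 20)));
}
```

A non-zero `otherGrants` after the cleanup is expected for users who hold the role through another path and is the list to review when restricting access further.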
I had a few incidents in the past where entities got inactivated by mistake, so I decided to leverage our entity management and improve the UX so that managers receive a popup message before they proceed with the inactivation of an entity.
Steps:
Mark “Active” as read-only at dictionary level.
Change your scope to “GRC: Profile”.
Go to Profile [sn_grc_profile] and create a UI action called “Mark as inactive” with the following conditions:
Name: Mark as inactive
Action name: entity_retire
Form button: true
Show insert: true
Show update: true
Form style: destructive
List style: destructive
Client: true
Onclick: confirmAndRetireEntity()
Condition: gs.getUser().hasRole('sn_grc.manager') && current.active == true
Script:
// Client side: show the confirmation popup before anything is changed
function confirmAndRetireEntity() {
    var gwt = new GwtMessage();
    var title = gwt.getMessage('When a entity is retired, all related risks and controls are retired. Are you sure you want to continue?');
    var modal = new GlideModal("sn_grc_retire_popup", false, 600, 450);
    modal.setTitle(gwt.getMessage('Confirmation'));
    modal.setPreference('sysparm_title', title);
    modal.setPreference('sysparm_sysid', g_form.getUniqueValue());
    modal.setBackdropStatic(true);
    modal.setPreference('focusTrap', true);
    modal.setPreference('action_name', 'entity_retire');
    modal.render();
    return false;
}

// Server side: runs once the user has confirmed in the popup
if (typeof window == 'undefined')
    updateStatus();

function updateStatus() {
    current.setValue('active', 'false');
    current.update();
    action.setRedirectURL(current);
}
Result:
Note:
1. This popup can be widely used (it's generic), but it was originally created for Policies.
2. You need to create another button called “Mark as active” to perform the opposite behavior of this UI action. I gave it “entity_enroll” as the action name, changed the condition to run only on inactive records, changed the function name to “confirmAndEnrollEntity()”, and changed the line to “current.setValue('active', 'true')”, and that's it.
"Being a Jedi is not just about power, or lightsabers, or even skill with the Force. It is about connection. Being part of something bigger. I am stronger as part of the Jedi Order than I could ever be alone."