Read before upgrading your plugins to version 11.0.3 – “GRC Business Users”

Hello all,

I searched for comments or posts about this plugin upgrade version (11.0.3), but it seems to have slipped by somehow.

ServiceNow introduced the new role “GRC Business User” in the latest release (11.0.3) and added it to all users in the system. Yes, there is no way to stop that from happening (I raised a HI ticket), but there is a KB article that explains the reason behind this change and helps you roll it back if needed: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0864247

GRC Business Users

The Governance, Risk, and Compliance (GRC) product line requires action from many users who do not have a traditional product role, such as Compliance Reader or Risk Reader.  Even the reader roles allow access to the product module, dashboard, reports, and read-only table access.

To improve the internal security of the product, we created a dedicated GRC Business User role.  This role should be assigned to users who require access only to GRC applications in the context of performing tasks assigned to them; for example, a business user who needs to respond to an attestation or risk assessment.  Users with the GRC Business User role are provided limited access to data and to information relevant to the tasks assigned to them. 

The number of users assigned to the GRC Business User role does not impact product licensing.  Product licensing is based on the number of users that perform GRC operations as opposed to the number of users with a role that allows access to GRC operations.

Important note: To keep the product behavior consistent on upgrade, we initially assign the GRC Business User role to all users in the sys_user table by adding them to the GRC Business Users group.  We do this to match the previous product behavior that tasks such as attestations can be assigned to any internal employee.  You can remove users from the GRC Business User role to restrict access for specific users.

I have improved the OOTB script to be more defensive and used an on-demand scheduled job to keep the process from hanging during execution. That way the process is not associated with a UI session and runs in the background without interruptions.

Please use the script below to remove all users from the GRC Business Users group:

Steps:

1. Create a fix script called “Remove GRC Business User to all users”
Application: GRC: Profile
Script:

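var rec = new GlideRecord('sysauto_script');
// Queue the on-demand job only if it was found, so an empty record is never executed
if (rec.get('name', 'remove_users_to_grc_business_group'))
	gs.executeNow(rec);
else
	gs.error("KB0864247 - scheduled job remove_users_to_grc_business_group not found");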

2. Create a Scheduled Execution Job (sysauto_script) called “remove_users_to_grc_business_group”

Application: GRC: Profile

Run as: Administrator

Run: On Demand

Script:

var groupSysId = '053cd11a5bda50106d8012300a81c721'; // sys_id of the GRC Business Users group
var grGroup = new GlideRecord('sys_user_group');
if (grGroup.get(groupSysId)) // ensure the group exists so the addQuery condition below is never skipped
{
	var grMember = new GlideRecord('sys_user_grmember');
	grMember.addQuery('group', groupSysId);
	grMember.query();
	gs.info("KB0864247 - There are " + grMember.getRowCount() + " members of the GRC Business Users group");
	while (grMember.next())
	{
		// Log every membership before deleting it, so the system log records who was removed
		gs.info("KB0864247 - We are deleting user: " + grMember.user.getDisplayValue() + " - from the group: " + grMember.group.getDisplayValue());
		grMember.deleteRecord();
	}
}

3. Execute the fix script.
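
The KB text above says the role is meant for users who have GRC tasks assigned to them. As an added example (not part of the original post and not ServiceNow's code), this plain JavaScript function runs outside the instance over exported rows and plans a selective cleanup instead of removing everyone. The function name, the export shape and the sample rows are assumptions constructed for illustration.

```javascript
// Added example: plain JavaScript (e.g. Node.js), no Glide APIs.
// Field names mirror sys_user_grmember (user, group); all rows are constructed samples.
const GRC_BUSINESS_USERS = '053cd11a5bda50106d8012300a81c721'; // group sys_id used on this page

// Hypothetical helper: decide per membership row whether to keep or remove it.
function planGroupCleanup(members, users, openTaskAssignees, groupSysId) {
  const hasOpenTask = new Set(openTaskAssignees);
  const activeById = new Map(users.map((u) => [u.sys_id, u.active]));
  const plan = { keep: [], remove: [], skipped: 0 };
  for (const m of members) {
    // Same guard as addQuery('group', ...) in the job: never touch other groups.
    if (m.group !== groupSysId) { plan.skipped++; continue; }
    if (activeById.get(m.user) !== true) {
      // Inactive users, or memberships pointing at no known user, never keep the role.
      plan.remove.push({ user: m.user, reason: 'inactive or unknown user' });
    } else if (hasOpenTask.has(m.user)) {
      // Still has an attestation or risk assessment to answer: keep limited access.
      plan.keep.push({ user: m.user, reason: 'open GRC task assigned' });
    } else {
      plan.remove.push({ user: m.user, reason: 'no GRC task assigned' });
    }
  }
  return plan;
}

// Constructed sample export
const sampleUsers = [
  { sys_id: 'u1', active: true },
  { sys_id: 'u2', active: true },
  { sys_id: 'u3', active: false }
];
const sampleMembers = [
  { user: 'u1', group: GRC_BUSINESS_USERS },
  { user: 'u2', group: GRC_BUSINESS_USERS },
  { user: 'u3', group: GRC_BUSINESS_USERS },
  { user: 'u4', group: GRC_BUSINESS_USERS },    // no matching sys_user row
  { user: 'u1', group: 'another_group_sys_id' } // different group, must be skipped
];
const sampleAssignees = ['u1', 'u3']; // users with an open attestation or risk assessment

const samplePlan = planGroupCleanup(sampleMembers, sampleUsers, sampleAssignees, GRC_BUSINESS_USERS);
console.log(JSON.stringify(samplePlan, null, 2));
```

Reviewing the `remove` list with its reasons before running the scheduled job shows which users would lose access while they still have work assigned.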

If you have any questions, please let me know! Happy GRCommanding 

Prevent entities from being inactivated by mistake

Hi all,

I had a few incidents in the past where entities were inactivated by mistake, so I decided to leverage our entity management and improve the UX so that managers receive a popup message before they proceed with inactivating an entity.

Steps:

  1. Mark “Active” as read-only at dictionary level.
  2. Change your scope to “GRC: Profile”.
  3. Go to Profile [sn_grc_profile] and create a UI action called “Mark as inactive” with the following conditions:

    Name: Mark as inactive
    Action name: entity_retire
    Form button: true
    Show insert: true
    Show update: true
    Form style: destructive
    List style: destructive
    Client:  true

    Onclick: confirmAndRetireEntity()
    Condition: gs.getUser().hasRole('sn_grc.manager') && current.active == true
    Script:

    // Client side: show the confirmation modal before anything is changed
    function confirmAndRetireEntity() {
        var gwt = new GwtMessage();
        var title = gwt.getMessage('When an entity is retired, all related risks and controls are retired. Are you sure you want to continue?');
        var modal = new GlideModal("sn_grc_retire_popup", false, 600, 450);
        modal.setTitle(gwt.getMessage('Confirmation'));
        modal.setPreference('sysparm_title', title);
        modal.setPreference('sysparm_sysid', g_form.getUniqueValue());
        modal.setBackdropStatic(true);
        modal.setPreference('focusTrap', true);
        modal.setPreference('action_name', 'entity_retire');
        modal.render();
        return false; // do not submit the form while the modal is open
    }

    // Server side: there is no window object, so this runs only when the action is submitted
    if (typeof window == 'undefined')
        updateStatus();

    function updateStatus() {
        current.setValue('active', 'false');
        current.update();
        action.setRedirectURL(current);
    }

Note:

1. This popup can be widely used (it's generic), but it was originally created for Policies.

2. You need to create another button called “Mark as active” to perform the opposite of this UI action. I gave it “entity_enroll” as the action name; change the condition to run only on inactive records, change the function name to “confirmAndEnrollEntity()”, change the line to “current.setValue('active', 'true')”, and that's it.