Components installed with Vendor Risk Management

Activating the GRC: Vendor Risk Management (com.sn_vdr_risk_asmt) plugin adds or modifies several tables, user roles, and other components.

Note:

Activating the Vendor Risk Management plugin also installs the Explicit Roles plugin. The snc_internal and snc_external roles are installed, enabling the administrator to give internal and external users access to your instance. When vendor contacts are created, they are automatically assigned the snc_external role, giving them access to resources related to the vendor portal.

Vendor Risk Management and the Explicit Roles plugin

Activating the Vendor Risk Management plugin also installs the Explicit Roles plugin. Administrators assign the snc_internal and snc_external roles to provide internal and external users access to the instance. When vendor contacts are created, they are automatically assigned the snc_external role, giving them access to resources related to the vendor portal.

Various tables provide role-based access to records by setting the Roles field. If the Roles field is empty, all users have access to that record. For example, if the Roles field for a Service Catalog item is empty, all users have access to that Service Catalog item.

However, when the Explicit Roles plugin is installed, empty Roles fields are updated to snc_internal. Additionally, all users are given the snc_internal role. Continuing with the previous example:
  • Before installing the Explicit Roles plugin, if a Service Catalog item had an empty Roles field, it was accessible to every user.
  • After installing the Explicit Roles plugin, that Service Catalog item's Roles field is updated to snc_internal and all existing users are given the snc_internal role, making the catalog item accessible to those users.
  • After that, when new users are created, they must have the snc_internal role, or they will not have access to that Service Catalog item.
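
The before/after behaviour in the list above, modelled in plain JavaScript as an added example (not ServiceNow code and not part of the original documentation). The function names, records and users are constructed for illustration, and no instance API is called.

```javascript
// Added illustration (not ServiceNow code): models the Roles-field rule above.
const INTERNAL = "snc_internal";
const EXTERNAL = "snc_external";

// Empty Roles field: open to every user. Otherwise one listed role is required.
function canAccess(record, user) {
  return record.roles.length === 0 ||
    record.roles.some((role) => user.roles.includes(role));
}

// Plugin activation as the page describes it: empty Roles fields become
// snc_internal, and every user existing at that moment gets snc_internal.
function activateExplicitRoles(records, users) {
  return {
    records: records.map((r) =>
      ({ ...r, roles: r.roles.length ? [...r.roles] : [INTERNAL] })),
    users: users.map((u) =>
      ({ ...u, roles: [...new Set([...u.roles, INTERNAL])] })),
  };
}

// Audit helper: users holding neither explicit role, who therefore cannot
// reach any record that was migrated from "empty" to snc_internal.
function missingExplicitRole(users) {
  return users
    .filter((u) => !u.roles.includes(INTERNAL) && !u.roles.includes(EXTERNAL))
    .map((u) => u.name);
}

// Names of the records a given user can read.
function readable(records, user) {
  return records.filter((r) => canAccess(r, user)).map((r) => r.name);
}

// Constructed sample data: one open catalog item, one vendor-portal record.
const recordsBefore = [
  { name: "Laptop request", roles: [] },
  { name: "Vendor questionnaire", roles: [EXTERNAL] },
];
const usersBefore = [{ name: "alice", roles: ["itil"] }];
const after = activateExplicitRoles(recordsBefore, usersBefore);

// Accounts created after activation (constructed): an employee provisioned
// without snc_internal, and a vendor contact that received snc_external.
const bob = { name: "bob", roles: [] };
const carol = { name: "carol", roles: [EXTERNAL] };
console.log(readable(after.records, bob), readable(after.records, carol));
console.log(missingExplicitRole([...after.users, bob, carol]));
```

Running the same audit idea against a real instance means checking new accounts for one of the two explicit roles at provisioning time, since a missing role fails closed rather than raising an error.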

| Table | Changes |
| --- | --- |
| Access Control [sys_security_acl] | For all existing and newly created ACLs without a role requirement, the snc_internal role is assigned. |
| Catalog item [sc_cat_item] | For all records where the Roles field is empty, the snc_internal role is added. If the glide.sc.use_user_criteria property is set to false, newly created catalog items are automatically assigned the snc_internal role. If the property is set to true, the SNC External user criteria is added to all newly created catalog items, excluding external users from viewing the record. |
| Page [content_page] | For sites that have a login page, where the Read roles field is empty, the snc_internal role is added. For sites that have no login page or that have automatically created content pages, the public role is added. |
| Overview Help Panel [sys_ui_overview_help_panel] | For all records where the Roles field is empty, the snc_internal role is added. Newly created overview panels with an empty Roles field are also assigned the snc_internal role. |
| Navigation Menu [sys_app_application] | For all records where the Roles field is empty, the snc_internal role is added. Newly created navigation menus with an empty Roles field are also automatically assigned the snc_internal role. |
| Report [sys_report] | For all records where the Roles field is empty, snc_internal is added. Newly created reports that have an empty Roles field when sharing are also automatically assigned the snc_internal role. |
| Portal Page [sys_portal_page] | For all records where the Read roles field is empty, the snc_internal role is added. Newly created portal pages with an empty Read roles field are also automatically assigned the snc_internal role. |
| Processor [sys_processor] | For all records where the Roles field is empty, the snc_internal role is added. Newly created processors with an empty Roles field are also automatically assigned the snc_internal role. |

Roles installed with Vendor Risk Management

GRC: Vendor Risk Management adds the following roles.

| Role title [name] | Description | Contains roles |
| --- | --- | --- |
| Vendor risk assessor [sn_vdr_risk_asmt.vendor_assessor] | Manages vendors, manages vendor contacts, manages vendor risk assessments and issues, and completes vendor risk assessment requests. | sn_vdr_risk_asmt.vendor_assessment_reviewer; vendor_editor; vendor_reader; compliance reader |
| Vendor risk manager [sn_vdr_risk_asmt.vendor_risk_manager] | Manages vendors, manages vendor contacts, manages vendor assessment templates, manages questionnaire templates, manages documentation request templates, and manages scheduled assessments. | assessment_admin; sn_vdr_risk_asmt.vendor_assessment_reviewer; sn_vdr_risk_asmt.vendor_assessor |
| vendor_assessment_reviewer [sn_vdr_risk_asmt.vendor_assessment_reviewer] | | sn_compliance.reader; sn_risk.reader; vendor reader; task editor |
| Vendor contact [vendor_contact] | Answers questionnaires regarding risk. Primary contacts can also manage other contacts for the vendor. | snc_external |

Tables Installed with Vendor Risk Management

GRC: Vendor Risk Management adds the following tables.

| Table | Description |
| --- | --- |
| Assessment Template to Document Request Template [sn_vdr_risk_asmt_m2m_asmt_template_doc_req_template] | |
| Assessment Template [sn_vdr_risk_asmt_template] | |
| Assessment Template to Questionnaire Template [sn_vdr_risk_asmt_m2m_asmt_template_questionnaire_template] | |
| Associated Questionnaire [sn_vdr_risk_asmt_doc_assessment] | |
| Business Service Rating Scale [sn_vdr_risk_asmt_bs_weight_config] | |
| Business Service to Vendor [sn_vdr_risk_asmt_m2m_vendor_service] | |
| Document Request [sn_audit_interview] | |
| Questionnaire [sn_vdr_risk_asmt_m2m_asmt_questionnaire_template] | |
| Repeating Assessment [sn_vdr_risk_asmt_repeating_assessment] | |
| Risk Rating Scale [sn_vdr_risk_asmt_score_mapping] | |
| Take Assessment Link [sn_vdr_risk_asmt_take_link] | |
| Vendor Assessment to Questionnaire [sn_vdr_risk_asmt_m2m_assessment_instance] | |
| Vendor Risk Assessment [sn_vdr_risk_asmt_assessment] | |
| Vendor Risk Issue [sn_vdr_risk_asmt_issue] | |
| Vendor Risk Task [sn_vdr_risk_asmt_task] | |

Note: All additional tables installed by the dependent plugins are also needed for GRC: Vendor Risk Management.

Properties installed with Vendor Risk Management

GRC: Vendor Risk Management adds the following properties.

| Name | Description |
| --- | --- |
| sn_vdr_risk_asmt.company.name | Type: string. Default value: ServiceNow |
| sn_vdr_risk_asmt.glide.script.block.client.globals | Type: true \| false. Default value: false |

Client scripts installed with Vendor Risk Management

GRC: Vendor Risk Management adds the following client scripts.

| Client script | Table | Description |
| --- | --- | --- |
| Check if assessment varies from template | Vendor Risk Assessment [sn_vdr_risk_asmt_assessment] | |
| Check questionnare duration | Vendor Risk Assessment [sn_vdr_risk_asmt_assessment] | |
| Check questionnare duration on duration | Vendor Risk Assessment [sn_vdr_risk_asmt_assessment] | |
| Clear fields on vendor change | Vendor Risk Task [sn_vdr_risk_asmt_task] | |
| Configure state choice list | Vendor Risk Assessment [sn_vdr_risk_asmt_assessment] | |
| Copy information from template | Vendor Risk Assessment [sn_vdr_risk_asmt_assessment] | |
| Hide View Response link if no responses | Vendor Risk Assessment [sn_vdr_risk_asmt_assessment] | |
| Populate default metric types | Vendor Risk Assessment [sn_vdr_risk_asmt_assessment] | |
| Remove assessment when vendor is changed | Vendor Risk Issue [sn_vdr_risk_asmt_issue] | |
| Reset contacts on vendor update | Vendor Risk Issue [sn_vdr_risk_asmt_issue] | |
| Set assigned to on load | Vendor Risk Task [sn_vdr_risk_asmt_task] | |
| Set assignee to be current login user | Vendor Risk Issue [sn_vdr_risk_asmt_issue] | |
| Set fields when assessment changes | Vendor Risk Task [sn_vdr_risk_asmt_task] | |
| Set fields when issue changes | Vendor Risk Task [sn_vdr_risk_asmt_task] | |
| Set name when vendor is set | Vendor Risk Assessment [sn_vdr_risk_asmt_assessment] | |
| Set vendor when assessment changes | Vendor Risk Issue [sn_vdr_risk_asmt_issue] | |
| State read only for new assessments | Vendor Risk Assessment [sn_vdr_risk_asmt_assessment] | |
| Validate questionnare due date | Vendor Risk Assessment [sn_vdr_risk_asmt_assessment] | |

Script includes installed with Vendor Risk Management

GRC: Vendor Risk Management adds the following script includes.

| Script include | Description |
| --- | --- |
| VendorResponse | |
| VendorResponseBase | |
| VendorRiskAsmtAjax | |
| VendorRiskAssessment | |
| VendorRiskAssessmentBase | |
| VendorRiskAssessmentStrategy | |
| VendorRiskAssessmentStrategyBase | |
| VendorRiskFilters | |
| VendorRiskFiltersBase | |
| VendorRiskOwnerUtils | |
| VendorRiskOwnerUtilsBase | |
| VendorRiskRepeatingAsmt | |
| VendorRiskRepeatingAsmtBase | |
| VendorRiskScoring | |
| VendorRiskScoringBase | |

Business rules installed with Vendor Risk Management

GRC: Vendor Risk Management adds the following business rules.

| Business rule | Tables | Description |
| --- | --- | --- |
| Add additional assignee for VRM | Assessment Instance [asmt_assessment_instance] | |
| Add owner to vendor | Business Service to Vendor [sn_vdr_risk_asmt_m2m_vendor_service] | |
| Calculate assessment risk score | Assessment Instance [asmt_assessment_instance] | |
| Calculate document request risk rating | Assessment Instance [asmt_assessment_instance] | |
| Calculate risk quantitative store | Assessment Category Result [asmt_category_result] | |
| Calculate risk rating | Assessment Category Result [asmt_category_result] | |
| Cancel assessment | Vendor Risk Assessment [sn_vdr_risk_asmt_assessment] | |
| Cancel document request | Document request [sn_vdr_risk_asmt_m2m_asmt_doc_request] | |
| Cancel questionnaires | Questionnaire [sn_vdr_risk_asmt_m2m_asmt_questionnaire_template] | |
| Cancel questionnaires if assessment dele | Vendor Risk Assessment [sn_vdr_risk_asmt_assessment] | |
| Check contact exists when set visible | Vendor Risk Issue [sn_vdr_risk_asmt_issue]; Vendor Risk Task [sn_vdr_risk_asmt_task] | |
| Configure state scratchpad | Vendor Risk Assessment [sn_vdr_risk_asmt_assessment] | |
| Copy template and doc requests | Vendor Risk Assessment [sn_vdr_risk_asmt_assessment] | |
| Create an assessent on prior closure | Vendor Risk Assessment [sn_vdr_risk_asmt_assessment] | |
| Create default metrics | Assessment Metric Type [asmt_metric_type] | |
| Create missing category results | Assessment Instance [asmt_assessment_instance] | |
| Create or delete score mapping | Assessment Instance [asmt_assessment_instance]; Assessment Metric Type [asmt_metric_type] | |
| Create vendor risk assessment | Repeating Assessment [sn_vdr_risk_asmt_repeating_assessment] | |
| Delete take links on delete | Vendor Risk Assessment [sn_vdr_risk_asmt_assessment] | |
| Delete take links on update | Vendor Risk Assessment [sn_vdr_risk_asmt_assessment] | |
| Enforce valid state changes | Vendor Risk Assessment [sn_vdr_risk_asmt_assessment] | |
| Enforce vendor when submitting issue | Vendor Risk Issue [sn_vdr_risk_asmt_issue] | |
| Enforce vendor when submitting task | Vendor Risk Task [sn_vdr_risk_asmt_task] | |
| Evaluate controls | Vendor Risk Assessment [sn_vdr_risk_asmt_assessment] | |
| File role for Vendor Risk Assessments | Assessment Metric Type [asmt_metric_type] | |
| Issue assignee changed | Vendor Risk Issue [sn_vdr_risk_asmt_issue] | |
| Issue contract changed | Vendor Risk Issue [sn_vdr_risk_asmt_issue] | |
| Issue task changed | Vendor Risk Issue [sn_vdr_risk_asmt_issue] | |
| Prevent adding both SIG types | Questionnaire [sn_vdr_risk_asmt_m2m_asmt_questionnaire_template]; Assessment template to Questionnaire template [sn_vdr_risk_asmt_m2m_asmt_template_questionnaire_template] | |
| Prevent closure if has open tasks | Vendor Risk Issue [sn_vdr_risk_asmt_issue] | |
| Prevent duplicate Business critiality | Business Service Rating Scale [sn_vdr_risk_asmt_bs_weight_config] | |
| Questionnaire due date changed | Vendor Risk Assessment [sn_vdr_risk_asmt_assessment] | |
| Remove business owner on vendor | Business Service [cmdb_ci_service] | |
| Remove owner from vendor | Business Service to Vendor [sn_vdr_risk_asmt_m2m_vendor_service] | |
| Remove user from vendor business owners | User [sys_user] | |
| Restart workflow for due date change | Vendor Risk Assessment [sn_vdr_risk_asmt_assessment] | |
| Review duration changes | Vendor Risk Assessment [sn_vdr_risk_asmt_assessment] | |
| Send single document request | Document request [sn_vdr_risk_asmt_m2m_asmt_doc_request] | |
| Send single questionnaire | Questionnaire [sn_vdr_risk_asmt_m2m_asmt_questionnaire_template] | |
| Set 'Visible in vendor portal" flag | Vendor Risk Issue [sn_vdr_risk_asmt_issue] | |
| Set actual duration | Vendor Risk Assessment [sn_vdr_risk_asmt_assessment] | |
| Set actual end date | Vendor Risk Task [sn_vdr_risk_asmt_task] | |
| Set actual start date | Vendor Risk Issue [sn_vdr_risk_asmt_issue] | |
| Set default risk quantitative score | Assessment Category Result [asmt_category_result] | |
| Set questionnaire due date | Vendor Risk Assessment [sn_vdr_risk_asmt_assessment] | |
| Set the 'visible in vp' flag | Vendor Risk Task [sn_vdr_risk_asmt_task] | |
| Set vendor contact if it is empty | Vendor Risk Task [sn_vdr_risk_asmt_task]; Vendor Risk Issue [sn_vdr_risk_asmt_issue] | |
| Set vendor if parent is empty (display) | Vendor Risk Issue [sn_vdr_risk_asmt_issue] | |
| Set vendor values from related record | Vendor Risk Task [sn_vdr_risk_asmt_task] | |
| Submit to vendor | Vendor Risk Assessment [sn_vdr_risk_asmt_assessment] | |
| Sync planned duration field | Vendor Risk Assessment [sn_vdr_risk_asmt_assessment] | |
| Task assignee changed | Vendor Risk Task [sn_vdr_risk_asmt_task] | |
| Update business owner on vendor | Business Service [cmdb_ci_service] | |
| Update instance and category risk rating | Risk Rating Scale [sn_vdr_risk_asmt_score_mapping] | |
| Update percent complete | Vendor Assessment to Questionnaire [sn_vdr_risk_asmt_m2m_assessment_instance] | |
| Update scale range | Risk Rating Scale [sn_vdr_risk_asmt_score_mapping] | |
| Validate durations | Vendor Risk Assessment [sn_vdr_risk_asmt_assessment] | |
| Validate questionnaire due date | Vendor Risk Assessment [sn_vdr_risk_asmt_assessment] | |
| Vendor finished assessment | Assessment Instance [asmt_assessment_instance] | |
| Vendor Risk Assessment Assigned | Vendor Risk Assessment [sn_vdr_risk_asmt_assessment] | |