    Vulnerability Response personas and granular roles

    Before you can successfully remediate vulnerabilities with the Vulnerability Response application, you must assign personas and roles to your users and groups in Setup Assistant.

    One of the first configuration steps required for the Vulnerability Response application is to assign roles to users and groups. Roles define what users and groups can see and do in Vulnerability Response, Performance Analytics for Vulnerability Response, and all third party integrations with Vulnerability Response.

    If you have already assigned roles using Setup Assistant and you want to manage granular role assignments for all users and groups from the User Administration module, see Manage persona and granular roles for Vulnerability Response.
    Note: If you are an upgrade customer, access for the users and groups you assigned with the sn_vul.vulnerability_read and sn_vul.vulnerability_write permissions prior to v10.3 has not changed. Users and groups remain assigned with these roles until you change them. However, starting with v10.3, you may prefer assigning granular roles for more control over what users can do and see in the Vulnerability Response application.

    Persona roles and granular roles starting with v10.3

    Key terms

    Role
    Roles define what users and groups can see and do in the Vulnerability Response application.
    Group
    A set of users who share certain roles and a common purpose.
    Persona role
    A pre-configured role in the application that is made up of multiple granular roles. The persona roles in Setup Assistant (Vulnerability Admin, Vulnerability Analyst, Remediation Owner, Configuration Item Manager, and Exception Manager) are designed to correspond to common job titles for managers, analysts, and service owners in an IT organization or vulnerability remediation group.
    Inherited roles
    Roles that users automatically acquire when they are assigned other roles. For example, any users or groups assigned the sn_vul.remediation_owner persona role also inherit the sn_vul.read_assigned and sn_vul.write_assigned granular roles.
    Access control list (ACL)
    Access control lists restrict access to data by requiring users to pass a set of requirements before they can interact with it.

    Persona roles in Setup Assistant starting with v10.3

    Starting with v10.3, you assign groups and users to persona roles in Setup Assistant.
    Note: In Setup Assistant, the system admin role (admin) is required for the tasks in the first section, assigning roles and installing integrations. After you assign persona roles in Setup Assistant and install integrations, you may prefer to assign a user or group with the sn_vul.vulnerability_admin role to finish any remaining tasks in Setup Assistant and to manage the Vulnerability Response application.

    The following table lists Vulnerability Response roles prior to v10.3 and compares them to the persona roles installed with the application starting with v10.3.

    Prior to v10.3: If you assigned sn_vul.admin
    Starting with v10.3: You may prefer to assign sn_vul.vulnerability_admin - Vulnerability Admin to users or groups. Users with this role have complete access to the Vulnerability Response (VR) application and its records. Users with this role configure all VR applications and rules and install third party integrations.

    Prior to v10.3: If you assigned sn_vul.vulnerability_write for users and groups
    Starting with v10.3: You may prefer to assign sn_vul.vulnerability_analyst - Vulnerability Analyst to users and groups. Users and groups with this role view and update all records for VI remediation.

    Prior to v10.3: If you assigned sn_vul.remediation_owner
    Starting with v10.3: You may prefer to assign sn_vul.remediation_owner - Remediation Owner to users and groups. Users and groups with this role remediate vulnerabilities assigned to them or to a group they belong to. Groups or users with this role view and update the records assigned to them or to a group they belong to.

    Prior to v10.3: If you assigned sn_vul.admin for management of unmatched configuration items (CIs)
    Starting with v10.3: You may prefer to assign sn_vul.ci- CI Manager to users and groups. Users and groups with this role manage unmatched configuration items (CIs) not found in the Configuration Management Database (CMDB). Groups or users with this role update discovered items.

    Prior to v10.3: If you assigned sn_vul.admin for deferrals and exception approvals
    Starting with v10.3: You may prefer to assign sn_vul.exception_approver - Exception Approver to users and groups. Users and groups with this role approve exceptions, deferrals, and closures of vulnerability groups and vulnerable items.

    Prior to v10.3: If you assigned sn_vul.vulnerability_read to provide visibility into vulnerability management
    Starting with v10.3: You may prefer to assign read access to specific areas in the application by task. For example, assign sn_vul.read_all so a user can view all VR records. For read access to view vulnerability group rules, assign sn_vul.read_group_rules. Users and groups with this role do not update records.

    Granular roles and persona roles

    One way to think about persona roles is to consider how their descriptions may relate to job descriptions for various IT or vulnerability remediation positions in your organization. The following figure illustrates a possible job description for a remediation specialist in IT, and how the tasks associated with this job relate to the tasks of a remediation owner persona role in the Vulnerability Response application.

    Figure 1. Job descriptions and a persona role (image not reproduced: jobs in a company compared to personas in Vulnerability Response)

    Both the job description and the remediation owner persona role could be defined as a series of remediation tasks. In the preceding image, a job description and a persona role in green blocks sit atop the tasks that describe them. In this example, some of the typical job requirements for a specialist in a remediation group correspond directly to the tasks that make up the remediation owner persona in Vulnerability Response: Review and update records, track the remediation status of vulnerabilities, prioritize items for remediation, and apply fixes and patches with IT.

    Sometimes, however, the jobs in your organization may not directly correspond to the tasks that make up one of the five persona roles in the Vulnerability Response application. For various reasons, such as protecting sensitive data, or complying with regulations, you must limit the broad access some of the persona roles provide to your users and groups. Or, conversely, you are required to provide users and groups with more access so they can perform their jobs. Using granular roles, you can easily customize roles and control the access users and groups have to Vulnerability Response, Performance Analytics for Vulnerability Response, and third party integrations.

    The granular roles define the tasks

    The names for the granular roles in Vulnerability Response usually describe what users can do and see in the Vulnerability Response application. For example, in the previous image, users and groups with the Remediation owner persona assigned have the sn_vul.read_assigned and sn_vul.write_assigned granular roles. These granular roles permit users or groups to view and update vulnerable items and vulnerability group records that are assigned to them. To view descriptions of specific granular roles, as a user with the system admin role, navigate to User Administration > Roles and locate the role that you want. Roles that are automatically inherited when a role is assigned are listed. Also, when a role depends on other role assignments, any required roles are also listed.

    In the following image, the granular roles of both the remediation owner persona role and the vulnerability analyst persona are illustrated. Note that the remediation owner persona does not include the read_all and write_all permissions of the vulnerability analyst persona. The granular roles, read_all and write_all, are required before users and groups can read and edit all of the vulnerable item and vulnerability group records. To customize these roles, simply add or remove granular roles to expand or limit access.

    Figure 2. Granular roles and the remediation owner and vulnerability analyst personas (image not reproduced)

    If you want your users and groups to have more access than the persona roles permit, you can add more granular roles to users and groups. Conversely, if you want to limit access for specific users and groups at the task level, you can remove granular roles.

    Note: To assign and edit granular roles in the User Administration module, the system admin role is required.
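
The inheritance and customization described above can be checked mechanically. The following JavaScript is an added example, not ServiceNow code: it expands persona roles into their inherited granular roles, then flags pre-v10.3 roles and remediation owners who were additionally granted all-records roles. The user names and assignments are constructed, the containment map holds only the roles this page names, and sn_vul.write_all is assumed to carry the same prefix the page shows for sn_vul.read_all.

```javascript
// Added example: a least-privilege review over role assignments.
// All data is constructed for illustration, not exported from an instance.

// Role containment as stated on this page (partial: only the granular
// roles the page names for each persona).
const CONTAINS = {
  'sn_vul.remediation_owner': ['sn_vul.read_assigned', 'sn_vul.write_assigned'],
  // Assumption: write_all uses the sn_vul. prefix shown for sn_vul.read_all.
  'sn_vul.vulnerability_analyst': ['sn_vul.read_all', 'sn_vul.write_all'],
};

// Pre-v10.3 roles and the replacement suggested by the comparison table.
const LEGACY = {
  'sn_vul.admin':
    'sn_vul.vulnerability_admin, or the CI Manager / Exception Approver persona if that was the duty',
  'sn_vul.vulnerability_write': 'sn_vul.vulnerability_analyst',
  'sn_vul.vulnerability_read':
    'task-scoped read roles such as sn_vul.read_all or sn_vul.read_group_rules',
};

// Granular roles that open every vulnerable item and vulnerability group record.
const ALL_RECORDS = ['sn_vul.read_all', 'sn_vul.write_all'];

// Expand directly assigned roles into the full set, including inherited roles.
function effectiveRoles(direct, contains = CONTAINS) {
  const seen = new Set();
  const stack = [...direct];
  while (stack.length > 0) {
    const role = stack.pop();
    if (seen.has(role)) continue; // also guards against containment cycles
    seen.add(role);
    stack.push(...(contains[role] || []));
  }
  return [...seen].sort();
}

// Review one user's direct assignments and return findings for a human to triage.
function auditUser(user, direct) {
  const findings = [];
  for (const role of direct) {
    if (LEGACY[role]) {
      findings.push({ user, type: 'legacy_role', role, suggestion: LEGACY[role] });
    }
  }
  // A remediation owner is scoped to assigned records. A direct all-records
  // grant on top of that persona widens access beyond what the persona implies.
  const isOwner = direct.includes('sn_vul.remediation_owner');
  const isAnalyst = direct.includes('sn_vul.vulnerability_analyst');
  if (isOwner && !isAnalyst) {
    for (const role of ALL_RECORDS) {
      if (direct.includes(role)) {
        findings.push({ user, type: 'expanded_beyond_persona', role });
      }
    }
  }
  return { user, effective: effectiveRoles(direct), findings };
}

function auditAll(assignments) {
  return Object.entries(assignments).map(([user, direct]) => auditUser(user, direct));
}

// Constructed sample assignments (user -> directly assigned roles).
const SAMPLE = {
  alice: ['sn_vul.remediation_owner'],
  bob: ['sn_vul.vulnerability_write'],
  carol: ['sn_vul.remediation_owner', 'sn_vul.write_all'],
};

for (const result of auditAll(SAMPLE)) {
  console.log(result.user, result.effective.join(', '), JSON.stringify(result.findings));
}
```
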

    Granular roles in the User Administration module

    For an example of how to manage granular roles for a user or group, see Manage persona and granular roles for Vulnerability Response.

    To assign persona roles, see Assign the Vulnerability Response persona roles using Setup Assistant.

    Related concepts
    • Vulnerability Response assignment rules overview
    • Vulnerability Response groups and group rules overview
    • Vulnerability groups and group rules overview (Prior to v10.0)
    • CI Lookup Rules for identifying configuration items from Vulnerability Response third-party vulnerability integrations
    • Discovered Items
    • Vulnerability Response group and vulnerable item states
    • Vulnerability Response calculators and vulnerability calculator rules
    • Vulnerability Response vulnerable item detections from third-party integrations
    • Vulnerability Response remediation target rules
    • Vulnerability Solution Management
    • Introduction to Exception Management
    • Introduction to False Positive
    • Change management for Vulnerability Response
    • Software exposure assessment using Software Asset Management (SAM)
    • Domain separation and Vulnerability Response
