Entities in GRC

  • Release version: Xanadu
  • Updated July 31, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Entities in GRC

    In Governance, Risk, and Compliance (GRC), an entity can be a person, process, department, application, or object that requires exposure management. Each entity has defined controls to monitor its status. For example, when implementing a change management process for critical financial systems, these systems can be categorized as individual entities under an entity class named Financial.

    Show full answer Show less

    Key Features

    • Entity Ownership: Each entity has a designated owner, ensuring accountability. For instance, if a configuration audit reveals non-compliance in one server, only that entity is held accountable instead of all systems.
    • Downstream and Upstream Entities: Entities can have child (downstream) or parent (upstream) entities, aiding in hierarchical organization.
    • Automatic Entity Creation: Entities are generated automatically when a source record linked to an entity filter is created. Changes to the source record name can update the entity name if the synchronization option is enabled.
    • Entity Classes: These provide conceptual tagging for entities, allowing for organizational clarity. For instance, office spaces can be tagged under a location entity class.
    • Entity Class Rules: Automatically assign classes to new entities created on a specific table, streamlining organization.
    • Entity Types: Grouping of entities based on filter conditions, streamlining the creation of risks and controls for those entities.
    • Entity Tiers: Establish levels or hierarchies within entity classes to prioritize and monitor critical business items.

    Key Outcomes

    Defining entities within GRC helps customers maintain accountability, streamline risk management, and enhance compliance tracking. By utilizing entity classes, types, and tiers, organizations can efficiently manage and oversee various components of their governance and compliance efforts, ensuring that risks are accurately assessed and controlled.

    In Governance, Risk, and Compliance, an entity can be a person, process, department, application, or object, whose exposure must be managed. These entities have controls that are defined to view the status.

    To understand entities, consider the following example. Assume that you’re a new GRC user and you want to implement a change management process to all your critical financial systems. All the systems can be considered as individual entities. Map all the systems to an entity class called Financial. Have an entity type filter for critical financial systems to determine the systems that are identified as critical.

    The primary benefit of creating entities is that you can maintain accountability because each entity has an owner. To understand this benefit, assume that you want to configure all the servers in a new way. After you finish the configuration, you perform an audit and then discover that only one server failed to comply with the new configuration. If you had not defined all the entities, then the entire audit result would have been deemed as failed. But because you have the entities defined, then only the non-compliant server entity and its identified owner are held accountable instead of all the servers.

    Having defined entities ensures that the entity owners can be identified and that appropriate controls can be applied to those entities. It also helps in tracking the entities that are non-compliant. Any entity that has child entities can be said to have downstream entities. Any entity that has parent entities can be said to have upstream entities.

    When a source record linked to an entity filter is created, an entity is automatically generated in GRC. If the source record name changes after the entity is created, the entity name updates to match the source record name. This behavior is controlled by the Sync Entity name with source record check box. When selected, the Name field becomes read only and stays in synchronization with the source record. Clearing the check box enables you to manually override the entity name.

    After creating entities, you can tag the similar entities by defining the entity class for them individually or you can link them to an existing entity class.

    Entity classes

    Entity classes are used to add a conceptual information about the entity or tag the entity. To understand the concept of entity class, consider the following example. A company has office branches in three cities. The office space is considered as an entity and the entity class for these entities would be the location. You can create an entity class by associating it with an entity tier as shown in the following example.
    Figure 1. Sample configuration for an entity class
    Sample configuration for an entity class.

    Entity class rules

    Entity class rules help to assign classes to the entities at the table level. Any new entity created on the table gets that entity class automatically. Entity classes are used to tag your entities.

    When you create an entity over a specific table, the class associated with that table automatically gets assigned to the entity. You can set a new entity class rule for a table.

    Entity types

    An entity type is a grouping of entities that is based on filtering. Entity types enable you to find and create entities that match a set of filter conditions. Hierarchy can be created within the entity classes.

    Entity types also enable you to create risks and controls for each entity without spending much time. For example, an organization can have multiple departments, such as finance, HR, or IT. All these departments can be considered as entities and can be grouped under the entity type called Departments.

    You can create an entity type by associating it with the core business pillar such as Technologies or Facilities as shown in the following example.
    Figure 2. Sample configuration for an entity type
    Sample configuration for an entity type.

    Entity tiers

    When you create entity tiers, you apply a level or hierarchy to the entity classes. This level applies to all the entities in those entity classes. Entity tiers enable you to select and view the status of the most critical items in the business as shown in the following example.
    Figure 3. List view for an entity tier
    List view for an entity tier.