A computing system may include a database disposed within a computational instance of a remote network management platform that manages a managed network. Additionally, the computing system may include server device(s) disposed within the computational instance. The server device(s) may be configured to: compare, in order of priorities of assignment rules, a particular configuration item to the assignment rules until a matching condition is found, where the comparison includes consideration of one or more of: (i) particular item attributes of the particular configuration item or (ii) particular vulnerability attributes that apply to the particular configuration item; determine a particular remediator identifier related to the matching condition; based on a key and the particular remediator identifier, determine a particular group for the particular configuration item according to grouping rules; and store, in the database, a reference to the particular configuration item in the particular group.