Versions Compared

Old Version 1

changes.mady.by.user Tristan Mohn

Saved on

compared with

New Version Current

changes.mady.by.user Victoria Buhler

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Changed assignable to action


Page Contents

Table of Contents
indent17px

Overview

Permissions surrounding ZenGRC objects used to evaluate risk now have their own access control. This is an important security step to limit visibility of your organization's sensitive information.

The risk management objects that are involved with this change , include the following:

  • Risks
  • Threats
  • Vulnerabilities
  • Incidents

Risk Access Control

Only those listed in the Owner fields of the above risk objects can see the items, as well as anyone in an Administrator role.

The following outlines permissions for other items in ZenGRC:

  • Programs - If risk management items are mapped to a program, they are not visible to users assigned to fields in that program, unless those users are administrators.
  • Audits - For audit-specific roles, those assigned to the Audit Manager and Auditor fields are not able to see any risk group items mapped to that audit.
  • Tasks, Requests, Assessments - If an assignable action item (i.e. task, request, assessment) has a mapped risk, users assigned to that item can see the risk.

In addition, the following are areas in ZenGRC where access is restricted:

  • System of Record for Risks, Threats, Vulnerabilities, Incidents - These links are visible; however, only those with administrative access or who are listed as object owners can see individual items.
  • Risk Heatmap - This link is not available to editors and readers, even if they are object owners on a risk management item.
  • Compliance Dashboard,  - Certain areas of this dashboard are locked down. The section called High risk entities Risk Entities and the mini Risk Heatmap are not visible to editors and readers, even if they are object owners on a risk management item.

Risk Object Workflow Considerations

  • If an existing user needs access to the Risk Heatmap, the best option is to update their ZenGRC role to administrator.
  • If an existing user needs access to any of the risk management objects, either add them to the Owner field of individual risk objects or change their ZenGRC role to administrator to see all objects.
  • Remember that users assigned to tasks, requests and assessments can see any associated risks that are mapped to their assigned items.



Include Page
di:RH Navigation
di:RH Navigation