
Overview

Role-based permissions are settings within ZenGRC that control what users can see and do.

These permissions are established using pre-defined roles, each of which defines what users see and the types of actions they can perform.

Permission Types

There are four types of permissions in ZenGRC:

  • Global permissions - These apply to ZenGRC as a whole, not to individual programs or objects. These permissions, for example, determine whether users can see other users and dashboards by default.
  • Program permissions - Permissions that apply to a specific program created in ZenGRC, for example a SOC2 Program.
  • Audit permissions - Permissions established when creating an audit, or inherited from a related program.
  • Object-specific permissions - Access granted by virtue of association with a program, audit, task, or mapped object.

IMPORTANT

Permissions in ZenGRC are granted rather than limited: each level can only add rights on top of the level above it. This means that a user's global role should be the most restrictive level needed, with rights expanded at the program and object levels. In no case may program- or object-level permissions be more restrictive than what is configured for a user at the global level.

Setting Global Permissions

In order to limit access to a given program or object, start by setting the user's global role to Contributor, then grant the user explicit access in the program, audit, or object.

Roles and Access

Default Global Permissions for Programs, Audits & Objects

Role          | Log In | View/Read | Comment | Update | Delete | View Dashboards | Manage Global Access
Administrator | yes    | yes       | yes     | yes    | yes    | yes             | yes
Editor        | yes    | yes       | yes     | yes    | yes    | yes             | no
Reader        | yes    | yes       | yes     | no     | no     | yes             | no
Contributor   | yes    | no (1)    | no (1)  | no (1) | no     | no              | no
No Access     | no     | no        | no      | no     | no     | no              | no

(1) Contributors can view, edit and comment on objects they have created or to which they are assigned.

Program Permissions

The following roles may be established for users at the program level:

  • Manager - The program manager is the administrator of the program.
  • Editor - Users may create and update all objects within a program.
  • Reader - Users may view/read but may not update objects without explicit (assigned) access.
  • No Access - Users may not see any aspect of a program. Only users with global role of No Access or Contributor may be set to No Access at the program level.

Setting Program Permissions

  • The Program Manager is assigned during creation of the program.
  • Program Roles may be assigned by navigating to Programs, selecting the program you wish to modify, then editing the Roles for the program.

IMPORTANT

Permission changes may take up to an hour to propagate through the application. When making a change, please allow up to an hour to see it reflected in a user's access.

How may I limit a User's access to a Program?

Users who have Contributor global access may be set to have No Access in the People / Roles section of the program. The Contributor role is currently the only role that allows for restricting access to a program.

Audit Permissions

  • By default, audit permissions inherit the permissions of an associated program. If no program is associated, Global permissions and explicitly defined permissions apply.
  • When creating an object, an audit Manager may be assigned. Once saved, a program auditor may be defined. 
  • During the course of an audit, as tasks are created and assigned, Surveys are sent, and objects are mapped, users may gain access to some or all parts of the audit depending on their Global Role and the types of objects mapped. 
    • When assigning a user to an object, they acquire Write access to that object, and Read access to all first-level mapped objects (i.e., all objects, programs, etc. that are directly mapped to that object).

Object Specific Permissions

  • ZenGRC creates mapped objects which may include users, programs, audits, tasks, and more.
  • These permissions by default inherit the permissions of the context within which they are created, however mapping an object via assigning a role, task, etc. may expand the permissions of that object.
  • During the course of ZenGRC use, as tasks are created and assigned, Surveys are sent, and objects are mapped, etc., users may gain access to other programs, audits, and objects depending on their Global Role and the types of objects mapped. 
    • When assigning a user to an object, they acquire Write access to that object, and Read access to all first-level mapped objects (i.e., all objects, programs, etc. that are directly mapped to that object).
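The rules above (global role as a floor, program roles that only add rights, No Access only valid for Contributors, and Write on an assigned object plus Read on its first-level mappings) are easier to reason about as a small resolver. The following Python is an added example, not ZenGRC code: the role names come from this page, but the permission sets assigned to each program role, the treatment of a program-level No Access as hiding assigned objects in that program, and the sample programs and object names (SOC2, R-1, C-7, C-9) are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Object-level permissions a global role grants by default (from the Roles and Access
# table above). Log In / View Dashboards are omitted: they are not object permissions.
GLOBAL_DEFAULT = {
    "Administrator": {"read", "comment", "update", "delete"},
    "Editor":        {"read", "comment", "update", "delete"},
    "Reader":        {"read", "comment"},
    "Contributor":   set(),   # only on owned or assigned objects (footnote 1)
    "No Access":     set(),
}

# Assumed translation of the program-role descriptions into permission sets.
PROGRAM_ROLE = {
    "Manager":   {"read", "comment", "update", "delete"},
    "Editor":    {"read", "comment", "update"},
    "Reader":    {"read", "comment"},
    "No Access": set(),
}

OWNER_GRANT = {"read", "comment", "update"}   # "Write access" on an assigned/created object
MAPPED_GRANT = {"read"}                        # Read on first-level mapped objects


@dataclass
class Obj:
    name: str
    program: Optional[str] = None
    mapped_to: Set[str] = field(default_factory=set)   # first-level mappings


@dataclass
class User:
    name: str
    global_role: str
    program_roles: Dict[str, str] = field(default_factory=dict)
    owned: Set[str] = field(default_factory=set)       # created by or assigned to the user


def can_set_program_role(user: User, role: str) -> bool:
    """Program roles only expand the global role. The one restricting role, No Access,
    is valid only when the global role is already Contributor or No Access."""
    if role not in PROGRAM_ROLE:
        return False
    if role == "No Access":
        return user.global_role in ("Contributor", "No Access")
    return True


def set_program_role(user: User, program: str, role: str) -> None:
    if not can_set_program_role(user, role):
        raise ValueError(f"{role!r} is not allowed for {user.name} "
                         f"(global role {user.global_role})")
    user.program_roles[program] = role


def is_first_level_mapped(a: Obj, b: Obj) -> bool:
    return b.name in a.mapped_to or a.name in b.mapped_to


def effective_permissions(user: User, obj: Obj, objects: Dict[str, Obj]) -> Set[str]:
    """Union of every grant that reaches the object: global default, program role,
    direct ownership/assignment, and Read via a first-level mapping from an owned object."""
    if user.global_role == "No Access":
        return set()
    # Assumption: a program-level No Access (only reachable for Contributors) hides
    # every object in that program, including ones the user is assigned to.
    if obj.program is not None and user.program_roles.get(obj.program) == "No Access":
        return set()
    perms = set(GLOBAL_DEFAULT[user.global_role])
    if obj.program is not None and obj.program in user.program_roles:
        perms |= PROGRAM_ROLE[user.program_roles[obj.program]]
    if obj.name in user.owned:
        perms |= OWNER_GRANT
    for owned_name in user.owned:
        owned = objects.get(owned_name)
        if owned is not None and owned.name != obj.name and is_first_level_mapped(owned, obj):
            perms |= MAPPED_GRANT
    return perms


def demo() -> Dict[str, Set[str]]:
    # Constructed sample data: a risk R-1 mapped to control C-7; C-9 is unmapped.
    objects = {
        "R-1": Obj("R-1", program="SOC2", mapped_to={"C-7"}),
        "C-7": Obj("C-7", program="SOC2"),
        "C-9": Obj("C-9", program="SOC2"),
    }
    dana = User("dana", "Contributor", owned={"R-1"})   # assigned to R-1 only
    rob = User("rob", "Reader")
    out = {
        "dana:R-1": effective_permissions(dana, objects["R-1"], objects),
        "dana:C-7": effective_permissions(dana, objects["C-7"], objects),
        "dana:C-9": effective_permissions(dana, objects["C-9"], objects),
        "rob:C-9":  effective_permissions(rob, objects["C-9"], objects),
    }
    set_program_role(rob, "SOC2", "Editor")               # expands the Reader floor
    out["rob:C-9 as program Editor"] = effective_permissions(rob, objects["C-9"], objects)
    set_program_role(dana, "SOC2", "No Access")           # allowed: dana is a Contributor
    out["dana:R-1 after program No Access"] = effective_permissions(dana, objects["R-1"], objects)
    return out


if __name__ == "__main__":
    for key, perms in demo().items():
        print(f"{key:40s} {sorted(perms)}")
```

Note how the Contributor gets Write on R-1 and only Read on C-7 through the mapping, and how can_set_program_role refuses a program-level No Access for a global Reader, which is the configuration the IMPORTANT note above rules out.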