Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 18 Next »

Overview


Role-based permissions are settings within ZenGRC that control what users can see and do. 

These permissions are established using pre-defined roles which define what users see and the types of actions they perform.

Permission Types


There are four types of permissions in ZenGRC:

  • Global permissions - These apply to ZenGRC as a whole, not individual programs or objects. These permissions, for example, impact whether users can see other users and dashboards by default. 
  • Program permissions - Permissions that apply to a specific program created in ZenGRC, for example a SOC2 Program.
  • Audit Permissions - Permissions established when creating an audit, or inherited from a related program.
  • Object specific permissions -  Access granted by virtue of association with a program, audit, task, or mapped object.
  • Risk access control - Permissions applied to ZenGRC risk objects that include risks, threats, vulnerabilities, and incidents.

IMPORTANT

Permissions in ZenGRC are granted rather than limited. This means that permissions for a user should be set at the most restrictive level needed at the global level, with rights expanded at the program and object levels. In no case may program or object level permissions be more restrictive than what is configured for a user at the global level.

Setting Global Permissions


In order to limit access to a given program or object, start by setting the user global role to Contributor then grant explicit access to the user in the program, audit, or object.

Roles and Access

Default Global Permissions
for Programs, Audits & Objects

ZenGRC Role
AdministratorEditorReaderContributorNo Access
Log In(tick)(tick)(tick)(tick)(error)
View/Read(tick)(tick)(tick) (warning) 1(error)
Comment(tick)(tick)(tick) (warning) 1(error)
Update(tick)(tick)(error) (warning) 1(error)
Delete(tick)(tick)(error) (error) 2(error)
View
Dashboards
(tick)(tick)(tick)(error)(error)
Manage Global
Access
(tick)(error)(error)(error)(error)
Create Programs(tick)(error)(error)(error)(error)

1 A contributor can view/edit/comment objects they have created or on which they are assigned.
2 From May 2019, Contributors cannot delete any object.

Program Permissions

The following roles may be established for users at the program level:

  • Manager - The program manager is the administrator of the program.
  • Editor - Users may create and update all objects within a program.
  • Reader - Users may view/read but may not update objects.
Setting Program Permissions
  • The Program Manager is assigned during creation of the program
  • Program Roles may be assigned by navigating to Programs, select the program you wish to modify, then editing the Roles for the program.

Audit Permissions

  • By default, audit permissions inherit the permissions of an associated program. If no program is associated, Global permissions and explicitly defined permissions apply.
  • When creating an object, an audit Manager may be assigned. Once saved, a program auditor may be defined. 
  • During the course of an audit, as tasks are created and assigned, Surveys are sent, and objects are mapped, users may gain access to some or all parts of the audit depending on their Global Role and the types of objects mapped. 
    • When assigning a user to an object, they will acquire Write access to that object, and Read access to all first-level mapped objects (ie, all objects, programs, etc.) which are directly mapped to that object.

Object Specific Permissions

  • ZenGRC creates mapped objects which may include users, programs, audits, tasks, and more.
  • These permissions by default inherit the permissions of the context within which they are created, however mapping an object via assigning a role, task, etc. may expand the permissions of that object.
  • During the course of ZenGRC use, as tasks are created and assigned, Surveys are sent, and objects are mapped, etc., users may gain access to other programs, audits, and objects depending on their Global Role and the types of objects mapped. 
    • When assigning a user to an object, they will acquire Write access to that object, and Read access to all first-level mapped objects (ie, all objects, programs, etc.) which are directly mapped to that object.

Risk Access Control

Permissions surrounding objects used to evaluate risk have their own access control. Please see the documentation at Role-Based Permissions for Risk.


  • No labels