Page Contents

Overview

Role-based permissions are settings within ZenGRC that control what users can see and do.

These permissions are established using pre-defined roles which define what users see and the types of actions they perform.

Permission Types

There are four types of permissions in ZenGRC:

Global permissions - These apply to ZenGRC as a whole, not individual programs or objects. These permissions, for example, impact whether users can see other users and dashboards by default.
Program permissions - Permissions that apply to a specific program created in ZenGRC, for example a SOC2 Program.
Audit Permissions - Permissions established when creating an audit, or inherited from a related program.
Object specific permissions - Access granted by virtue of association with a program, audit, task, or mapped object.
Risk access control - Permissions applied to ZenGRC risk objects that include risks, threats, vulnerabilities, and incidents.

IMPORTANT

Permissions in ZenGRC are granted rather than limited. This means that permissions for a user should be set at the most restrictive level needed at the global level, with rights expanded at the program and object levels. In no case may program or object level permissions be more restrictive than what is configured for a user at the global level.

Setting Global Permissions

In order to limit access to a given program or object, start by setting the user global role to Contributor then grant explicit access to the user in the program, audit, or object.

Roles and Access

Default Global Permissions for Programs, Audits & Objects	ZenGRC Role
Default Global Permissions for Programs, Audits & Objects	Administrator	Editor	Reader	Contributor	No Access
Log In
View/Read				¹
Comment				¹
Update				¹
Delete				²
View Dashboards
Manage Global Access
Create Programs

¹ A contributor can view/edit/comment objects they have created or on which they are assigned.
² From May 2019, Contributors cannot delete any object.

Program Permissions

The following roles may be established for users at the program level:

Manager - The program manager is the administrator of the program.
Editor - Users may create and update all objects within a program.
Reader - Users may view/read but may not update objects.

Setting Program Permissions

The Program Manager is assigned during creation of the program
Program Roles may be assigned by navigating to Programs, select the program you wish to modify, then editing the Roles for the program.

Audit Permissions

By default, audit permissions inherit the permissions of an associated program. If no program is associated, Global permissions and explicitly defined permissions apply.
When creating an object, an audit Manager may be assigned. Once saved, a program auditor may be defined.
Users added to the Audit Managers field can be in an Administrator, Editor, or Contributor role.
During the course of an audit, as tasks are created and assigned, Surveys are sent, and objects are mapped, users may gain access to some or all parts of the audit depending on their Global Role and the types of objects mapped.
- When assigning a user to an object, they will acquire Write access to that object, and Read access to all first-level mapped objects (ie, all objects, programs, etc.) which are directly mapped to that object.

Object Specific Permissions

ZenGRC creates mapped objects which may include users, programs, audits, tasks, and more.
These permissions by default inherit the permissions of the context within which they are created, however mapping an object via assigning a role, task, etc. may expand the permissions of that object.
During the course of ZenGRC use, as tasks are created and assigned, Surveys are sent, and objects are mapped, etc., users may gain access to other programs, audits, and objects depending on their Global Role and the types of objects mapped.
- When assigning a user to an object, they will acquire Write access to that object, and Read access to all first-level mapped objects (ie, all objects, programs, etc.) which are directly mapped to that object.

Risk Access Control

Permissions surrounding objects used to evaluate risk have their own access control. Please see the documentation at Role-Based Permissions for Risk.

Other Helpful Content

•  Access and User Assistance
•  System of Record List Views
•  Actions on the Details Page
•  Creating New Objects
•  Favorites
•  Quick Tips for End Users (Printable)
•  Searching the Left-Hand Navigation

Browser not supported