Role-Based Permissions for Risk
- Tristan Mohn (Deactivated)
- Victoria Buhler (Deactivated)
- Diana Jaffe (Deactivated)
Owned by Tristan Mohn (Deactivated)
Page Contents
Overview
Permissions surrounding ZenGRC objects used to evaluate risk now have their own access control. This is an important security step to limit visibility of your organization's sensitive information.
The risk management objects that are involved with this change include the following:
- Risks
- Threats
- Vulnerabilities
- Incidents
Risk Access Control
Only those listed in the Owner fields of the above risk objects can see the items, as well as anyone in an Administrator role.
The following outlines permissions for other items in ZenGRC:
- Programs - If risk management items are mapped to a program, they are not visible to users assigned to fields in that program, unless those users are administrators.
- Audits - For audit-specific roles, those assigned to the Audit Manager and Auditor fields are not able to see any risk group items mapped to that audit.
- Tasks, Requests, Assessments - If an action item (i.e. task, request, assessment) has a mapped risk, users assigned to that item can see the risk.
In addition, the following are areas in ZenGRC where access is restricted:
- System of Record for Risks, Threats, Vulnerabilities, Incidents - These links are visible; however, only those with administrative access or who are listed as object owners can see individual items.
- Risk Heatmap - This link is not available to editors and readers, even if they are object owners on a risk management item.
- Compliance Dashboard - Certain areas of this dashboard are locked down. The section called High Risk Entities and the mini Risk Heatmap are not visible to editors and readers, even if they are object owners on a risk management item.
Risk Object Workflow Considerations
- If an existing user needs access to the Risk Heatmap, the best option is to update their ZenGRC role to administrator.
- If an existing user needs access to any of the risk management objects, either add them to the Owner field of individual risk objects or change their ZenGRC role to administrator to see all objects.
- Remember that users assigned to tasks, requests and assessments can see any associated risks that are mapped to their assigned items.
© 2021 Copyright Reciprocity, Inc.
https://reciprocity.com