Overview


ZenGRC objects used to evaluate risk now have their own access control, separate from the permissions on the programs, audits and other objects they are mapped to. This limits visibility of your organization's sensitive risk information to the users who own it or administer the system.

The risk management objects that are involved with this change include the following:

  • Risks
  • Threats
  • Vulnerabilities
  • Incidents

Risk Access Control


A risk object of any of the types above is visible only to the users listed in its Owner fields and to users in the Administrator role. Mapping the object to another item does not by itself make it visible to that item's users, with the single exception noted for assignable items below.

The following outlines how mappings to other ZenGRC items affect visibility:

  • Programs - If a risk management item is mapped to a program, users assigned to fields in that program do not gain visibility of it. They see it only if they are administrators or are listed as owners of the item.
  • Audits - Users assigned to the Audit Manager and Auditor fields of an audit do not see risk management items mapped to that audit through those roles.
  • Tasks, Requests, Assessments - If an assignable item (task, request or assessment) has a risk mapped to it, users assigned to that item can see the risk.

In addition, the following areas of ZenGRC are restricted:

  • System of Record for Risks, Threats, Vulnerabilities, Incidents - The links themselves remain visible to everyone, but the item lists behind them show only the items the user owns or, for administrators, all items.
  • Risk Heatmap - This link is not available to editors and readers, even if they are object owners on a risk management item.
  • Compliance Dashboard - Certain areas of this dashboard are locked down. The High risk entities section and the mini Risk Heatmap are not visible to editors and readers, even if they are object owners on a risk management item.
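The rules in the two lists above can be checked end to end with a small model. The following is an added example written for this page, not ZenGRC code: it assumes three roles (Administrator, Editor, Reader), identifies users by username, and uses constructed sample data (the "Unpatched VPN appliance" risk, the SOC 2 program and audit, and the users alice through erin are made up). The point it makes explicit is that program and audit mappings are deliberately never consulted by the visibility check, while a task/request/assessment assignment is.

```python
"""Model of the ZenGRC risk-object visibility rules described on this page.

Added example, not ZenGRC code. Assumes three roles (Administrator, Editor,
Reader) and that a user is identified by a username string.
"""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    ADMINISTRATOR = "Administrator"
    EDITOR = "Editor"
    READER = "Reader"


# The four object types that received their own access control.
RISK_OBJECT_TYPES = ("Risk", "Threat", "Vulnerability", "Incident")

# UI areas that are hidden from editors and readers regardless of ownership.
ADMIN_ONLY_AREAS = frozenset({"Risk Heatmap", "High risk entities", "Mini Risk Heatmap"})


@dataclass(frozen=True)
class User:
    name: str
    role: Role


@dataclass
class RiskObject:
    kind: str                          # one of RISK_OBJECT_TYPES
    title: str
    owners: frozenset = frozenset()    # usernames listed in the Owner fields

    def __post_init__(self):
        if self.kind not in RISK_OBJECT_TYPES:
            raise ValueError(f"not a risk management object: {self.kind}")


@dataclass
class Program:
    name: str
    assigned_users: frozenset          # users in the program's role fields
    mapped: list                       # RiskObjects mapped to the program


@dataclass
class Audit:
    name: str
    audit_managers: frozenset
    auditors: frozenset
    mapped: list


@dataclass
class AssignableItem:
    kind: str                          # "Task", "Request" or "Assessment"
    assignees: frozenset
    mapped: list


@dataclass
class Workspace:
    programs: list = field(default_factory=list)
    audits: list = field(default_factory=list)
    items: list = field(default_factory=list)


def can_view_risk_object(user: User, obj: RiskObject, ws: Workspace) -> bool:
    """Visibility rule for Risks, Threats, Vulnerabilities and Incidents."""
    if user.role is Role.ADMINISTRATOR:
        return True
    if user.name in obj.owners:
        return True
    # Assignment to a task/request/assessment that has the object mapped grants access.
    for item in ws.items:
        if user.name in item.assignees and obj in item.mapped:
            return True
    # Program role fields and Audit Manager/Auditor fields grant nothing,
    # so ws.programs and ws.audits are intentionally not consulted.
    return False


def system_of_record(user: User, objects: list, ws: Workspace) -> list:
    """Titles the user sees behind a System of Record link (the link itself is always shown)."""
    return [o.title for o in objects if can_view_risk_object(user, o, ws)]


def restricted_ui_areas(user: User) -> frozenset:
    """Admin-only areas this user may open; empty for editors and readers, owner or not."""
    return ADMIN_ONLY_AREAS if user.role is Role.ADMINISTRATOR else frozenset()


def demo() -> dict:
    """Constructed scenario (sample data, not from the page) exercising each rule."""
    risk = RiskObject("Risk", "Unpatched VPN appliance", owners=frozenset({"alice"}))
    ws = Workspace(
        programs=[Program("SOC 2", assigned_users=frozenset({"bob"}), mapped=[risk])],
        audits=[Audit("SOC 2 audit", audit_managers=frozenset({"carol"}),
                      auditors=frozenset(), mapped=[risk])],
        items=[AssignableItem("Task", assignees=frozenset({"dave"}), mapped=[risk])],
    )
    users = [User("alice", Role.EDITOR), User("bob", Role.READER),
             User("carol", Role.EDITOR), User("dave", Role.READER),
             User("erin", Role.ADMINISTRATOR)]
    return {u.name: can_view_risk_object(u, risk, ws) for u in users}


if __name__ == "__main__":
    for name, visible in demo().items():
        print(f"{name}: {'can see' if visible else 'cannot see'} the risk")
```

Running the scenario shows the owner (alice), the task assignee (dave) and the administrator (erin) seeing the risk, while the program user (bob) and the audit manager (carol) do not, even though both items have the risk mapped. `restricted_ui_areas` returns nothing for alice despite her ownership, matching the Risk Heatmap and Compliance Dashboard rules.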