As a quick introduction, here is a hierarchical view of the different Roles. Click on the different levels to see subjacent roles:






In the following table, you find an overview over the most important roles and rights, to offer a simple glance of the the most important roles. For more advanced needs, you can further divide the roles of Expert, Viewer and Admin into more fine-grained roles, details of which are listed in the second table at the end of the page.

The roles in capital letters are used for user rights synchronisation via LDAP, see  LDAP (Active Directory) Systemparameter, Parameter LDAP_SECURITY_GROUPS_MAPPING.

Most important roles

PermissionEnduserViewerExpertAdminIT Support
(ENDUSER)(VIEWER)(EXPERT)(ADMIN)(IT_SUPPORT)
Example employee position -->Normal userInternal AuditICS ResponsibleAdminIT Support
Read Control Setup
XX
X
Edit Control Setup

X
X
Read Control TaskX 11)XX
X
Provide support for Control Task 8)



X
Edit own/delegated Control TaskX



Submit own/delegated1) Control TaskX



Read ReportX 13)XX
X
Edit Action/Report

X
X
Create ActionX2)
X
X
Read ActionX 11)XX
X
Provide support for Action 8)



X
Capture implementation progressX3)
X
X
Close ActionX4)


X
Read Risk/Process
XX
X
Edit Risk/Process

X
X
Link Risk/Process

X
X
Read Risk AssessmentXXX
X
Edit Risk Assessment

X
X
Switch User



X
Edit DeputationX

XX
Read User Rights


XX
Edit User Rights


XX
Edit Employees/OrgUnits


XX
Edit System Configuration


XX
Read System Parameter/BatchJobs


XX
Edit System Parameter/BatchJobs



X
Read IncidentsX 11)X 12)X 12)
X
Edit Incidents

X 12)
X
Read Document  9)X 11)XXXX
Edit (central) Document  9) 10)


XX


Further roles, fine-grained according to functional scope:

Berechtigung


Control ExpertControl ViewerAction ExpertAction ViewerRisk ExpertRisk ViewerIncident ExpertIncident ViewerDocument AdminDocument ViewerUser AdminSystem AdminCoordinatorControl CoordinatorAction Coordinator

(CONTROL_
EXPERT)

(CONTROL_
VIEWER)

(ACTION_
EXPERT)

(ACTION_
VIEWER)

(RISK_
EXPERT)

(RISK_
VIEWER)

(INCIDENT_
EXPERT)		(INCIDENT_
VIEWER)

(DOCUMENT_ADMIN)*

(DOCUMENT_VIEWER)*

(USER_
ADMIN)		(SYSTEM_
ADMIN)		(COORDINATOR)(CONTROL_
COORDINATOR)		(ACTION_
COORDINATOR)
Hints -->IcS (Internal Controls)IA (Issues & Actions)Risk ManagementOperationel IncidentsDMS (Documents)AdministrationRarely used
Read Control SetupXX









XX
Edit Control SetupX













Read Control TaskXX









XX
Provide support for Control Task 8)











XX
Edit own/delegated Control Tasks














Close own/delegated1) Control Tasks














Read Report

XX










Edit Action/Report

X











Create Action

X











Read Action

XX







X
X
Provide support for Action 8)











X
X
Capture implementation progress

X








X
X
Close Action











X
X
Read Risk/Process



XX








Edit Risk/Process



X









Link Risk/ProcessX
X
X









Read Risk Assessment



XX








Edit Risk Assessment



X









Switch User











XXX
Edit Deputation









X
XX5)X6)
Read User Rights









X
XXX
Edit User Rights









X



Edit Employees/OrgUnits









X



Edit System Configuration










X


Read System Parameter/BatchJobs










X


Edit System Parameter/BatchJobs










 X


Read Incidents





X 12)X 12)






Edit Incidents





X 12)







Read Document 9)XXXXXXXXXXXXXXX
Edit (central) Document 9) 10)








X





*LDAP synchronization not yet implemented


Footnotes and details:

1) if delegated including Submit
2) if action type allows creation by Enduser
3) only if "May Edit" checkbox is selected for Action Owner
4) only if "May Edit" checkbox is selected for Action Owner & Enduser = Primary Action Owner
5) only for Controls
6) only for Actions
8) via Switch User
9) Scopes are: OrgUnit
10) Relevant for «central» documents – for attachments (e.g. of Tasks / Actions, ...) this right is not 
11) with own OrgUnit
12) checked are OrgUnit AND Incident Type 
13) only if the Enduser receives "additional read right" in a specific Report


Scopes determine the reach of the role

Depending on the role it is possible to limit the reach of the role via scopes.
This way, user rights can be given for a certain part in the organization in accordance with the "Need-to-know" principle. 

Following is an overview of the available scopes. Hint: not all scopes are relevant for all roles.


ScopeExplanationDetails und hints
OrgUnitspecifies for which OrgUnit the role is given (hierarchical scope)multiple selection possible
Incident Typeslimits the role to certain incident types only relevant für module OpLoss (Operational Incidents)
Risk Assessment-Typenlimits the role to certain risk assessment types this scope is combined with OrgUnit
Document-Typenlimits the role to certain document types only relevant for module DMS


Additional info

There are some specific points that need to be mentioned:

  • A User Admin cannot change its own In Produktion kann ein Administrator seine eigenen Rechte nicht ändern, in den Test-Umgebungen hingegen schon. 
  • Some roles / scopes are only relevant for specific modules
  • In some places there are additional settings that restrict user rights further, e.g.:
    • "Closed user group" in OrgUnits
    • "Always visible for own OrgUnit" im Document Type (DMS)
  • Keine Stichwörter