...
| Permission | Enduser | Viewer | Expert | Admin | IT Support | |||||||
| (ENDUSER) | (VIEWER) | (EXPERT) | (ADMIN) | (IT_SUPPORT) | ||||||||
| Example employee position --> | Normal user | Internal Audit | ICS Responsible | Admin | for AreaIT Support | |||||||
| Read Control Setup | X | X | X | |||||||||
| Edit Control Setup | X | X | ||||||||||
| Read Control Task | X 11) | X | X | X | ||||||||
| Provide support for Control Task 8) | X | |||||||||||
| Edit own/delegated Control Task | X | |||||||||||
| Submit own/delegated1) Control Task | X | |||||||||||
| Read Report | X 13) | X | X | X | ||||||||
| Edit Action/Report | X | X | ||||||||||
| Create Action | X2) | X | X | |||||||||
| Read Action | X 11) | X | X | X | ||||||||
| Provide support for Action 8) | X | |||||||||||
| Capture implementation progress | X3) | X | X | |||||||||
| Close Action | X4) | X | ||||||||||
| Read Risk/Process | X | X | X | |||||||||
| Edit Risk/Process | X | X | ||||||||||
| Link Risk/Process | X | X | ||||||||||
| Read Risk Assessment | X | X | X | X | ||||||||
| Edit Risk Assessment | X | X | ||||||||||
| Switch User | X | |||||||||||
| Edit Deputation | X | X | X | |||||||||
| Read User Rights | X | X | ||||||||||
| Edit User Rights | X | X | ||||||||||
| Edit Employees/OrgUnits | X | X | Read Area | X | X | X | Create AreaX | X | ||||
| Edit Area | X | X | X | Edit System Configuration | X | X | ||||||
| Read System Parameter/BatchJobs | X | X | ||||||||||
| Edit System Parameter/BatchJobs | X | |||||||||||
| Read Incidents | X 11) | X 12) | X 12) | X | ||||||||
| Edit Incidents | X 12) | X | ||||||||||
| Read Document 9) | X 11) | X | X | X | X | |||||||
| Edit (central) Document 9) 10) | X | X |
...
| Berechtigung | Control Expert | Control Viewer | Action Expert | Action Viewer | Risk Expert | Risk Viewer | Incident Expert | Incident Viewer | Document Admin | Document Viewer | User Admin | System Admin | Coordinator | Control Coordinator | Action Coordinator | ||||||||||
(CONTROL_ | (CONTROL_ | (ACTION_ | (ACTION_ | (RISK_ | (RISK_ | (INCIDENT_ EXPERT) | (INCIDENT_ VIEWER) | (DOCUMENT_ADMIN)* | (DOCUMENT_VIEWER)* | (USER_ ADMIN) | (SYSTEM_ ADMIN) | (COORDINATOR) | (CONTROL_ COORDINATOR) | (ACTION_ COORDINATOR) | |||||||||||
| Hints --> | IcS (Internal Controls) | IA (Issues & Actions) | Risk Management | Operationel Incidents | DMS (Documents) | Administration | Rarely used | ||||||||||||||||||
| Read Control Setup | X | X | X | X | |||||||||||||||||||||
| Edit Control Setup | X | ||||||||||||||||||||||||
| Read Control Task | X | X | X | X | |||||||||||||||||||||
| Provide support for Control Task 8) | X | X | |||||||||||||||||||||||
| Edit own/delegated Control Tasks | |||||||||||||||||||||||||
| Close own/delegated1) Control Tasks | |||||||||||||||||||||||||
| Read Report | X | X | |||||||||||||||||||||||
| Edit Action/Report | X | ||||||||||||||||||||||||
| Create Action | X | ||||||||||||||||||||||||
| Read Action | X | X | X | X | |||||||||||||||||||||
| Provide support for Action 8) | X | X | |||||||||||||||||||||||
| Capture implementation progress | X | X | X | ||||||||||||||||||||||
| Close Action | X | X | |||||||||||||||||||||||
| Read Risk/Process | X | X | |||||||||||||||||||||||
| Edit Risk/Process | X | ||||||||||||||||||||||||
| Link Risk/Process | X | X | X | ||||||||||||||||||||||
| Read Risk Assessment | X | X | |||||||||||||||||||||||
| Edit Risk Assessment | X | ||||||||||||||||||||||||
| Switch User | X | X | X | ||||||||||||||||||||||
| Edit Deputation | X | X | X5) | X6) | |||||||||||||||||||||
| Read User Rights | X | X | X | X | |||||||||||||||||||||
| Edit User Rights | X | ||||||||||||||||||||||||
| Edit Employees/OrgUnits | X | ||||||||||||||||||||||||
| Read Area | X | X | X | Create Area | X | Edit Area | X | X | X | Edit System Configuration | X | ||||||||||||||
| Read System Parameter/BatchJobs | X | ||||||||||||||||||||||||
| Edit System Parameter/BatchJobs | X | ||||||||||||||||||||||||
| Read Incidents | X 12) | X 12) | |||||||||||||||||||||||
| Edit Incidents | X 12) | ||||||||||||||||||||||||
| Read Document 9) | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | ||||||||||
| Edit (central) Document 9) 10) | X | ||||||||||||||||||||||||
...
1) if delegated including Submit
2) if action type allows creation by Enduser
3) only if "May Edit" checkbox is selected for Action Owner
4) only if "May Edit" checkbox is selected for Action Owner & Enduser = Primary Action Owner
5) only for Controls
6) only for Actions
8) via Switch User
9) Scopes are: OrgUnit
10) Relevant for «central» documents – for attachments (e.g. of Tasks / Actions, ...) this right is not
11) with own OrgUnit
12) checked are Area AND Incident Type or OrgUnit AND Incident Type
13) only if the Enduser receives "additional read right" in a specific Report
Scopes
...
determine the reach of the role
Depending on the role it is possible to limit the reach of the role via scopes.
This way, user rights can be given for a certain part in the organization in accordance with the Je nach Rolle sind verschiedene Scope-Einschränkungen möglich. Scopes bestimmen die Reichweite / Gültigkeitsgebiet der Rechte.
So können Rechte nur für einen bestimmten Area vergeben und sehr fein granular gemäss "Need-to-know" -Prinzip vergeben werdenprinciple.
Nachfolgend die in der Applikation vorhandenen Scopes zur Übersicht. Hinweis: nicht alle Scopes sind für jede Rolle relevantFollowing is an overview of the available scopes. Hint: not all scopes are relevant for all roles.
| Scope | ErklärungExplanation | Details und Hinweisehints | |||
|---|---|---|---|---|---|
| OrgUnit | bestimmt für welche OrgUnits die Rolle vergeben wird | Die genannte OrgUnit’s und alle darunter liegenden werden dem Benutzer freigeschaltet. Mehrfach-Nennungen sind möglich. | |||
| Area | bestimmt für welche Areae die Rolle vergeben wird | Die genannte Areae und alle darunter liegenden werden dem Benutzer freigeschaltet. Mehrfach-Nennungen sind möglich. | |||
| specifies for which OrgUnit the role is given (hierarchical scope) | multiple selection possible | ||||
| Incident Types | limits the role to certain incident types | only relevant für module OpLoss (Operational | Incident-Typen | ermöglicht die Einschränkung auf bestimmte Incidenttypen | nur relevant für das Modul OpLoss (Operationelle Incidents) |
| Risk Assessment-Typen | ermöglicht die Einschränkung auf bestimmte Risk Assessment-Typen | Diese Reichweite wird mit OrgUnit und Area kombiniert - falls weder OrgUnit noch Area gefüllt oder das Dropdown bei "Nur ausgewählte RA-Typen" leer ist, erhält der Benutzer keine Rechte auf Risk Assessments. | |||
| Document-Typen | ermöglicht die Einschränkung auf bestimmte Document-Typen | nur relevant für das Modul DMS, falls es relevante Documenten-Typen gibt |
Zusatzinformationen
Es gibt an einzelnen Stellen zusätzliche Regelungen die betreffend Benutzer-Rechten relevant sein können:
| limits the role to certain risk assessment types | this scope is combined with OrgUnit | |
| Document-Typen | limits the role to certain document types | only relevant for module DMS |
Additional info
There are some specific points that need to be mentioned:
- A User Admin cannot change its own In Produktion kann ein Administrator seine eigenen Rechte nicht ändern, in den Test-Umgebungen hingegen schon.
- Einzelne Rollen / Scopes sind nur relevant wenn die entsprechenden Module genutzt werden
- Some roles / scopes are only relevant for specific modules
- In some places there are additional settings that restrict user rights further, e.g.:
- "Closed user group" in OrgUnits
- "Always visible for own OrgUnit" im Document Type
- "Geschlossener Benutzerkreis" in den OrgUnit's
- "Immer sichtbar für eigene OrgUnit" im Documenten-Typ (DMS)