As a quick introduction, here is a hierarchical view of the different Roles. Click on the different levels to see subjacent roles:
In the following table, you find an overview over the most important roles and rights, to offer a simple glance of the the most important roles. For more advanced needs, you can further divide the roles of Expert, Viewer and Admin into more fine-grained roles, details of which are listed in the second table at the end of the page.
The roles in capital letters are used for user rights synchronisation via LDAP, see LDAP (Active Directory) Systemparameter, Parameter LDAP_SECURITY_GROUPS_MAPPING.
Most important roles
| Permission | Enduser | Viewer | Expert | Admin | IT Support |
| (ENDUSER) | (VIEWER) | (EXPERT) | (ADMIN) | (IT_SUPPORT) | |
| Example employee position --> | Normal user | Internal Audit | ICS Responsible | Admin for Area | IT Support |
| Read Control Setup | X | X | X | ||
| Edit Control Setup | X | X | |||
| Read Control Task | X 11) | X | X | X | |
| Provide support for Control Task 8) | X | ||||
| Edit own/delegated Control Task | X | ||||
| Submit own/delegated1) Control Task | X | ||||
| Read Report | X 13) | X | X | X | |
| Edit Action/Report | X | X | |||
| Create Action | X2) | X | X | ||
| Read Action | X 11) | X | X | X | |
| Provide support for Action 8) | X | ||||
| Capture implementation progress | X3) | X | X | ||
| Close Action | X4) | X | |||
| Read Risk/Process | X | X | X | ||
| Edit Risk/Process | X | X | |||
| Link Risk/Process | X | X | |||
| Read Risk Assessment | X | X | X | X | |
| Edit Risk Assessment | X | X | |||
| Switch User | X | ||||
| Edit Deputation | X | X | X | ||
| Read User Rights | X | X | |||
| Edit User Rights | X | X | |||
| Edit Employees/OrgUnits | X | X | |||
| Read Area | X | X | X | ||
| Create Area | X | X | |||
| Edit Area | X | X | X | ||
| Edit System Configuration | X | X | |||
| Read System Parameter/BatchJobs | X | X | |||
| Edit System Parameter/BatchJobs | X | ||||
| Read Incidents | X 11) | X 12) | X 12) | X | |
| Edit Incidents | X 12) | X | |||
| Read Document 9) | X 11) | X | X | X | X |
| Edit (central) Document 9) 10) | X | X |
Further roles, fine-grained according to functional scope:
| Berechtigung | Control Expert | Control Viewer | Action Expert | Action Viewer | Risk Expert | Risk Viewer | Incident Expert | Incident Viewer | Document Admin | Document Viewer | User Admin | System Admin | Coordinator | Control Coordinator | Action Coordinator |
(CONTROL_ | (CONTROL_ | (ACTION_ | (ACTION_ | (RISK_ | (RISK_ | (INCIDENT_ EXPERT) | (INCIDENT_ VIEWER) | (DOCUMENT_ADMIN)* | (DOCUMENT_VIEWER)* | (USER_ ADMIN) | (SYSTEM_ ADMIN) | (COORDINATOR) | (CONTROL_ COORDINATOR) | (ACTION_ COORDINATOR) | |
| Hints --> | IcS (Internal Controls) | IA (Issues & Actions) | Risk Management | Operationel Incidents | DMS (Documents) | Administration | Rarely used | ||||||||
| Read Control Setup | X | X | X | X | |||||||||||
| Edit Control Setup | X | ||||||||||||||
| Read Control Task | X | X | X | X | |||||||||||
| Provide support for Control Task 8) | X | X | |||||||||||||
| Edit own/delegated Control Tasks | |||||||||||||||
| Close own/delegated1) Control Tasks | |||||||||||||||
| Read Report | X | X | |||||||||||||
| Edit Action/Report | X | ||||||||||||||
| Create Action | X | ||||||||||||||
| Read Action | X | X | X | X | |||||||||||
| Provide support for Action 8) | X | X | |||||||||||||
| Capture implementation progress | X | X | X | ||||||||||||
| Close Action | X | X | |||||||||||||
| Read Risk/Process | X | X | |||||||||||||
| Edit Risk/Process | X | ||||||||||||||
| Link Risk/Process | X | X | X | ||||||||||||
| Read Risk Assessment | X | X | |||||||||||||
| Edit Risk Assessment | X | ||||||||||||||
| Switch User | X | X | X | ||||||||||||
| Edit Deputation | X | X | X5) | X6) | |||||||||||
| Read User Rights | X | X | X | X | |||||||||||
| Edit User Rights | X | ||||||||||||||
| Edit Employees/OrgUnits | X | ||||||||||||||
| Read Area | X | X | X | ||||||||||||
| Create Area | X | ||||||||||||||
| Edit Area | X | X | X | ||||||||||||
| Edit System Configuration | X | ||||||||||||||
| Read System Parameter/BatchJobs | X | ||||||||||||||
| Edit System Parameter/BatchJobs | X | ||||||||||||||
| Read Incidents | X 12) | X 12) | |||||||||||||
| Edit Incidents | X 12) | ||||||||||||||
| Read Document 9) | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X |
| Edit (central) Document 9) 10) | X | ||||||||||||||
*LDAP synchronization not yet implemented
Footnotes and details:
1) if delegated including Submit
2) if action type allows creation by Enduser
3) only if "May Edit" checkbox is selected for Action Owner
4) only if "May Edit" checkbox is selected for Action Owner & Enduser = Primary Action Owner
5) only for Controls
6) only for Actions
8) via Switch User
9) Scopes are: OrgUnit
10) Relevant for «central» documents – for attachments (e.g. of Tasks / Actions, ...) this right is not
11) with own OrgUnit
12) checked are Area AND Incident Type or OrgUnit AND Incident Type
13) only if the Enduser receives "additional read right" in a specific Report
Scopes bestimmen die Reichweiten der Berechtigungen
Je nach Rolle sind verschiedene Scope-Einschränkungen möglich. Scopes bestimmen die Reichweite / Gültigkeitsgebiet der Rechte.
So können Rechte nur für einen bestimmten Area vergeben und sehr fein granular gemäss "Need-to-know"-Prinzip vergeben werden.
Nachfolgend die in der Applikation vorhandenen Scopes zur Übersicht. Hinweis: nicht alle Scopes sind für jede Rolle relevant.
| Scope | Erklärung | Details und Hinweise |
|---|---|---|
| OrgUnit | bestimmt für welche OrgUnits die Rolle vergeben wird | Die genannte OrgUnit’s und alle darunter liegenden werden dem Benutzer freigeschaltet. Mehrfach-Nennungen sind möglich. |
| Area | bestimmt für welche Areae die Rolle vergeben wird | Die genannte Areae und alle darunter liegenden werden dem Benutzer freigeschaltet. Mehrfach-Nennungen sind möglich. |
| Incident-Typen | ermöglicht die Einschränkung auf bestimmte Incidenttypen | nur relevant für das Modul OpLoss (Operationelle Incidents) |
| Risk Assessment-Typen | ermöglicht die Einschränkung auf bestimmte Risk Assessment-Typen | Diese Reichweite wird mit OrgUnit und Area kombiniert - falls weder OrgUnit noch Area gefüllt oder das Dropdown bei "Nur ausgewählte RA-Typen" leer ist, erhält der Benutzer keine Rechte auf Risk Assessments. |
| Document-Typen | ermöglicht die Einschränkung auf bestimmte Document-Typen | nur relevant für das Modul DMS, falls es relevante Documenten-Typen gibt |
Zusatzinformationen
Es gibt an einzelnen Stellen zusätzliche Regelungen die betreffend Benutzer-Rechten relevant sein können:
- In Produktion kann ein Administrator seine eigenen Rechte nicht ändern, in den Test-Umgebungen hingegen schon.
- Einzelne Rollen / Scopes sind nur relevant wenn die entsprechenden Module genutzt werden
- teilweise gibt es zusätzliche Einstellungen in den Configurationen um weitere Vertraulichkeitsstufen zu definieren, zwei Beispiele:
- "Geschlossener Benutzerkreis" in den OrgUnit's
- "Immer sichtbar für eigene OrgUnit" im Documenten-Typ (DMS)