Assign Control to Owning Group Instead of Owner

Gene Manuel1
Giga Contributor

We would like to use "Owning Group" instead of owner in the Control record for Attestations. However, if a Control is in "Draft" State and you try to update the Control without an owner, you get the following error:

"The following mandatory fields are not filled in: Attestation respondents"

There's concern a Control will be set for Attestation and the person identified as the Owner may not be with the company or is out on PTO.

1 ACCEPTED SOLUTION

Gene Manuel1
Giga Contributor

It occurred to me that the reason they set up the Attestations so it goes to an Owner instead of the group has less to do with being able to configure the platform to do it, but rather because of the principles of Policy and Compliance. Say for instance we set up an attestation to go to a group of developers responsible for securing an application. One of the developers completes the attestation, unaware that the app has not been secured by the rest of the group and there is still work to be done. Later down the road, a security flaw is found with the app, and the onus falls on the developer that completed the attestation on behalf of the group. So it makes sense that an Owner is identified and designated to take the assessment who can be held accountable should things go south, which would generally be a manager.

With that said, I think I just answered my own question. We'll probably stay with Owner rather than Owner Group.

4 REPLIES

John Gilaspy
Kilo Expert

Quite a common concern. I've programmatically addressed that by inserting code that checks whether or not the respondent is still active, and if not, replacing the individual with the owner, if not the same person. If the same, replacing the owner with the default owner for the profile type. Either way, preventing the attestation from being generated, and notifying the owner of the issue helps address it. As for the Owning group, the OOB code that automatically sets the initial respondent to the owner would have to apply all group members as initial respondents, which isn't great either, since attestations are required of all respondents, not just one.

Hi Gene,

It would be more wise if you put the responsibility and accountability at the profile level and make the control and attestations available to a group rather than a single person.

Thanks,
Ashik

Hi @Ashik3,

Please, I need to know one way to be able to assign the Attestation to the group.

Regards,