Hey Gene
Providing admin is not going to solve your problem - check here the roles for P&C - the role sn_compliance.admin in addition to the inherited permissions, the compliance admin can delete authority documents, citations, policies, control objectives, and controls.
So your main concern is sharing data i.e. "visible and editable" between the groups and want to limit the access? So you want a role to be able to create/edit/read authority documents, citations, control objectives, and controls but only for their group?
The first thing cross my mind was to have a kind of power user (a user with limited manager permissions).
Lets call this intermediate role as group_manager. So what can do the group manager?
- Bringing some functionalities from the manager - "create authority documents, citations, control objectives, and controls" but limited for only for their group.
- It will contain the sn_compliance.user (Contains the reader role in sn_grc scopes. In addition to the inherited permissions, the compliance reader can be assigned indicators templates, indicators, and issues.)
- Which will inherit the sn_compliance.reader. (Contains the reader and user roles in sn_grc scopes, and the reader role in the Policy and Compliance Management application. In addition to the inherited permissions, the compliance user can be assigned controls and create policies, and has read-only access to the Risk Management application and modules.)
In order to limit the read access, you need to create a new user READ operation ACL for the table Controls and Policies to only allow read records if logged user is part of the same group as the control.owner (probably we need to find the right field to be our SoT) and inactivate the out of the box ones.
I think this is what you are looking for. Let me know your thoughts
Hey Gene
Providing admin is not going to solve your problem - check here the roles for P&C - the role sn_compliance.admin in addition to the inherited permissions, the compliance admin can delete authority documents, citations, policies, control objectives, and controls.
So your main concern is sharing data i.e. "visible and editable" between the groups and want to limit the access? So you want a role to be able to create/edit/read authority documents, citations, control objectives, and controls but only for their group?
The first thing cross my mind was to have a kind of power user (a user with limited manager permissions).
Lets call this intermediate role as group_manager. So what can do the group manager?
- Bringing some functionalities from the manager - "create authority documents, citations, control objectives, and controls" but limited for only for their group.
- It will contain the sn_compliance.user (Contains the reader role in sn_grc scopes. In addition to the inherited permissions, the compliance reader can be assigned indicators templates, indicators, and issues.)
- Which will inherit the sn_compliance.reader. (Contains the reader and user roles in sn_grc scopes, and the reader role in the Policy and Compliance Management application. In addition to the inherited permissions, the compliance user can be assigned controls and create policies, and has read-only access to the Risk Management application and modules.)
In order to limit the read access, you need to create a new user READ operation ACL for the table Controls and Policies to only allow read records if logged user is part of the same group as the control.owner (probably we need to find the right field to be our SoT) and inactivate the out of the box ones.
I think this is what you are looking for. Let me know your thoughts
