Restricted access to GRC modules

Colin Chalmers
Tera Contributor

Hi,

I have a requirement to restrict access to GRC modules even more than what the "sn_compliance.reader" and "sn_grc.business_user" roles provide OOTB.

To keep things simple for now.

A user should only be allowed to read records in the Policy & Exception table.

I tried to set up a new role 'sn_grc.security_officer_lite' to try this, but now they cannot see any records from there at all.

The error message being "Number of rows removed from this list by Security constraints: 20"

These are the steps I took:

1. I added the role to the user

2. I added the role to the module Item "All Policy Exceptions"

3. I changed the existing read (sn_compliance_policy_exception) ACL to include the role as shown below.

It is actually this last script that doesn't work; I narrowed it down to the fact that the method "canReadConfidentialRecord" returns false. If I just keep the check on the roles, it "works".

My questions are:

1. Is this the correct approach?

2. Why would the method return false when the record is not marked as being confidential?

answer = new sn_grc.GRCSecurityManager().canReadConfidentialRecord(current) && // confidentiality gate, AND-ed in front so it must pass first
    (
        (gs.hasRole('sn_grc.confidential_user') ||
            (
                (gs.hasRole('sn_grc.business_user') ||
                    gs.hasRole('sn_grc.business_user_lite') ||
                    gs.hasRole('sn_compliance.reader') ||
                    gs.hasRole('sn_grc.security_officer_lite')) && // the new custom role added here
                    new sn_compliance.PolicyException().hasReadAccess(current) // per-record read check
            )
        )
    );

2 REPLIES

Community Alums
Not applicable

Hi @Colin Chalmers,

You can keep it simple: just restrict it at module level without touching ACLs and "canReadConfidentialRecord"!!

As per your steps:

1. I added the role to the user

2. I added the role to the module Item "All Policy Exceptions"

Should be enough.

Hi Sandeep,

Thanks for your input.

What you suggest is where I started, but the following script is part of a default ACL on the table; I only tried to adapt it to add the new role that I had set up. Unfortunately this is not the solution, yet.

answer = new sn_grc.GRCSecurityManager().canReadConfidentialRecord(current) &&
    (
        (gs.hasRole('sn_grc.confidential_user') ||
            (
                (gs.hasRole('sn_grc.business_user') ||
                    gs.hasRole('sn_grc.business_user_lite') ||
                    gs.hasRole('sn_compliance.reader')) &&
                    new sn_compliance.PolicyException().hasReadAccess(current)
            )
        )
    );
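The ACL script in both the question and the reply above chains three gates: the platform confidentiality check is AND-ed in front of the whole role expression, so when it returns false no role grants access and every row is counted as "removed by security constraints". The following stand-alone JavaScript is an added example (not code from this thread, and not ServiceNow's own implementation) that models that script clause by clause, so the gate that denies a given user is named instead of collapsing into one boolean. The functions canReadConfidentialRecord, hasReadAccess and hasRole are stand-ins for the platform objects; their internal logic, the user and record objects, and the role list including 'sn_grc.security_officer_lite' are constructed assumptions for illustration, not the platform's actual behaviour.

```javascript
// Added example, not code from this thread or from ServiceNow: a stand-alone
// model of the policy-exception read ACL, evaluated clause by clause so the
// gate that denies a user can be seen. gs, current, GRCSecurityManager and
// PolicyException are replaced by plain functions whose internal logic is
// ASSUMED for illustration; the real platform logic is not shown on the page.

// Stand-in for sn_grc.GRCSecurityManager().canReadConfidentialRecord(current).
// ASSUMPTION: records flagged confidential are readable only by holders of
// sn_grc.confidential_user; unflagged records pass the gate.
function canReadConfidentialRecord(record, user) {
  if (!record.confidential) return true;
  return user.roles.includes('sn_grc.confidential_user');
}

// Stand-in for sn_compliance.PolicyException().hasReadAccess(current).
// ASSUMPTION: the record's owner and members of its owning group may read it.
function hasReadAccess(record, user) {
  return record.owner === user.name || user.groups.includes(record.ownerGroup);
}

// Stand-in for gs.hasRole(role).
function hasRole(user, role) {
  return user.roles.includes(role);
}

// Roles that the posted ACL ORs together, including the poster's custom role.
const READ_ROLES = [
  'sn_grc.business_user',
  'sn_grc.business_user_lite',
  'sn_compliance.reader',
  'sn_grc.security_officer_lite',
];

// Same boolean structure as the ACL script in the thread, but every gate is
// recorded in `trace` and the first failing gate is named in `deniedBy`.
function evaluateReadAcl(record, user) {
  const trace = {
    confidentialGate: canReadConfidentialRecord(record, user),
    confidentialUserRole: hasRole(user, 'sn_grc.confidential_user'),
    readerRole: READ_ROLES.some((r) => hasRole(user, r)),
    recordReadAccess: hasReadAccess(record, user),
  };

  const answer = trace.confidentialGate &&
    (trace.confidentialUserRole || (trace.readerRole && trace.recordReadAccess));

  let deniedBy = null;
  if (!trace.confidentialGate) {
    deniedBy = 'canReadConfidentialRecord'; // AND-ed in front: blocks every role
  } else if (!trace.confidentialUserRole && !trace.readerRole) {
    deniedBy = 'roles';
  } else if (!trace.confidentialUserRole && !trace.recordReadAccess) {
    deniedBy = 'hasReadAccess';
  }
  return { answer, deniedBy, trace };
}

// The list view's "rows removed by security constraints" count is simply the
// number of records for which the read ACL evaluates to false.
function rowsRemoved(records, user) {
  return records.filter((r) => !evaluateReadAcl(r, user).answer).length;
}

// Constructed sample data (not from any real instance).
const sampleRecords = [
  { number: 'EX-SAMPLE-1', confidential: false, owner: 'alice', ownerGroup: 'grc_team' },
  { number: 'EX-SAMPLE-2', confidential: true,  owner: 'alice', ownerGroup: 'grc_team' },
  { number: 'EX-SAMPLE-3', confidential: false, owner: 'dave',  ownerGroup: 'audit_team' },
];
const liteUser = { name: 'bob', roles: ['sn_grc.security_officer_lite'], groups: ['grc_team'] };

for (const rec of sampleRecords) {
  const result = evaluateReadAcl(rec, liteUser);
  console.log(rec.number, result.answer ? 'readable' : 'denied by ' + result.deniedBy);
}
console.log('rows removed:', rowsRemoved(sampleRecords, liteUser));
```

Run with node; for the constructed user and records it reports one readable row, one row denied by the confidentiality gate and one denied by the per-record read check, so two rows removed. The point of recording each gate separately is the same narrowing the original poster did by hand: a denial on a non-confidential record tells you to look at what the platform's confidentiality method actually evaluates rather than at the role list.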