Assign Continuous Authorization and Monitoring roles to your users
Before you can successfully implement or use the Continuous Authorization and Monitoring application, you must assign roles to your users.
Before you begin
Role required: admin
Procedure
- Navigate to All > User Administration > Users.
- Select the name of a user.
- Select the Roles tab.
- Select Edit.
- Move the roles that you want to assign to the user from the Collection side to the Roles List, then select Save.
- Repeat these steps for each of your users.
Note: If the Employee Operator plugin is installed, then roles such as Authorization Official, Executive Reader, and Reader are each classified as a lite role.
Role title [name] and description
Authorization Official (sn_irm_cont_auth.authorization_official)
The Authorization Official is responsible for accepting an information system into an operational environment at a known risk level. The Authorization Official is entitled to approve and update authorization packages.
The Authorization Official role contains:
- sn_irm_cont_auth.reader
Continuous Authorization and Monitoring administrator (sn_irm_cont_auth.admin)
The Continuous Authorization and Monitoring administrator is responsible for all system administration duties in the Continuous Authorization and Monitoring application. The Continuous Authorization and Monitoring administrator role contains:
- sn_audit.manager
- sn_compliance.admin
- sn_doc.admin
- sn_irm_cont_auth.reader
- sn_irm_cont_auth.scheduler
Executive Reader (sn_irm_cont_auth.executive_read)
The Executive Reader has read-only access to all modules of the Continuous Authorization and Monitoring application. The Executive Reader role contains: sn_irm_cont_auth.reader. Users with this role can access CAM Workspace.
Information Owner (sn_irm_cont_auth.information_owner)
The Information Owner is responsible for statutory, management, or operational authority and the establishment of policies and procedures governing its generation, collection, processing, dissemination, and disposal. The user can also update information types of an authorization package. The Information Owner role contains:
- sn_audit.user
- sn_irm_cont_auth.reader
Information System Security Manager (sn_irm_cont_auth.info_system_sec_manager)
Responsible for conducting information system security management activities. They develop and maintain the system-level cybersecurity program. The Information System Security Manager can update the authorization package. The role contains:
- sn_compliance.user
- sn_irm_cont_auth.reader
Information System Security Officer (sn_irm_cont_auth.info_system_sec_officer)
Responsible for ensuring that the appropriate operational security posture is maintained for an information system. The Information System Security Officer can update the authorization package. The role contains:
- sn_compliance.user
- sn_irm_cont_auth.reader
Reader (sn_irm_cont_auth.reader)
The Reader is a read-only role. Users with this role can access CAM Workspace. The Reader role contains:
- sn_audit.reader
- sn_grc_workspace.task_reader
- sn_grc_workspace.user
- sn_compliance.reader
- sn_incident_read
- sn_change_read
- sn_vul.read_all
- sn_si.read
Scheduler (sn_irm_cont_auth.scheduler)
The Scheduler is responsible for running all scheduled jobs for the application. This role is for a technical user. The Scheduler role contains: sn_irm_cont_auth.system_owner.
Security Control Assessor (sn_irm_cont_auth.sec_control_assessor)
The Security Control Assessor (SCA) is responsible for conducting a thorough assessment of the management, operational, and technical security controls of an information system. The Security Control Assessor role contains:
- sn_audit.manager
- sn_compliance.user
- sn_irm_cont_auth.reader
System Owner (sn_irm_cont_auth.system_owner)
The System Owner is responsible for procuring, developing, integrating, modifying, operating, and maintaining an information system. The System Owner role contains:
- sn_audit.user
- sn_compliance.user
- sn_irm_cont_auth.reader
System User (sn_irm_cont_auth.system_user)
The System User is responsible for performing actual work in the system. They can update authorization boundaries, filter, elements, milestones, and acceptance tasks. The System User role contains:
- sn_audit.user
- sn_irm_cont_auth.reader
- business user
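The containment lists above nest, so a user can end up with more roles than the single row for their assigned role names. The following JavaScript is an added example, not ServiceNow code: it transcribes the table into a map and expands each role transitively for an access review. The helper names effectiveRoles and indirectRoles are hypothetical, and the "business user" entry is copied as the page lists it.

```javascript
// Direct containment, transcribed from the role table on this page.
// Roles with no entry here have no contained roles listed on the page.
const CONTAINS = {
  'sn_irm_cont_auth.authorization_official': ['sn_irm_cont_auth.reader'],
  'sn_irm_cont_auth.admin': ['sn_audit.manager', 'sn_compliance.admin', 'sn_doc.admin',
    'sn_irm_cont_auth.reader', 'sn_irm_cont_auth.scheduler'],
  'sn_irm_cont_auth.executive_read': ['sn_irm_cont_auth.reader'],
  'sn_irm_cont_auth.information_owner': ['sn_audit.user', 'sn_irm_cont_auth.reader'],
  'sn_irm_cont_auth.info_system_sec_manager': ['sn_compliance.user', 'sn_irm_cont_auth.reader'],
  'sn_irm_cont_auth.info_system_sec_officer': ['sn_compliance.user', 'sn_irm_cont_auth.reader'],
  'sn_irm_cont_auth.reader': ['sn_audit.reader', 'sn_grc_workspace.task_reader',
    'sn_grc_workspace.user', 'sn_compliance.reader', 'sn_incident_read', 'sn_change_read',
    'sn_vul.read_all', 'sn_si.read'],
  // Assumption: the Scheduler row's contained role is read as system_owner.
  'sn_irm_cont_auth.scheduler': ['sn_irm_cont_auth.system_owner'],
  'sn_irm_cont_auth.sec_control_assessor': ['sn_audit.manager', 'sn_compliance.user',
    'sn_irm_cont_auth.reader'],
  'sn_irm_cont_auth.system_owner': ['sn_audit.user', 'sn_compliance.user',
    'sn_irm_cont_auth.reader'],
  'sn_irm_cont_auth.system_user': ['sn_audit.user', 'sn_irm_cont_auth.reader', 'business user'],
};

// Hypothetical helper: every role a user holds after being assigned `role`,
// following containment transitively. The visited set guards against cycles.
function effectiveRoles(role, table = CONTAINS) {
  const seen = new Set();
  const stack = [role];
  while (stack.length > 0) {
    const current = stack.pop();
    if (seen.has(current)) continue;
    seen.add(current);
    for (const child of table[current] || []) stack.push(child);
  }
  return [...seen].sort();
}

// Hypothetical helper: roles gained only indirectly, i.e. neither the assigned
// role nor anything in its own "contains" list.
function indirectRoles(role, table = CONTAINS) {
  const direct = new Set([role, ...(table[role] || [])]);
  return effectiveRoles(role, table).filter((r) => !direct.has(r));
}

// Print a review sheet for each Continuous Authorization and Monitoring role.
for (const role of Object.keys(CONTAINS)) {
  console.log(`${role}: ${effectiveRoles(role).length} effective, ` +
    `indirect: ${indirectRoles(role).join(', ') || '(none)'}`);
}
```

The indirect column is the part to check before assigning a role: for example, the Scheduler row names only one contained role, but through it the user also receives the System Owner and Reader containment lists.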