CAM user roles

  • Release version: Zurich
  • Updated October 8, 2025
  • Assign users and groups with roles to prepare them to use the CAM application.

    Role permissions and responsibilities

    Each role below is listed with its title, its role name in parentheses, a description of what a user holding it can do, and the roles it contains. A contained role is granted automatically, so the effective permissions of a role include those of every role it contains, directly or through further containment.
    Authorization Official

    (sn_irm_cont_auth.authorization_official)

    Responsible for accepting an information system into an operational environment at a known risk level.

    The Authorization Official is entitled to approve and update authorization packages.

    You can perform the following actions:
    • Activate/Deactivate Package
    • Generate SSP
    • Generate SAR
    • Generate POA&M
    • Refresh Risk Summary
    • Approve approval requests

    You can read the following:
    • Authorization Boundary (only if named as the Authorization Official on the package)
    • Authorization Package (only if named as the Authorization Official on the package)
    • System Elements
    • Information Types
    • Information Types Library
    • Control Objectives
    • Control Objective Requirements
    • Control Overlays
    • All Controls
    • Control Requirements
    • Assessment Procedures
    • POA&Ms
    You can update the following fields in the package:
    • Mission/Business process
    • Add comments
    • Name
    • Acronym
    • 800-53 version
    • System purpose
    • PTA/PIA section fields
    • Roles and responsibilities section (SCA, ISSO, ISSM, AODR)

    Contains roles:
    • sn_irm_cont_auth.reader
    Continuous Authorization and Monitoring administrator

    (sn_irm_cont_auth.admin)

    Responsible for all system administration duties in the CAM application.
    You can create, read, update, and delete the following:
    • Authorization Boundary
    • Boundary Filter (You have access to create)
    • System Elements (You have access to create and read)
    • Delete Authorization Boundary
    • Authorization Package
    • Activate/Deactivate Package
    • Move the Package to Next Stage
    • Information Types
    • Baseline Controls Add
    • Baseline Controls Mark as Common
    • Baseline Controls Mark as Not Applicable
    • Baseline Controls Inherit from Provider
    • Baseline Controls Hybrid
    • Baseline Controls - Return to Baseline Control
    • Generate SSP
    • Generate SAR
    • Generate POA&M
    • Export OSCAL
    • Refresh Risk Summary
    • Back To Previous
    • Delete Authorization Pack
    • Send PIA
    • PIA Take Response
    • PIA View Response
    • Update Control Overlay on Package
    • Information Types Library
    • Control Objectives (You have access to create, read, and update)
    • Control Objectives Requirement (You have access to create, read, and update)
    • Control Overlays (You have access to create, read, and update)
    • Issues (You have access to create, read, and update)
    • All Engagements
    • Control Tests
    • Test Plans
    • Test Templates
    • All Controls
    • Control Requirement
    • Assessment Procedures

    You can update the POA&Ms.

    Contains roles:
    • sn_audit.manager
    • sn_irm_cont_auth.reader
    • sn_irm_cont_auth.scheduler
    • sn_compliance.admin
    • sn_audit.admin
    • sn_doc.admin
    • sn_risk.admin
    • sn_grc_workspace.state_model_admin
    • sn_grc_doc_design.admin
    • sn_irm_shared_cmn.word_template_creator
    Executive Reader

    (sn_irm_cont_auth.executive_read)

    Read-only access to all modules of the CAM application.
    You can read the following:
    • Authorization Boundary
    • Boundary Filter
    • System Elements
    • Authorization Package
    • Information Types
    • Refresh Risk Summary
    • Information Types Library
    • Control Objectives
    • Control Objectives Requirement
    • Control Overlays
    • Control Tests
    • Test Plans
    • Test Templates
    • All Controls
    • Control Requirement
    • Assessment Procedures
    • POA&Ms
    Users with this role can access CAM Workspace.

    Contains roles:
    • sn_irm_cont_auth.reader
    Information Owner

    (sn_irm_cont_auth.information_owner)

    Official with statutory, management, or operational authority over specified information, responsible for establishing the policies and procedures that govern its generation, collection, processing, dissemination, and disposal. The Information Owner can also update the information types of an authorization package.
    You can create, read, update, and delete the following:
    • PIA Take Response
    • PIA View Response
    • Information Types (You have access to create and delete)
    • Refresh Risk Summary
    • Assessment Procedures
    • Issues (You have access to create, read, and update)
    • Test Plans (You have access to create, read, and update)
    • Test Templates (You have access to create, read, and update)
    You can read the following:
    • Authorization Boundary
    • System Elements
    • Authorization Package
    • Information Types Library
    • Control Objectives
    • Control Objectives Requirement
    • Control Overlays
    • All Engagements
    • Control Tests
    • All Controls
    • Control Requirement

    You can update the POA&Ms.

    Contains roles:
    • sn_audit.user
    • sn_irm_cont_auth.reader
    Information System Security Manager

    (sn_irm_cont_auth.info_system_sec_manager)

    Responsible for conducting information system security management activities. They develop and maintain the system-level cybersecurity program.

    Can update the authorization package.

    You can create, read, update, and delete the following:
    • Activate/Deactivate Package
    • Generate SSP
    • Generate SAR
    • Generate POA&M
    • Export OSCAL
    • Refresh Risk Summary
    • PIA Take Response
    • PIA View Response
    • Update Control Overlay on Package
    • Authorization Package (You can only read and update)
    • Control Objectives (You can only create, read, and update)
    • Control Objectives Requirement (You can only create, read, and update)
    • Control Overlays (You can only create, read, and update)
    • Issues (You can only create, read, and update)
    • All Controls (You can only create, read, and update)
    • Control Requirement (You can only create, read, and update)
    You can read the following:
    • Authorization Boundary
    • System Elements
    • Information Types
    • Information Types Library
    • Assessment Procedures

    You can update the POA&Ms.

    Contains roles:
    • sn_compliance.user
    • sn_irm_cont_auth.reader
    • sn_risk.user
    Information System Security Officer

    (sn_irm_cont_auth.info_system_sec_officer)

    Responsible for ensuring that the appropriate operational security posture is maintained for an information system.

    Can update the authorization package.

    You can create, read, update, and delete the following:
    • Activate/Deactivate Package
    • Move the Package to Next Stage
    • Baseline Controls Add
    • Baseline Controls Mark as Not Applicable
    • Baseline Controls Mark as Common
    • Baseline Controls Inherit from Provider
    • Baseline Controls Hybrid
    • Baseline Controls - Return to Baseline Control
    • Generate SSP
    • Generate SAR
    • Generate POA&M
    • Export OSCAL
    • Refresh Risk Summary
    • Send PIA
    • PIA Take Response
    • PIA View Response
    • Update Control Overlay on Package
    • Assessment Procedures
    • Information Types Library (You can only read and update)
    • Authorization Package (You can only read and update)
    • Control Objectives (You can only create, read, and update)
    • Control Objectives Requirement (You can only create, read, and update)
    • Control Overlays (You can only create)
    • Test Plans (You can only create, read, and update)
    • Test Templates (You can only create, read, and update)
    • All Controls (You can only create, read, and update)
    • Control Requirement (You can only create, read, and update)
    You can update the following:
    • POA&Ms
    • Authorization Boundary
    You can read the following:
    • System Elements
    • Information Types
    • All Engagements
    • Control Tests

    Contains roles:
    • sn_risk.user
    • sn_compliance.user
    • sn_irm_cont_auth.reader
    Reader

    (sn_irm_cont_auth.reader)

    Read-only role. Users with this role can access CAM Workspace.
    You can read the following:
    • Information Types
    • Information Types Library
    • Control Objectives
    • Control Objectives Requirement
    • Control Overlays
    • Control Tests
    • Test Plans
    • Test Templates
    • All Controls
    • Control Requirement
    • Assessment Procedures
    • POA&Ms

    Contains roles:
    • sn_vul.read_all
    • sn_si.read
    • sn_audit.reader
    • sn_incident_read
    • sn_grc_workspace.task_reader
    • sn_change_read
    • sn_compliance.reader
    • sn_grc_workspace.user
    Scheduler

    (sn_irm_cont_auth.scheduler)

    Responsible for running all scheduled jobs for the application. This role is intended for a technical (non-interactive) user account.

    Contains roles:
    • sn_irm_cont_auth.system_owner
    Security Control Assessor

    (sn_irm_cont_auth.sec_control_assessor)

    Responsible for conducting a thorough assessment of the management, operational, and technical security controls of an information system.
    You can create, read, update, and delete the following:
    • Refresh Risk Summary
    • PIA Take Response
    • PIA View Response
    • Assessment Procedures
    • Authorization Package (You can only read and update)
    • All Engagements (You can only read and update)
    • Control Tests (You can only read and update)
    • Test Plans (You can only create, read, and update)
    • Test Templates (You can only create, read, and update)
    • All Controls (You can only create, read, and update)
    • Control Requirement (You can only create, read, and update)
    • Control Objectives (You can only create, read, and update)
    • Control Objectives Requirement (You can only create, read, and update)
    • Control Overlays (You can only create, read, and update)
    You can read the following:
    • Authorization Boundary
    • System Elements
    • Information Types
    • Information Types Library

    You can update the POA&Ms.

    Contains roles:
    • sn_audit.manager
    • sn_compliance.user
    • sn_irm_cont_auth.reader
    System Owner

    (sn_irm_cont_auth.system_owner)

    Responsible for procuring, developing, integrating, modifying, operating, and maintaining an information system.
    You can create, read, update, and delete the following:
    • Authorization Boundary
    • Boundary Filter
    • System Elements
    • Delete Authorization Boundary
    • Authorization Package
    • Activate/Deactivate Package
    • Move the Package to Next Stage
    • Information Types
    • Baseline Controls Mark as Common
    • Baseline Controls Inherit from Provider
    • Baseline Controls Hybrid
    • Baseline Controls - Return to Baseline Control
    • Generate SSP
    • Generate SAR
    • Generate POA&M
    • Export OSCAL
    • Refresh Risk Summary
    • Send PIA
    • PIA Take Response
    • PIA View Response
    • Update Control Overlay on Package
    • Assessment Procedures
    • Control Objectives (no delete access)
    • Control Objectives Requirement (no delete access)
    • Test Plans (no delete access)
    • Test Templates (no delete access)
    • All Controls (no delete access)
    • Control Requirement (no delete access)
    You can read the following:
    • Information Types Library
    • All Engagements
    • Control Tests

    You can create the Control Overlays.

    You can update the POA&Ms.

    Contains roles:
    • sn_audit.user
    • sn_compliance.user
    • sn_irm_cont_auth.reader
    • sn_risk.user
    System User

    (sn_irm_cont_auth.system_user)

    Responsible for performing day-to-day work in the system. System Users can update authorization boundaries, boundary filters, system elements, milestones, and acceptance tasks.

    Contains roles:
    • business user
    • sn_audit.user
    • sn_irm_cont_auth.reader