Issues and Data Security

For issues to be raised against an object record, at least one user must be authorized as its issue owner or issue validator. If a risk has no issue owner or validator, for instance, issues can't be raised against it.

If at least one user has either of these authorizations for a record, any user assigned a role with the appropriate privilege can raise an issue against the record. A user who raises an issue but isn't among those authorized as issue owner or validator, however, initially can't work at resolving it.

When a user is authorized in an object record as an issue owner or an issue validator, that user is an owner of the issues raised against that record. Within the record of the issue, the owner can therefore use Security Assignment to authorize other users as owner, editor, or viewer, and as reviewer, approver, issue owner, and issue validator.

Conceptually, the issue-owner authorization enables a user to resolve issues, and the issue-validator authorization enables a user to validate issues. At the moment the issue is created:

  • If users are granted the issue-owner authorization, but no one is authorized as issue validator, the authorized users work at resolving issues, and the validation process is skipped.

  • If users are granted the issue-validator authorization, but no one is authorized as issue owner, the authorized users both validate issues raised against the record and work to resolve those issues.

  • If users are granted both authorizations, then issue validators perform the validation process and issue owners work at resolving validated issues.
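
The routing rules above can be checked across many records at once. The following Python sketch is an added example, not code or an API from the product. It models the three cases and flags records where issues can't be raised or where validation and resolution aren't done by separate groups. The record layout, the function names, and the sample users are assumptions made for illustration.

```python
# Added illustration of the routing rules described above.
# ObjectRecord, route_issue, audit and the sample data are hypothetical,
# not the product's data model or export format.
from dataclasses import dataclass, field


@dataclass
class ObjectRecord:
    name: str
    issue_owners: set = field(default_factory=set)
    issue_validators: set = field(default_factory=set)


def route_issue(record):
    """Decide, as of the moment an issue is created, who handles it."""
    owners = set(record.issue_owners)
    validators = set(record.issue_validators)
    can_raise = bool(owners or validators)
    return {
        "can_raise": can_raise,
        "validators": validators,
        # With no issue owner, the validators also resolve the issue.
        "resolvers": owners if owners else validators,
        # With owners but no validator, the validation process is skipped.
        "validation_skipped": can_raise and not validators,
    }


def audit(records):
    """Return (record name, finding) pairs worth a reviewer's attention."""
    findings = []
    for rec in records:
        routing = route_issue(rec)
        if not routing["can_raise"]:
            findings.append((rec.name, "issues cannot be raised"))
        elif routing["validation_skipped"]:
            findings.append((rec.name, "validation is skipped"))
        elif not rec.issue_owners:
            findings.append((rec.name, "validators also resolve"))
    return findings


# Constructed sample records, one per case described in the text.
RECORDS = [
    ObjectRecord("Risk A"),
    ObjectRecord("Risk B", issue_owners={"alice"}),
    ObjectRecord("Control C", issue_validators={"bob"}),
    ObjectRecord("Control D", issue_owners={"alice"}, issue_validators={"bob"}),
]

if __name__ == "__main__":
    for name, finding in audit(RECORDS):
        print(f"{name}: {finding}")
```

Only the record with both authorizations assigned produces no finding, because it is the only case in which validation and resolution are handled by separately authorized users.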

Remediation plans are secured separately from issues. The person who creates a remediation plan is its owner, and can authorize other users as owners, editors, and viewers, and as reviewers and approvers. But these users have access to the issue related to a remediation plan only if they're authorized to work with the issue. Similarly, users authorized to work with an issue can see its related plan only if they're authorized to see the plan.