Secure Records in Advanced Controls
To work with records of models, advanced controls, or incidents, a user must be both "eligible" and "authorized" for them.
To be eligible for records of an object, a user must be assigned a role that grants privileges to work with that object. Then:
-
An eligible user who creates one of these records is automatically authorized as its owner.
-
The owner authorizes other eligible users as owners, editors, or viewers. An owner can edit details of the record, including its data-security configuration. An editor can't modify the security configuration, but can modify other details. A viewer can see record details, but can't change them. A user must have one of these authorizations to have access to the record.
To authorize users:
-
An owner of a model clicks a Security Assignment button in the page to edit the model. This opens a Security Assignment page. (The button isn't available while the model is being created, but appears immediately after its creator saves or submits it for the first time.)
-
An owner of a control configures security for it and the incidents it generates as steps in the control-deployment process. Or, in the page to edit a control, the owner expands a Security Assignment list to select either of two Security Assignment pages, one for the control and one for its incidents.
-
An owner of an individual incident can open Security Assignment from the page to edit the incident. These security edits would apply to that incident, but not to others generated by its control.
In any of these cases, if you're an owner you can add individual users or user groups. A group is a set of users with an authorization for a type of object. Assigning groups to records (and users to groups) is typically the more efficient approach to managing security.
-
To select an individual user, click Add in a User Assignments panel. Search for and select a user in a Name field. In an Authorized As field, select Owner, Editor, or Viewer. Then click a Save button.
You can select less access than a user is eligible to have. For example, a user may be eligible to work with models at any of the three levels. If you select that user as a viewer for a model, he can't edit that model, even though he remains eligible to be selected as an owner or editor of other models.
-
To select a user group, click Add in a Group Assignment panel. Search for and select a group, and then save that selection.
Each group has a single authorization. As you select a group for a record, you can view the authorization, but you can't change it. You may assign multiple groups to a record, to combine authorizations.
A group is available to be selected for a record only if at least one of its members is eligible for that record. Groups with no eligible users are excluded.
Over time, members may be added to or dropped from groups, or their role assignments may change. This may result in a group having been assigned to a record but no longer having members who are eligible for it. If so, a warning icon appears next to the group name.
-
To edit or delete a user or group, click the edit icon in its row.