Secure Records in Financial Reporting Compliance
To work with records of processes, risks, controls, issues, remediation plans, assessments, or surveys, a user must be both "eligible" and "authorized" for them.
To be eligible for records of an object, a user must be assigned a role that grants privileges to work with that object. Then:
-
An eligible user who creates one of these records is automatically authorized as its owner.
-
The owner authorizes other eligible users as owners, editors, or viewers. An owner can edit details of the record, including its data-security configuration. An editor can't modify the security configuration, but can modify other details. A viewer can see record details, but can't change them. A user must have one of these authorizations to have access to the record.
-
Processes, risks, and controls may be associated with child objects. You can access records of these child objects only if you're authorized to work with their parent. For example, processes may have action items, but you can access only action items belonging to processes for which you're an owner, editor, or viewer. However, no matter how you've been authorized to work with a parent, you can create and edit child records. So, for example, the viewer of a process can only see the process itself, but can also create or edit action items for that process.
-
An owner may select users for additional authorizations, if appropriate for a record: reviewer or approver, issue owner or validator, or assessor. This type of authorization is distinct from the other. For example, a user may be selected both as a viewer of a risk record and an approver for that record. If so, the user can't edit the risk itself, but does have write access in the page to approve or reject the risk.
If you own a record, then to authorize users for it:
-
In most cases, click a Security Assignment button in the page to view or edit the record. This opens a Security Assignment page. (The button isn't available while the record is being created, but appears immediately after its creator saves or submits it for the first time.)
-
For assessments, configure security as you follow a "guided process" to initiate or edit assessment batches. As separate steps in the process, you secure the batch itself, and then individual assessments within the batch.
-
In a special case, the Security Assignment button for a control record provides links to two security pages:
-
In a Control Security Assignment page, you authorize access to the control record itself.
-
In a Default Assessment Security Assignment page, you may select assessment actors, who are then selected by default for all certification assessments of the control. (They're not assigned, however, to any type of control assessment other than certification.) The owner of an assessment batch that includes the control can modify these default security assignments.
-
In any of these cases, you can add individual users or user groups. A group is a set of users with an authorization for a type of object. Assigning groups to records (and users to groups) is typically the more efficient approach to managing security.
To select an individual user, click Add in a User Assignments panel. Search for and select a user in a Name field. Make the following selections, and then click a Save button.
-
In an Authorized As field, you must select one of the Owner, Editor, or Viewer values for each user.
In the Security Assignment page for an object, you can select less access than a user is eligible to have. For example, a user may be eligible to work with risk records at any of the three levels. If you select that user as a viewer for a risk, he can't edit that risk, even though he remains eligible to be selected as an owner or editor of other risks.
In the Default Assessment Security Assignment page for a control, Viewer is selected automatically. You can't make any other selection.
-
In an Authorizations area, select checkboxes for any number of additional authorizations.
In the Security Assignment page for an object, these vary according to the object you're working with. For any given user, these authorizations are optional. However, select at least one user for an authorization to implement the activity it authorizes. For example, issues can be raised against a record only if at least one user is authorized as Issue Owner or Issue Validator for that record.
In the Default Assessment Security Assignment page for a control, you use the Authorizations area to select assessors, reviewers, and approvers for certification assessments.
To select user groups, click Add in a Group Assignment panel. Search for and select a group, and then save that selection.
-
Each group has a single authorization. As you select a group for a record, you can view the authorization, but you can't change it. You may assign multiple groups to a record, to combine authorizations.
Every user must have the Owner, Editor, or Viewer authorization. So if you select a group with one of the "additional" authorizations (one you can select in the Authorizations area for an individual user), group members are also granted the Viewer authorization.
-
A group is available to be selected for a record only if at least one of its members is eligible for that record. Groups with no eligible users are excluded.
-
Over time, members may be added to or dropped from groups, or their role assignments may change. This may result in a group having been assigned to a record but no longer having members who are eligible for it. If so, a warning icon appears next to the group name.
To edit or delete a user or a group, click the edit icon in its row.