Access Control List (ACL)
Basic ACL (default)
Access Control List (ACL) defines users’ access rights. There are four user types out of the box for CoVi. These are:
- Admin: Usually someone from the Risk and Compliance team. This user type has full access to update Configs, Add/Edit/Delete any data in CORE, and update any assessment.
- Owner: The Executive (e.g. COO, CEO) who owns and manages risks and controls in the business. This user type can Add new data, can only Edit/Delete data items they own, and can update assessments for CORE Elements they own.
- Reviewer: Usually direct reports to the executive team (e.g. COO, CEO) who review submissions before Owners sign off. This user type can only Edit and update assessments for the CORE Elements they are assigned to.
- Manager: The person responsible for day-to-day operations of risks and controls, usually the direct reports of the Exec (e.g. Head of ..). This user type can only update assessments for CORE Elements they are assigned to.
- Guest: Anyone who only needs read-only access to CORE.
The table below summarises the default ACL:
The design principles for CoVi mean that by default:
- To promote transparency and avoid silos, “View” is unrestricted for all users; and
- To enforce accountability and ownership, the ability to “Add/Edit/Delete/Assess” is restricted by role.
The Enhanced ACL config allows Admin users to restrict VIEW access or loosen up “Add/Edit/Delete/Assess” access. This is done using three attributes associated with the user:
- the Team the users are in (some firms refer to these as Functions);
- the Entity users belong to; OR
- the Business Units users belong to.
In each case, a user can belong to multiple teams, entities and business units.
The Enhanced ACL is set by simply toggling the attributes which should be used to restrict or loosen access.
Based on the table above, the access rights for the three roles are modified as follows:
- Guest: view only access restricted to items (risks, controls etc.) for the entities they belong to.
- Manager: can update assessments for any item (risk, control etc.) that belongs to the team and have unrestricted access to view everything.
- Owner: can add a new item (e.g. a Risk) and assign it to any other owner that belongs to their team, edit any item that belongs to the Entity they are part of, and have unrestricted access to view everything.
PREREQUISITE: To use the Enhanced ACL, all users will need to have at least one Team, Entity and Business Unit assigned to them.
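The following is an added illustrative model of the default and Enhanced ACL rules described above; it is not CoVi's own code, and the names (User, Item, default_acl, enhanced_acl, can_assign_owner) and the sample users and items are assumptions constructed for the example. It shows how the default role-based checks, the attribute-based Enhanced checks, and the prerequisite that every user has a Team, Entity and Business Unit fit together in one decision function.

```python
from dataclasses import dataclass

# Roles and actions as listed on this page.
ROLES = {"admin", "owner", "reviewer", "manager", "guest"}
ACTIONS = {"view", "add", "edit", "delete", "assess"}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    teams: frozenset = frozenset()           # Team / Function membership
    entities: frozenset = frozenset()        # Entity membership
    business_units: frozenset = frozenset()  # Business Unit membership


@dataclass(frozen=True)
class Item:
    """A CORE element such as a risk or control (constructed for the example)."""
    name: str
    owner: str                     # name of the Owner user
    team: str
    entity: str
    business_unit: str
    assigned: frozenset = frozenset()  # Reviewers/Managers assigned to it


def default_acl(user: User, action: str, item: Item) -> bool:
    """Default ACL: View is unrestricted; other actions are gated by role and
    by ownership or assignment of the specific item."""
    if action not in ACTIONS or user.role not in ROLES:
        raise ValueError("unknown action or role")
    if action == "view":
        return True                          # transparency: everyone can view
    if user.role == "admin":
        return True                          # full access to everything
    if user.role == "owner":
        if action == "add":
            return True                      # owners may add new data
        return item.owner == user.name       # edit/delete/assess only what they own
    if user.role == "reviewer":
        return action in ("edit", "assess") and user.name in item.assigned
    if user.role == "manager":
        return action == "assess" and user.name in item.assigned
    return False                             # guest: read-only


def enhanced_acl(user: User, action: str, item: Item) -> bool:
    """Enhanced ACL as described on this page: Guest view is restricted to their
    entities, a Manager may assess any item of their team, an Owner may edit any
    item of their entity. Anything not widened or narrowed here falls back to the
    default ACL. The prerequisite (at least one Team, Entity and Business Unit per
    user) is enforced up front so a misconfigured user is denied, not silently widened."""
    if not (user.teams and user.entities and user.business_units):
        raise ValueError(f"{user.name}: Enhanced ACL needs a team, entity and business unit")
    if user.role == "guest":
        return action == "view" and item.entity in user.entities
    if user.role == "manager" and action == "assess" and item.team in user.teams:
        return True
    if user.role == "owner" and action == "edit" and item.entity in user.entities:
        return True
    return default_acl(user, action, item)


def can_assign_owner(assigner: User, assignee: User) -> bool:
    """Enhanced ACL: an Owner may assign a new item only to another Owner in a shared team."""
    return (assigner.role == "owner" and assignee.role == "owner"
            and assigner.name != assignee.name
            and bool(assigner.teams & assignee.teams))


# Constructed sample users and items for the demonstration.
ALICE = User("alice", "owner", frozenset({"finance"}), frozenset({"uk"}), frozenset({"retail"}))
BOB = User("bob", "owner", frozenset({"finance"}), frozenset({"uk"}), frozenset({"retail"}))
CAROL = User("carol", "guest", frozenset({"ops"}), frozenset({"uk"}), frozenset({"retail"}))
DAVE = User("dave", "manager", frozenset({"finance"}), frozenset({"de"}), frozenset({"retail"}))
ERIN = User("erin", "guest", frozenset({"ops"}), frozenset({"uk"}))  # no business unit
RISK_UK = Item("liquidity-risk", owner="alice", team="finance", entity="uk", business_unit="retail")
RISK_DE = Item("fx-risk", owner="alice", team="finance", entity="de", business_unit="retail")


def demo() -> dict:
    """Collect a few decisions that differ between the default and Enhanced ACL."""
    return {
        "guest_views_other_entity_default": default_acl(CAROL, "view", RISK_DE),
        "guest_views_other_entity_enhanced": enhanced_acl(CAROL, "view", RISK_DE),
        "manager_assesses_team_item_default": default_acl(DAVE, "assess", RISK_UK),
        "manager_assesses_team_item_enhanced": enhanced_acl(DAVE, "assess", RISK_UK),
        "owner_edits_entity_item_default": default_acl(BOB, "edit", RISK_UK),
        "owner_edits_entity_item_enhanced": enhanced_acl(BOB, "edit", RISK_UK),
    }


if __name__ == "__main__":
    for rule, decision in demo().items():
        print(f"{rule}: {decision}")
```

The deny-by-default structure matters: every branch that is not explicitly widened by an Enhanced toggle falls through to the default ACL, and a user missing one of the three attributes raises rather than being treated as a member of every team.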