This document applies to IriusRisk versions >= 2.0.0
Access to features and products is controlled through product ownership, permissions, roles, and custom workflow permissions.
The model used by IriusRisk is a Role Based Access Control type 0 without hierarchies and inheritance.
The users are assigned with Roles these roles gather sets of individual permissions that are added one to each other. To access an specific product (i.e.) the user has to have a role that allow the desired access and the product has to be on the same group as the user (or the user to be the owner of the product).
Roles & Permissions
Ultimately permissions control access to features within IriusRisk. Permissions can be grouped together into Roles. IriusRisk includes a default set of roles that can be modified or deleted. Conceptually, permissions are grouped into Product Permissions and Global Permissions. Product Permissions grant or revoke access to features within a given product, for example accepting the risk, updating the product details or answering the questionnaire. Global Permissions grant or revoke access to features not related to specific products, for example adding users, editing templates or managing access controls. In addition to this conceptual difference, Product Permissions can also be overridden using workflow permissions.
Roles and permissions are defined in the Roles tab:
The Global Permission "PRODUCTS_LIST_ALL" grants the user access to all products on the system. Without this permission, the user only has access to products within their own business unit. In addition to this default behaviour, both individual users and business units can be assigned to any product from the Ownership tab on the product details pane.
Product ownership determines whether a given user has access to a product and Product Permissions control which operations the user can perform on the given product. Workflow permissions allow you to set custom permissions based on the workflow state of the product. Custom permissions can be set from the Workflow tab and are defined on each workflow state:
In the example above, the workflow state "started" and "approved" both use the default Product Permissions defined on the Roles tab. The "reviewed" state has a custom set of permissions which override the default permissions when the product moves into this workflow state. An example use case for this could be to allow the development team to answer the questionnaires and update the architecture during one state, but then prevent the team from modifying the architecture when the product has moved into the next state.