Purpose - The purpose of this article is to provide additional clarification around IriusRisk Roles, Permission Sets, and Business Units.
Key Terms & Overview -
- Permission Set - The collective set of permissions assigned within IriusRisk. A set consists of Global permissions (affecting navigation and operation of the UI), Project permissions (affecting access within projects) and Custom Field permissions (affecting the custom fields the customer has created in the tenant).
- Roles - A collection of permission sets, organized by the role or job expectation of the end user, that allows that user to perform their assigned tasks within the application.
- Business Unit - A collection of assigned users, used to determine visibility of the threat models or projects assigned to that unit within IriusRisk.
The relationship between users, roles, permission sets, and business units is demonstrated in the below graphic.
IdP roles are mapped to IriusRisk roles through the SAML configuration (if enabled). If SAML is not enabled, roles are set up in the application interface. Each user is then assigned a role and a business unit (BU). The role determines the permission sets (Global, Project, & Custom) and the business unit determines visibility into threat model projects. Users may be assigned multiple roles and business units depending on need; the effective permissions are those granted by all assigned roles, and the visible projects are those reachable through any assigned business unit.
The image below shows a user with two assigned business units and several roles assigned to their profile.
Recommended Process - Generally speaking, IriusRisk recommends the following process for the setup and configuration of Users, Permission Sets, Roles, and Business Units.
- In IriusRisk, define the types of roles that will be assigned to end users. Out of the box, IriusRisk comes preconfigured with 14 roles. Selecting each role will reveal the permission sets assigned to this role (Global, Project, & Custom).
- If a preconfigured role or a combination of roles does not meet your immediate needs, additional roles can be created with custom permission sets and then those roles can be assigned to users.
- There are no preconfigured business units in IriusRisk. Business Units should be configured based upon groups that will need to have visibility on select projects. If a business unit has not been assigned, each user will need to be assigned individually to the project for visibility.
- Configure IdP integration to provision user access to IriusRisk using SAML 2.0 authentication. The SAML configuration provides the mappings from IdP roles and user groups into IriusRisk roles and business units, so role and business unit membership follows the IdP rather than being maintained by hand.
- Additional permissions can be granted or revoked from within the workflow module, where "Custom" permissions can be applied to each role within each workflow state. Navigate to the workflow tab and select a workflow state. Scroll down to the bottom of that workflow state and select "Custom". Select "Apply Changes" on the top left; you will then be able to apply custom permissions to each role at the Project and Custom field levels. Global permission sets cannot be changed from a workflow state; they can only be altered in the User & Permissions section inside the control panel.
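The following is an added example, written for this article and not IriusRisk's own code, that models the access relationships described above: IdP group values mapped to roles and business units, business units (or an individual project assignment) gating visibility, effective permissions computed as the union of all assigned roles, and workflow-state overrides that can add or revoke Project and Custom field permissions but never Global ones. The permission names, the IdP group names, the roles "Developer" and "Security Champion", and the rule that a workflow-state revoke applies only to the role it was set on are all assumptions made for illustration.

```python
"""Illustrative model of roles, permission sets, business units and workflow-state
overrides. Written for this article; not IriusRisk code. Names and precedence
rules are assumptions."""
from dataclasses import dataclass

GLOBAL, PROJECT, CUSTOM = "global", "project", "custom"
# Only Project and Custom field permissions may be changed per workflow state;
# Global permission sets are managed in User & Permissions.
OVERRIDABLE = {PROJECT, CUSTOM}


@dataclass(frozen=True)
class Role:
    name: str
    perms: dict  # scope -> frozenset of permission names


@dataclass
class User:
    name: str
    roles: tuple
    business_units: frozenset
    direct_projects: frozenset = frozenset()  # per-project assignment when no BU fits


@dataclass(frozen=True)
class Project:
    name: str
    business_units: frozenset
    workflow_state: str


# Assumed role definitions (permission names are illustrative).
ROLES = {
    "Developer": Role("Developer", {
        GLOBAL: frozenset({"view_dashboard"}),
        PROJECT: frozenset({"view_threats", "update_countermeasure"}),
        CUSTOM: frozenset({"view_custom_fields"})}),
    "Security Champion": Role("Security Champion", {
        GLOBAL: frozenset({"view_dashboard", "manage_library"}),
        PROJECT: frozenset({"view_threats", "sign_off_review"}),
        CUSTOM: frozenset({"view_custom_fields", "edit_custom_fields"})}),
}

# Assumed SAML mapping: IdP group attribute value -> (roles, business units).
IDP_GROUP_MAP = {
    "app-developers": ({"Developer"}, set()),
    "sec-champions": ({"Security Champion"}, set()),
    "bu-payments": (set(), {"Payments"}),
    "bu-mobile": (set(), {"Mobile"}),
}


def provision_from_idp(name, idp_groups, roles_by_name=ROLES):
    """Build a user from IdP groups; unmapped groups grant nothing."""
    roles, bus = set(), set()
    for group in idp_groups:
        r, b = IDP_GROUP_MAP.get(group, (set(), set()))
        roles |= r
        bus |= b
    return User(name, tuple(roles_by_name[r] for r in sorted(roles)), frozenset(bus))


def can_see(user, project):
    """Visible if a shared business unit exists, or the user was assigned directly."""
    return bool(user.business_units & project.business_units) \
        or project.name in user.direct_projects


def add_workflow_override(overrides, state, role_name, scope, grant=(), revoke=()):
    """Record a per-state, per-role Project/Custom adjustment. Global is rejected."""
    if scope not in OVERRIDABLE:
        raise ValueError("Global permissions cannot be changed from a workflow state")
    overrides.setdefault((state, role_name), {})[scope] = (set(grant), set(revoke))


def effective_permissions(user, project, overrides):
    """Union of all roles' permissions after the current state's overrides.
    Returns None when the project is not visible to the user at all."""
    if not can_see(user, project):
        return None
    eff = {GLOBAL: set(), PROJECT: set(), CUSTOM: set()}
    for role in user.roles:
        eff[GLOBAL] |= role.perms.get(GLOBAL, frozenset())  # never overridden here
        state_ov = overrides.get((project.workflow_state, role.name), {})
        for scope in OVERRIDABLE:
            grant, revoke = state_ov.get(scope, (set(), set()))
            eff[scope] |= (role.perms.get(scope, frozenset()) | grant) - revoke
    return {scope: frozenset(p) for scope, p in eff.items()}


# Constructed sample data.
OVERRIDES = {}
# Assumed policy: while a project is "In Review", developers may not edit countermeasures.
add_workflow_override(OVERRIDES, "In Review", "Developer", PROJECT,
                      revoke={"update_countermeasure"})
ALICE = provision_from_idp("alice", ["app-developers", "sec-champions",
                                     "bu-payments", "bu-mobile"])
BOB = User("bob", (ROLES["Developer"],), frozenset({"Mobile"}),
           direct_projects=frozenset({"core-auth"}))
CHECKOUT = Project("checkout-api", frozenset({"Payments"}), "In Review")
WALLET = Project("ios-wallet", frozenset({"Mobile"}), "Draft")
CORE = Project("core-auth", frozenset({"Core"}), "Draft")
```

Note the two design points that matter in practice: a user with several roles gets the union of their permissions, so a revoke placed on one role in a workflow state does not remove a permission another of the user's roles still grants; and a project in a business unit nobody is assigned to is invisible unless users are added to it individually, as the list above describes.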