Managing Risk Manager roles

Roles determine who can view and act on the objects in Risk Manager. Roles are associated with library objects such as risks, controls, processes and objectives. They represent the permissions needed to view and act on the library objects.

Understanding role permissions

In the Risk Manager app, permissions are associated with roles, which can then be assigned to all users in a group, or individual users. When users are given permission to interact with an object, they are given permission to perform up to four actions on that object:

  • Create
  • Read
  • Update
  • Delete

Depending on your organization's configuration, the roles available in your organization may vary. For help configuring roles in your organization, contact your Diligent representative.

Each of the following permissions is set to true or false on a role:

Permission association: Organization-wide
Permissions:
  • Manage asset types
  • Manage roles
    • This permission is automatically granted to System Admins with Professional subscriptions.
  • Manage workflows

Note

"Manage" permissions include full create, read, update, and delete permissions. However, because roles cannot be deleted, the "Manage roles" permission doesn't allow users to delete existing roles.

Permission association: Specific to asset type
Permissions:
  • Create risk or control
  • Delete risk or control
  • Read risk or control section based on workflow status (can be configured to include all risks and controls, all sections, and all statuses)
  • Update risk or control section based on workflow status (can be configured to include all risks and controls, all sections, and all statuses)

Interactions between permissions

Certain combinations of permissions are necessary for roles to function properly.

  • If a user is assigned more than one role, their effective permissions are the union of all their roles. In other words, if one role grants permission to perform an action and another role lacks it, the user can still perform that action.
  • If a user has permission to delete an object, they must also have permission to read that object so they can see what they're deleting.
  • It is possible to have permission to create an object but not read it (similar to responding to a survey but being unable to see your responses after submitting).
  • If a user has permission to delete a parent object, they can also delete all the child objects along with the parent, even if they don't have permission to delete the child objects on their own.

Managing roles

To get the roles in your organization configured, contact your Diligent representative. A System Admin can then assign the roles to groups and users.

Assigning roles to groups and an individual user

While you can assign roles directly to users, we recommend that you assign roles to groups. You can then add users to these groups and manage their permissions. Later, if you want to change permissions, do one of the following:

  • Change the role's permissions. The change applies automatically to all members of all groups associated with that role.
  • Add or remove a user from a group. This changes the user's permissions without having to add or remove individual permissions for them.

Users can belong to multiple groups, and groups can be assigned multiple roles. For more information, see Adding and managing groups.
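The interaction rules above (permissions are the union of all roles held; delete requires read; create without read is allowed; deleting a parent removes its children) and the recommended users-to-groups-to-roles assignment are easy to misread, so here is an added worked model of them in Python. It is an illustration written for this page, not Diligent's code or API: the `Role`, `Group` and `LibraryObject` types, the function names, and the sample users, groups, asset types and objects are all constructed for the example.

```python
"""Added illustration (not Diligent's code) of how Risk Manager permissions combine.

Hypothetical names: Role, Group, LibraryObject, effective_permissions(),
validate_role(), cascade_delete(). All sample data below is constructed.
"""
from dataclasses import dataclass, field

ACTIONS = ("create", "read", "update", "delete")


@dataclass
class Role:
    name: str
    # Set of (asset_type, action) pairs the role grants (true values);
    # anything absent is false.
    grants: set = field(default_factory=set)


@dataclass
class Group:
    name: str
    roles: list = field(default_factory=list)
    members: set = field(default_factory=set)


@dataclass
class LibraryObject:
    obj_id: str
    asset_type: str
    children: list = field(default_factory=list)


def effective_permissions(user, groups, direct_roles=()):
    """Union of every role the user holds via group membership or directly.

    A permission granted by any one role is enough; a role that lacks it never
    subtracts it (the 'more than one role' rule on the page).
    """
    perms = set()
    for group in groups:
        if user in group.members:
            for role in group.roles:
                perms |= role.grants
    for role in direct_roles:
        perms |= role.grants
    return perms


def can(perms, asset_type, action):
    return (asset_type, action) in perms


def validate_role(role):
    """Flag a delete grant that is not paired with read on the same asset type.

    Create without read is deliberately allowed (the survey case on the page).
    """
    problems = []
    for asset_type, action in sorted(role.grants):
        if action == "delete" and (asset_type, "read") not in role.grants:
            problems.append(f"{role.name}: delete on {asset_type} requires read on {asset_type}")
    return problems


def cascade_delete(perms, obj):
    """Return the ids removed when obj is deleted, or [] if obj cannot be deleted.

    Children go with the parent regardless of the user's permission on the
    child's asset type (the parent/child rule on the page).
    """
    if not can(perms, obj.asset_type, "delete"):
        return []
    removed = [obj.obj_id]
    stack = list(obj.children)
    while stack:
        child = stack.pop()
        removed.append(child.obj_id)
        stack.extend(child.children)
    return removed


# Constructed sample roles, groups and objects.
RISK_EDITOR = Role("Risk editor", {("risk", "create"), ("risk", "read"), ("risk", "update")})
RISK_DELETER = Role("Risk deleter", {("risk", "read"), ("risk", "delete")})
SURVEY_RESPONDER = Role("Survey responder", {("control", "create")})  # create without read
BROKEN_ROLE = Role("Broken", {("control", "delete")})  # delete without read: invalid

RISK_TEAM = Group("Risk team", roles=[RISK_EDITOR], members={"alice", "bob"})
RISK_ADMINS = Group("Risk admins", roles=[RISK_DELETER], members={"alice"})
GROUPS = [RISK_TEAM, RISK_ADMINS]

RISK_R1 = LibraryObject("R1", "risk", children=[LibraryObject("C1", "control")])


if __name__ == "__main__":
    alice = effective_permissions("alice", GROUPS)
    bob = effective_permissions("bob", GROUPS)
    print("alice can delete risk:", can(alice, "risk", "delete"))   # True (via Risk admins)
    print("bob can delete risk:", can(bob, "risk", "delete"))       # False
    print("broken role problems:", validate_role(BROKEN_ROLE))
    print("alice deleting R1 removes:", cascade_delete(alice, RISK_R1))
```

Running the module prints the effective permissions for two constructed users: alice holds both group roles, so the delete grant from one role is not cancelled by the other role lacking it, and deleting the risk R1 also removes its child control C1 even though alice has no delete grant on controls. `validate_role` is the check an administrator would want before a role goes live, since a delete-without-read role cannot function as the page describes.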

Assigning roles

Assign Risk Manager roles to groups and users in your organization.

  1. Open Launchpad.

    Note

    If your company uses more than one instance in Diligent One, make sure the appropriate instance is active.

  2. Select Platform Settings > Users.

    If you do not see Users as an option, the account you used to sign in does not have Admin privileges.

  3. Click the Assets roles tab.
  4. Click Assign. The Assign role panel appears.
  5. In the Role list, select the role you want to assign.
  6. Click Select groups or users and select all the groups and users you want to assign the role to.
  7. Click Assign. The assigned groups and users appear in the Assets roles table under the role you assigned them.

Unassigning roles

You can permanently unassign an individual role or multiple roles from the Assets roles table.

  • Unassign an individual role: On the Assets roles table, select the Delete button next to the user whose role you want to unassign, and then select Unassign in the confirmation dialog that appears.
  • Unassign multiple roles: On the Assets roles table, select the checkboxes next to the groups or users you want to unassign, select Unassign: #, and then select Remove in the confirmation message that appears.