Reference: Isora GRC Comprehensive Capabilities & Permissions

10 min read

In Reference: Roles and Capabilities the various types of user accounts are discussed, along with an overview of their various capabilities. In this document, we will delve into greater detail about the capabilities of different user types and roles, with respect to different functional aspects of Isora GRC.

💡
Remember: All roles are on a per-unit basis. An individual user may have roles in multiple units, or multiple roles within the same unit. A superuser may also have roles, but their capabilities won’t be limited by their assigned roles.
💡
Related API calls are also provided in the tables below; GET, POST, PATCH, PUT and DELETE are common HTTP methods used to interact with resources:
  • GET: Retrieves data from the server. It’s used to fetch information without making any changes.
  • POST: Submits new data to the server, often used to create new records or resources.
  • PATCH/PUT: Updates or modifies an existing resource partially (e.g., changing just one field).
  • DELETE: Removes an existing resource from the server.

For more information about how to interact with Isora GRC using its API, check out

Third-Party Vendor Product Capabilities

Inventory and Assessments

Vendors

SuperuserAssessment ManagerIT StaffVendor RequesterUnit HeadUserAuditor(No role)
View (GET)AllAllAllAllAllAll - List view but not detailAll - List view but not detailAll - List view but not detail
Create (POST)YesYesYesYesYesNoNoNo
Modify (PATCH)AllAllAllAllAllNoNoNo
Remove (DELETE)AllNoNoNoNoNoNoNo

Products

SuperuserAssessment ManagerIT StaffVendor RequesterUnit HeadUserAuditor(No role)
View (GET)AllAllAllAllAllAll- List view but not detailAll- List view but not detailAll- List view but not detail
Create (POST)YesYesYesYesYesNoNoNo
Modify (PATCH)AllAll^1All^1All^1All^1NoNoNo
Remove (DELETE)AllNoNoNoNoNoNoNo

Product Documents

SuperuserAssessment ManagerIT StaffVendor RequesterUnit HeadUserAuditor(No role)
View (GET)AllAllAllAllAllNoNoNo
Create (POST to documents + PATCH product)AllAllAllAllAllNoNoNo
Remove (DELETE)AllAllAllAllAllNoNoNo

Product Deployments

SuperuserAssessment ManagerIT StaffVendor RequesterUnit HeadUserAuditor(No role)
View (GET)AllMy unitMy unitMy unit- only from New Assessment Intake stepMy unitAll- List view but not detailAll- List view but not detailAll- List view but not detail
Modify (PATCH)AllMy unitMy unitMy unit^1My unitNoNoNo
Remove (DELETE)AllMy unitMy unitMy unitMy unitNoNoNo

Third-Party Vendor Assessments

SuperuserAssessment ManagerIT StaffVendor RequesterUnit HeadUserAuditor(No role)
View Completed (“reports”) (GET)AllAll shared^2 + My unit privateAll shared^2 + My unit privateAll shared^2 + My unit privateAll shared^2 + My unit privateAll shared^2 + My unit privateAll shared^2All shared^2
View (GET) ACTIVEAllMy unitMy unitMy unitMy unitNoMy unitNo
Create (POST)AllMy unitMy unitMy unitNoNoNoNo
Edit Active or Published (PATCH)All active / publishedMy unit active / My unit published- can launchMy unit active / My unit published- can launchMy unit active / My unit published- can launchNoNoNoNo
Remove (DELETE)All^3My unit activeMy unit activeMy unit activeMy unit activeNoNoNo

^1Some functionality is currently broken in the GUI and is in the process of being fixed.

^2Some reports are viewable in the list but result in a File Not Found error when you attempt to view them. This is a known issue in the process of being fixed.

^3Only active or published can be removed from the Assessments page, but it is possible for superusers to remove completed assessments using the API or from the Assessments area of the Settings page.

Application Capabilities

Inventory and Assessments

Applications

SuperuserAssessment ManagerIT StaffVendor RequesterUnit HeadUserAuditorApplication Delegate (named owner)(No role)
View (GET)AllMy unitMy unitNoMy unitNoNo^2MineNo
Create (POST)Yes (any unit)Yes (any unit)^1Yes (any unit)^1Yes (any unit)^1Yes (any unit)^1Yes (any unit)^1Yes (any unit)^1Yes (any unit)^1Yes (any unit)^1
Modify (PATCH)AllMy unitMy unitNoMy unitNoNoMineMy unit
Remove (DELETE)AllMy unitMy unitNoMy unitNoNoMineNo

Application Documents

SuperuserAssessment ManagerIT StaffVendor RequesterUnit HeadUserAuditorApplication Delegate (named owner)
View (GET)AllMy unitMy unitNoMy unitNoNo^2Mine
Create (POST to documents + PATCH application)AllMy unitMy unitNoMy unitNoNoMine
Remove (DELETE)AllMy unitMy unitNoMy unitNoNoMine

Application Assessments

SuperuserAssessment ManagerIT StaffVendor RequesterUnit HeadUserAuditorApplication Delegate (named owner)
View (GET)AllMy unitMy unitNoMy unitNoNo^2Mine active
Create (POST)YesMy unitNoNoNoNoNoNo
Launch (PATCH)AllMy unit^3NoNoNoNoNoNo
Enrich (PATCH)AllMy unitMy unitNoMy unit^4NoNoMine
Answer/Lock/Unlock Questions (PATCH)AllMy unitMy unitNoNoNoNoMine
Acknowledge questions / Final acknowledge (PATCH)AllMy unitNoNoNoNoNoNo
Remove (DELETE)AllMy unit^5NoNoNoNoNoNo

^1This is a known issue which will be corrected soon. Assessment Managers and IT Staff should be able to create applications that are assigned to their units only.

^2Auditors should have view-only access to applications and application assessments for their units; this is a known issue under development.

^3Assessment managers can currently only launch at creation time; they should also be able to launch published application assessments (this is a known issue under development).

^4This is probably a bug.

^5They can do it from the API but not in the GUI.

Unit-Related Capabilities

Settings

Units

SuperuserAssessment ManagerIT StaffVendor RequesterUnit HeadUserAuditor(No role)
View (including permissions) (GET)AllAllAllAllAllAllAllAll
Create (POST)YesNoNoNoNoNoNoNo
Edit Unit Details (PUT)AllNoNoNoNoNoNoNo
Add / Remove Permissions (PUT)AllMy unitNoNoNoNoNoNo
Remove (DELETE)AllNoNoNoNoNoNoNo

People-Related Capabilities

Settings

People

SuperuserAssessment ManagerIT StaffVendor RequesterUnit HeadUserAuditor(No role)
View (including permissions) (GET)AllAllAllAllAllAllAllAll
Create (POST)YesNo*NoNoNoNoNoNo
Edit (PUT)All users all fieldsAll - Enable New UI field/ Add permissions to my unit; Self- Password/ Enable New UI fieldsSelf- Password/ Enable New UI fieldsSelf- Password/ Enable New UI fieldsSelf- Password/ Enable New UI fieldsSelf- Password/ Enable New UI fieldsSelf- Password/ Enable New UI fieldsSelf- Password/ Enable New UI fields
Remove (DELETE)AllNoNoNoNoNoNoNo

*Except via LDAP add user by delegation.

Locations-Related Capabilities

Settings

Locations

SuperuserAssessment ManagerIT StaffVendor RequesterUnit HeadUserAuditor(No role)
View (including permissions) (GET)AllAll Non-confidentialAll Non-confidentialAll Non-confidentialAll Non-confidentialAll Non-confidentialAll Non-confidentialAll Non-confidential
Create (POST)YesNoNoNoNoNoNoNo
Edit (PUT)AllNoNoNoNoNoNoNo
Remove (DELETE)AllNoNoNoNoNoNoNo

Unit Assessment Capabilities

Unit Assessments

SuperuserAssessment ManagerIT StaffVendor RequesterUnit HeadUserAuditorAsset DelegateQuestion Delegate(No role)
View Active and Published (GET)AllMy unitMy unitNoMy unitNoMy unitDelegated ACTIVE^1Delegated ACTIVENo
View Completed (reports) (GET)AllMy unitMy unitNoMy unitNoMy unitNoNoNo
Create (POST)Yes - any unit(s)NoNoNoNoNoNoNoNoNo
Launch (PATCH)All editableMy unitNoNoNoNoNoNoNoNo
Update Question Responses (PUT)AllMy unitMy unitNoNo- but can see them and comment for my unitNoNo- but can see them and comment for my unitNoYes- delegated to meNo
Delegate Question Category (POST)AllMy unitNoNoNoNoNoNoNoNo
Enrich (POST)AllMy unitMy unitNoMy unit^2NoNoYes- my assetsNoNo
Ack / Unack Survey Questions (PATCH)AllMy unitNoNoNoNoNoNoNoNo
Ack / Unack Asset Enrichments (PATCH)AllMy unitNoNoNoNoNoNoNoNo
Pre-final Ack / Unack Survey (PATCH)AllMy unitNoNoNoNoNoNoNoNo
Final Ack (PATCH)AllNoNoNoMy unitNoNoNoNoNo
Update Question Snapshots (PATCH)All if applicableNoNoNoNoNoNoNoNoNo
Remove Published / Active (DELETE)AllNoNoNoNoNoNoNoNoNo
Remove Completed (Reports) (DELETE)All^3NoNoNoNoNoNoNoNoNo

^1There is a known issue with which surveys and which parts of the surveys asset delegates currently can see.

^2This might be a bug.

^3Superusers can do this through the API only, not through the GUI.

Asset Inventory Capabilities

💡
Every sheet has exactly one owning unit. It is also possible for individual people to be named as a sheet owner. Additionally, both people and units can be asset delegates. An asset delegate is a person or unit named as an Owner, IT Contact or User of a specific asset. In general, assets should reside on the sheets belonging to the units that are responsible for those assets. Keep in mind that for the purposes of assessment, it is the SHEET that determines where an asset gets assessed. When a unit is assessed with asset enrichment included, all assets on sheets belonging to that unit will be included in the assessment for that unit, regardless of whether other units may be named as an asset delegate.

Assets

Assuming the unit or individual owns the sheet.

SuperuserAssessment ManagerIT StaffVendor RequesterUnit HeadUserAuditorSheet Owner (no role)
View (GET)All assets on all sheets belonging to all unitsMy unitMy unitNoMy unitNoMy unitMy sheet
Create (POST)YesMy unitMy unitNoMy unitNoNoMy sheet
Edit Asset (PATCH)AllMy unitMy unitNoMy unitNoNoMy sheet
Remove (DEL)AllMy unit1^11My unit1^11NoMy unit1^11NoNoMy sheet

Assets

Assuming the unit or individual is a delegate for the asset but not the sheet.

SuperuserAssessment ManagerIT StaffVendor RequesterUnit HeadUserAuditorAsset Owner/User/IT Contact (no role)
View (GET)AllYes - my unit (they won’t see other assets on the sheet)Yes - my unit (they won’t see other assets on the sheet)NoYes - my unit (they won’t see other assets on the sheet)NoNo^2My assets (they won’t see other assets on the sheet)
Create (POST)YesNoNoNoNoNoNoNo
Edit (PATCH)AllNoNoNoNoNoNoNo
Remove (DEL)AllNoNoNoNoNoNoNo

Sheets

SuperuserAssessment ManagerIT StaffVendor RequesterUnit HeadUserAuditorSheet Owner (no role)
View Sheets (GET)AllMy unit owns the sheet or it has an asset on it belonging to my unit.My unit owns the sheet or it has an asset on it belonging to my unit.NoMy unit owns the sheet or it has an asset on it belonging to my unit.NoNoMy sheets
Create Sheet (POST)Yes- for all unitsYes- for all unitsYes- for all unitsYes- for all unitsYes- for all unitsYes- for all unitsYes- for all unitsYes- for all units
Modify Sheet (PUT)AllMy unitMy unitNoMy unitMy unitMy unitMy sheet
Remove Sheet (DEL)AllMy unitMy unitNoMy unitMy unitMy unitMy sheet

NOTE: Asset capabilities are under review and changes are likely coming soon.

^1They can remove individual assets from the sheet or delete all assets on the sheet by removing the sheet itself.

^2There is a known issue where Auditors can see the sheet but not the asset(s).

Compliance-Related Capabilities

Non-superusers can only link exception requests to assets on sheets belonging to their unit or applications belonging to their unit.

Exception Requests

SuperuserAssessment ManagerIT StaffVendor RequesterUnit HeadUserAuditorRisk AssessorRisk Auditor
View (GET)AllMy unitMy unitNo1^11My unitNo1^11NoNoNo
Create (POST)Yes - all unitsMy unitMy unitNoMy unitNoNoNoNo
Update Request (if editable) (PUT)AllMy unitMy unitNoMy unitNoNoNoNo
Edit Status (PUT)AllNoNoNoNoNoNoNoNo
Remove (DEL)AllMy unit2^22My unit2^22NoMy unit2^22NoNoNoNo

Risk Scores

SuperuserAssessment ManagerIT StaffVendor RequesterUnit HeadUserAuditorRisk AssessorRisk Auditor
View (GET)AllNoNoNoMy unitNoNoMy unitMy unit
Create (POST)Yes- all unitsNoNoNoMy unitNoNoMy unitNo
Edit (PATCH)AllNoNoNoMy unitNoNoMy unitNo
Remove (DEL)AllNoNoNoMy unitNoNoMy unitNo

^1Currently they can see it but they shouldn’t be able to; this is a known issue and will be fixed soon.

^2Probably should not be able to delete them once they are outside of the Requested status.

Related articles
Did this answer your question?