Reference: Roles and Capabilities


This page contains information about the roles and capabilities of each type of user account in Isora GRC.

  1. Ordinary Users
  2. Superusers
  3. Service Accounts

Ordinary Users

Each person defined to Isora GRC can be associated with one or more units (previously referred to as organizational units or OUs). For each unit a person is involved with, the person has a role within the unit. The following table summarizes the capabilities of each role.

Role | Capabilities (for a given Organizational Unit)
--- | ---
Organizational Unit Head | Can give final acknowledgement of a unit survey; can see all completed organizational assessments (including those of child OUs); can view shared completed vendor assessments from other units; can view and edit risk scores for their unit
Assessment Manager | Can launch surveys; can view completed assessments and answer survey questions; can delegate unit questions (and add users via delegation) and assign hosts to users; can view all permissions and assign permissions to other users; can edit sheets; can create, launch and acknowledge app assessments; can create, launch, acknowledge and view vendor assessments; can view shared completed vendor assessments from other units; can create vendor products; can create and edit product deployments for their unit
IT Staff | Can view reports and answer survey questions; can assign hosts to users (and add users to Isora GRC via delegation); can edit sheets; can create, edit, launch, acknowledge and view vendor assessments; can view shared completed vendor assessments from other units; can create third-party vendor products; can create and edit product deployments for their unit
Vendor Requestor | Can create, edit, launch, acknowledge and view their own third-party vendor product assessments for their unit only; can view shared completed third-party vendor product assessments from other units; can create third-party vendor products
Risk Assessor | Can view, create and edit risk register entries for their unit
Risk Auditor | Can view risk register entries for their unit
User | Can view and create exception requests for their unit, for hosts for which they are Owners, Users and/or IT Contacts
Auditor | Has read-only access to everything for the given unit (NOTE: the Auditor role is under development)
(no role assigned) | Can categorize hosts that belong to them; can answer any unit questions that have been delegated to them; can create sheets, and edit sheets that belong to them (irrespective of organizational unit); can answer questions about applications which they own; can view completed shared vendor assessments
Guest (not a role in Isora GRC, but a person accessing a third-party vendor product survey via a shared link) | Can view and answer questions on a third-party vendor product survey; can acknowledge a third-party vendor product survey

Superusers

In addition to ordinary persons, Isora GRC must have at least one administrative person defined. This is indicated by the “superuser” attribute. Initially, Isora GRC is set up with at least one superuser defined. A superuser can do everything encompassed by all of the ordinary person roles, and much more: any superuser can do everything in Isora GRC, in every unit. The following table summarizes what superusers can do (in addition to all the things ordinary users can do):

Designation | Capabilities (not limited by Organizational Unit)
--- | ---
superuser | Can view, edit, add or remove people, units and permissions, sheets and hosts; can view, edit, add or remove all question objects; can create, edit or remove assessments; can edit or remove vendor product entries; can create, edit or remove vendor product statuses (via API); can perform all other actions in Isora GRC, including assigning the superuser attribute to other user accounts

Although it is possible to assign individual roles to a superuser, it’s not required.

Service Accounts

Any user that you create in Isora GRC may be designated as a “service account” using a checkbox. A service account should be used for any non-person entity that needs to access Isora GRC. Like an ordinary person, a service account may have roles in units assigned to it. No remote authorization checks are performed for service accounts. Although it is possible to authenticate a service account locally, by specifying a local password, or remotely via LDAP, it is not typical for a service account to log into the Isora GRC web interface. Service accounts should access Isora GRC through the API, using a token for authorization. You can learn more about the API in the API Guide.
