3 - Role-based Access Control (RBAC)

3 - Role-based Access Control (RBAC)

Role-based access control in Diri


Diri allows for tailoring accesses based on roles. RBAC is an approach to restricting system access to authorized users.  RBAC mechanisms are defined around roles and privileges.  RBAC makes it easy to assign permissions based on role and is a simple way to limit access to that necessary to perform user assignments. RBAC can be used to facilitate administration of security in large organizations with hundreds of users and thousands of permissions.

RBAC allows for different roles, such as read only roles for auditors and management, and will helps to improve both the integrity and confidentiality of data in Diri.


Key points

  1. Access control settings on objects are accessed via the man and padlock symbol
  2. The "V" sign at the left of a functionality indicates that there are more options to be managed for this specific setting.
  3. Be aware that some priviledges require other privileges to function, such as "Copy" a risk assessment also requires "Create New" privileges to function. 

Accessing the RBAC

The RBAC is only visible to administrators and can be accessed via "Users" in the main menu. Opening the users menu will give access to two tabs, one for administrating users and another for Access control:

The tab for accessing RBAC in the Users menu.


Create your own roles with tailored authorizations.

The downward-pointing V indicates that there are additional settings that you can manage:


Accessing the settings for each role

Settings in the RBAC

There are four basic accesses that a user can have in the RBAC:
  1. Read all - The user has access to read-only access to all objects of the type in the organisation.
  2. Edit all - The user has all priviledges for all objects of the type in the organisation. He can read, edit, create and delete.
  3. Create new - The user can create new objects of the type and edit them. A user that creates an object also has all the default rights to it regardsless of role.
  4. Delete all - The user has access to delete all of the objects of the type in the organisation.
Some of the object types also have specific settings which are described in the text below.

Settings for Risk Assessments

You can choose settings for all the risk assessment types in Diri.  Expanding the menu provides access to specific authorizations for the object:

Access control options for the risk assessments are identical for IT systems, Organizational, and Problem risk assessments.

Options that are controlled via RBAC:
  1. The "Copy risk assessment" option.
  2. Private risk assessments become visible in the risk assessments overview and the option "Request access to private" determines who can ask for access.
  3. Signing treatment plans should be reserved for those with decision-making authority, such as risk owners, system owners, and other leaders.

Object ownership and access control for Risk assessments

Furthermore, ownership of risk assessments is set using RBAC and managed on the object level.  An object in Diri is a risk assessment, survey, or treatment. The access rights of the risk assessments can be controlled directly in Diri through the option in the upper right corner of the risk assessment dashboard:

Access control on a risk assessment object with read/write per user.

The above picture shows generic sharing settings for risk assessments with possibilities for sharing internally in the organisation or publicly. Giving access to the "Entire organization" in this context means to make the risk assessment visible to every user on your organizational level and below in the organizational hierarchy. "Public outside the organization" means to make it visible to every registered Diri user in the instance.

"Share with email" means that you give access to the risk assessment to specific users in Diri. Adding a user to your risk asessment provides read and write options, if none of these boxes are checked the access control will default to the users original role in Diri.

Access control options for the "Shared with" functionality for a risk assessment

Settings for Users

"Users" in this context refers to the option in the main menu and the associated options. The available options refer to the tabs for access to ther Users in Diri and the Access Control system.

Access control options for users

Settings for Treatments

Treatments exist as their own independent objects in Diri. This option refers to treatments available in the main menu which lists the treatments (risk controls) available in the organisation.

Access control settings for treatments

"Treatment without owners" controls access to proposed treatments without owners.

Object ownership and access control for Treatments

"Edit owner and sharing" refers to the access control on the treatment object, accessing a treatment in the Treatment list will now display the following:

Option for accessing the Access control settings on a treatment

Opening the access control settings will provide the following display:

Access control options for treatments (Risk controls)

Giving access to the "Entire organization" in this context means to make the treatment visible to every user on your organizational level and below in the organizational hierarchy.

"Share with email" means that you give access to the treatment to specific users in Diri. Adding a user to your treatment provides read and write options, if none of these boxes are checked the access control will default to the users original role in Diri.

Sharing treatments with other Diri users

Ticking off the options for "Make available to the public" will open a second row which allows you to share the assessment "publicly", meaning that everyone with a user in the Diri application will be able to see the system.

Making a treatment "Public outside of organization" means that all users in the Diri instance can see it.

Settings for Tasks

"Tasks" refers to the option in the main menu. There are no specific settings for tasks beyond classic read, edit, create, and delete all:

Access control settings for tasks.

Settings for Organisation

"Organisation" refers to the option in the main menu for the organisational hierarchy. This setting has some additional options for access control:

Options for controlling access in organisation


Surveys

"Surveys" refers to the option in the main menu. This setting has two specific options for access control:

Options for controlling access to surveys

Object ownership and access control for Surveys

The two extra options is for editing ownership and sharing surveys with others and answering surveys. The access control of specific survey objects is managed through the main functionality:


Access control configuration of surveys

"Add coowner"
means that you give access to the survey to specific users in Diri with editing rights.

Ticking off the Sharing option as:
  1. Publc allows you to share the assessment "publicly", meaning that everyone with a user in the Diri application will be able to see the system.
  2. Organisation makes it visible for your organisation and under.
Access dictates which part of the organisation should see the survey.

Settings

Settings refers to the option in the main menu for the settings. This setting allows the user to read and edit the options in the main settings for your organisation:

Access control options for the Diri main Settings and configuration.

Predefined and inherited Roles in Diri

Administrator

The administrator has all the rights in Diri by default. Meaning that he has all the boxes checked and access to all the funcitonality by default.

Default user

The User role has the following privileges:

  • Risk assessment:
    • IT-system: create
    • Problem: create
  • Treatment:
    • Read
    • Create
  • Tasks:
    • Read
    • Edit
    • Create
    • Delete
  • Survey:
    • Read
    • Create
    • Answer survey
  • Organisation:
    • Read
  • Settings:
    • Read

Read and Sign (Decision-maker)

The read and sign role is by default in Diri and designed for the risk owners, such as system responsibles, CIOs, and other decision-makers who do not conduct risk assessments, but are responsible for the risks. These roles have a read function and can complete the risk acceptance step by signing the risk treatment plan and accepting the residual risk.

  • Risk assessment:
    • IT-system: Read
      • Treatment plan   
        • Show treatment plan
        • Sign treatment plan   
    • Overall: Read
      • Treatment plan   
        • Show treatment plan
        • Sign treatment plan   
    • Problem: Read
      • Treatment plan   
        • Show treatment plan
        • Sign treatment plan
  • Treatment:
    • Read
  • Tasks:
    • Read
  • Survey:
    • Read
  • Organisation:
    • Read
  • Settings:
    • Read






    • Related Articles

    • 2 - Create your organisation

      What is the organisation in Diri? The Organisation is an available option for administrators to build your desired organisational structure in Diri. The organisation determines the hierarchy in Diri for placing users and objects. It, therefore, forms ...
    • 7 - Task and Treatment reminders

      Follow up of tasks, treatments, and expire dates Diri sends reminders on risk assigned treatments, treatment plans, and risk assessment expiration. The email is sent from noreply@diri.no. The settings are available in "My account," be careful to ...
    • 6 - Importing and exporting risk assessment registrations with Excel Spreadsheets

      Why import and export? Many organisations have already mapped their ICT systems portfolio. This overview is often in a spreadsheet format, and Diri includes a spreadsheet import functionality to avoid doing the work twice. Importing through this ...
    • 5 - Settings

      Diri comes with several tailorable variables that you can adapt to fit your own security policies and guidelines. As illustrated below, the Diri settings are currently dived in three main categories: Many organizations already have pre-defined levels ...
    • 0 - Creating and managing my subscription

      All the new subscriptions come with a 30-day free trial period and  You must register invoicing information to activate your free trial. However, Diri AS will not send an invoice or collect any payments if the subscription is cancelled before the ...