Database Reference
In-Depth Information
In order to define access to data, GRC uses the following components:
• A
primary data role
defines a set of data that satisfies (in most cases)
three conditions:
° The data belongs to a specified module
° The data exists in one or more specified states, such as
New
,
In
Edit
, or
Awaiting Approval
° The data is subject to a particular action, for example,
Create
or
Delete
• A primary data role that supports assessment activities additionally grants
access only to data associated with a specified value for a seeded perspective
called
Activity Type
.
• A
composite data role
is a set of primary data roles. It defines the data to
which a user can apply the functionality granted in a job duty role. Users
may create
custom perspective data roles
, each of which combines a
composite data role with a filter that allows access only to data associated
with a specified perspective value.
In order to combine functionality and data access, GRC uses the following
components:
• A
job role
comprises a job duty role and a composite data role (or custom
perspective data role)
• Each eGRCM user is assigned one or more job roles
The following figure illustrates the relationships among these components:
Security Component Hierarchy
Duty Role
Privilege
Job Duty Role
The collection of
functional privileges
need to perform a
certain duties within
a Job.
The functionality and
tasks within EGRCM
that are assigned to
this duty role
The duties of a person
assigned to this Job
role performs
User
Job Role
Is assigned Job
Roles as their
security access
to EGRCM
The functional access
and the data access
for this Job.
Primary Data Role
Composite
Data Role
Criteria for which data
is accessible based
on module, state and
state action
Which data a user in
this Job Role has
access to.
Search WWH ::
Custom Search