Roles, access rights and teams in NorthGRC
Creating users
New users are created in Settings > Users > Add user by typing in the user's name and email address and giving her a user login.

When a user is created she will receive a login by email. Logged in, she will be able to work with the tasks, documents and controls assigned to her and/or her team(s). This means that not all users have access to the same content or pages in NorthGRC. It is not necessary to grant manager roles in order for a user to access her own tasks, controls and documents.
Teams
NorthGRC comes with a number of predefined teams corresponding to the groups and individuals in an organisation that manage information security and GDPR compliance. These teams can be renamed, deleted and edited to meet the needs of your organisation, and new teams can be created. This is done in Settings > Teams. Each team is assigned a number of tasks, documents and controls that the team is responsible for, accountable for (owner of), consulted on or informed about (see previous chapter). When a user is added to a team, she automatically inherits the access rights and responsibilities of the team.
Standard teams and examples of their responsibilities
IT department
Responsible for the technical IT setup of the organisation. Examples: Rules concerning the technical aspects of IT security. Business continuity plans and disaster recovery procedures.
Business Continuity Team
Responsible for business continuity in the event of system breakdowns, data breaches etc. Examples: Rules for business continuity, business continuity and data breach response plans.
Information Security Manager
Responsible for information security and ISO 2700X compliance in the organisation. Examples: Description of policies and rules governing information security, Statement of Applicability, information security awareness.
DPO
Responsible for GDPR compliance in the organisation. Examples: Rules and policies for protecting personal data, data breach response plan, records of processing activities.
Auditor
Responsible for internal audit in the organisation. Examples: Planning and reporting on internal audit.
Information Security Forum
The Information Security Forum is often where the overall planning of the information security and data protection work takes place. The Information Security Forum is accountable for the majority of tasks in the ISMS and will often have to approve any document regarding information security and data protection. In many organisations the Information Security Forum ideally consists of
- The Information Security Manager/Coordinator
- The head of IT or operations
- A representative from top management such as CEO, CFO or COO
- One or more department managers
System Owners
By default, system owners have no tasks or documents in NorthGRC.
Employees
The team “Employees” contains all employees in the organisation. This is useful when the whole company needs to confirm that they have read awareness material etc.
Roles
Manager roles grant a user access to an area in NorthGRC. When NorthGRC is started for the first time, the first user to log in receives all manager roles and can then create users and assign roles to them. That first account therefore holds every permission in the system.
We have 9 role areas:
Compliance, User(admin), Vendor, Task, Document, Asset, Risk, Organisation and Incident.
Each area has 3 possible roles.
Manager-role
Gives access to everything within the area, so the holder can add, edit and delete everything. A Task Manager can for example register new tasks, see all existing tasks, and edit or delete them.
Creator-role
Gives access to create new entities, for example new tasks in the Task module or new documents uploaded to the library. The creator automatically becomes owner of the entities she creates.
It does not give access to view entities belonging to other teams or users; that requires the Manager role or the Auditor role.
Auditor-role
Gives access to see everything in a specific area, but can’t create, edit or delete anything.
Roles to users directly
Roles are granted in Settings > Users by clicking in the Select user roles field to the right of a user’s name and selecting the role(s) necessary. Roles are applied at login, so if the user is logged in when the roles are added, she has to log out and in again for the roles to take effect.
Roles
Settings > Security > Roles
This view shows which roles (Manager, Creator and Auditor) are assigned to which teams and users.
You can also assign roles to teams or users directly in this view by clicking the small “+” next to the role in the matrix.
Roles directly to teams
Under Security > Teams you can see all available teams.
To the right, you can add specific roles to a team. All users or AD groups added to that team then automatically receive the chosen roles.
Examples of Manager-roles rights
Task Manager
Has access to the planning pages Planning, Gantt and Task List
Can view and take ownership of any:
- Task
- Phase (from Settings)
- Link (from Settings)
Document Manager
Has access to the Library
Can view and take ownership of any:
- Document
- Data list (from Settings)
- Template (from Settings)
Compliance Manager
Has access to the Compliance page
Can view and take ownership of any:
- Control
- Data list (from Settings)
- Template (from Settings)
User Manager (admin role)
Can view, edit, create and delete any:
- User (from Settings)
- Team (from Settings)
Can view the logs
Can reset NorthGRC and start over with default settings.
Vendor Manager
Has access to the Vendor Page
Can view, create and take ownership of any:
- Vendor
- Assessment
Can plan vendor assessments and assign these internally or externally.
Incident Manager
Has access to the Incident Page
Can view, create and take ownership of any:
- Incident
Can manage Incident Templates.
Can move incidents through phases and assign any user.
Organisation Manager
Has access to the Organisation Page
Can view, create and take ownership of any:
- Organisation.
Can create new suborganisations or new separate business units and register departments under these. Used to allocate assets to the correct organisation, giving an overview of where each asset is assigned.
Asset Manager
Has access to the Risk Page
Can view, create and take ownership of any:
- Assets and the relationships between them
Used for creating or importing assets and assigning the correct users to them.
Risk Manager
Has access to the Risk Page
Can view, create and take ownership of any:
- Risk analysis/evaluation/treatment
Plans risk analysis on assets in Risk Analysis page.
Access to a task, document or control
Access to a specific task, document or control is by default granted to one or more teams (see next chapter). This can be changed by clicking Edit and removing or adding teams or users on the task, document or control.
TIP! Use teams instead of individual users. When a user changes job, you simply add her successor to the team instead of having to change every single task, document and control that she is in any way involved in.
Access rights to a task
- Responsible: The user in charge of carrying out the task. Can change a task’s status, comment on it and create links.
- Accountable: Can view, edit and delete a task.
Access rights to a document
- Owner: Can view the document and all its parent folders. Can edit anything on a document and request an approval of it.
- Responsible: Can view the document and all its parent folders. Can edit anything on a document EXCEPT access rights. In special cases the responsible users are NOT allowed to edit: this is when the checkbox “Responsible users are NOT able to edit” is ticked (open the document in edit mode to find it). This is useful when the document contains a form or questions that you want the responsible user to fill out, but you do not want her to be able to change the form itself. The responsible user can also request an approval of the document.
- Consulted: Can view the document - both draft and versioned documents - and all its parent folders.
- Informed: Can view the document and all its parent folders when the document has been approved.
Access rights to a folder
- Owner: Can rename, move and delete the folder.
Access rights to a control
- Owner: Can view the control and all the requirements to which it is linked. Can edit anything on a control.
- Responsible: Can view the control and all the requirements to which it is linked. Can edit anything on a control EXCEPT access rights.
- Informed: Can view the control and all the requirements to which it is linked.
Access rights to a Vendor
- Owner: Can view the vendor and everything linked to it. Can edit and delete anything on a vendor.
- Responsible: Can view the vendor and everything linked to it. Can edit anything on a vendor.
- Informed: Can view the vendor and everything linked to it.
Access rights to an Asset
- Owner: view, edit and delete asset, create and edit risk analysis, by default assigned to Impact assessment, evaluate, treat, reassess, close analysis.
- Responsible: view and edit asset EXCEPT access rights, create and edit risk analysis, by default assigned to Probability assessment, evaluate, treat, reassess, close analysis.
- Informed: view asset, view risk analysis
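The roles section and the document access rights above describe two layers that combine: area-level Manager/Creator/Auditor roles (held directly or inherited from a team) and entity-level Owner/Responsible/Consulted/Informed assignments, with Informed users only seeing approved versions and Responsible users unable to change access rights. The following Python is an added illustration of those rules as stated on this page; it is not NorthGRC's own code, the class and function names (Directory, can_view, create_document, ...) are hypothetical, and the teams, users and document in build_example are constructed sample data.

```python
"""Illustrative model of the access rules described on this page.

Added example, not NorthGRC's own code: the class and function names
are hypothetical and the sample teams, users and document are constructed.
The rules encoded are the ones the text states: area-level Manager,
Creator and Auditor roles (held directly or inherited from a team) and
entity-level Owner / Responsible / Consulted / Informed assignments.
"""
from dataclasses import dataclass, field

# Area-level roles.
MANAGER, CREATOR, AUDITOR = "manager", "creator", "auditor"
# Entity-level access rights on a document.
OWNER, RESPONSIBLE, CONSULTED, INFORMED = "owner", "responsible", "consulted", "informed"


@dataclass
class Team:
    name: str
    roles: dict = field(default_factory=dict)        # area -> set of roles


@dataclass
class User:
    name: str
    teams: set = field(default_factory=set)
    roles: dict = field(default_factory=dict)        # area -> roles granted directly


@dataclass
class Document:
    title: str
    approved: bool = False                           # False = still a draft
    responsible_may_edit: bool = True                # False = "Responsible users are NOT able to edit" ticked
    assignments: dict = field(default_factory=dict)  # right -> set of principals ("alice" or "team:DPO")


class Directory:
    def __init__(self, teams, users):
        self.teams = {t.name: t for t in teams}
        self.users = {u.name: u for u in users}

    def area_roles(self, user, area):
        """Roles a user holds in an area, directly or via team membership."""
        u = self.users[user]
        roles = set(u.roles.get(area, ()))
        for t in u.teams:
            roles |= self.teams[t].roles.get(area, set())
        return roles

    def entity_rights(self, user, doc):
        """Entity-level rights a user holds on a document, directly or via a team."""
        principals = {user} | {f"team:{t}" for t in self.users[user].teams}
        return {right for right, who in doc.assignments.items() if who & principals}


def can_view(d, user, doc, area="document"):
    if d.area_roles(user, area) & {MANAGER, AUDITOR}:
        return True                                  # Manager and Auditor see everything in the area
    rights = d.entity_rights(user, doc)
    if rights & {OWNER, RESPONSIBLE, CONSULTED}:
        return True                                  # see drafts as well as approved versions
    return INFORMED in rights and doc.approved       # Informed: approved versions only


def can_edit_content(d, user, doc, area="document"):
    if MANAGER in d.area_roles(user, area):
        return True
    rights = d.entity_rights(user, doc)
    if OWNER in rights:
        return True
    return RESPONSIBLE in rights and doc.responsible_may_edit


def can_edit_access_rights(d, user, doc, area="document"):
    # Responsible users explicitly may not change access rights.
    return MANAGER in d.area_roles(user, area) or OWNER in d.entity_rights(user, doc)


def create_document(d, user, title, area="document"):
    """Creator (or Manager) role is needed; the creator becomes owner."""
    if not d.area_roles(user, area) & {MANAGER, CREATOR}:
        raise PermissionError(f"{user} has neither Creator nor Manager role in {area}")
    return Document(title, assignments={OWNER: {user}})


def build_example():
    """Constructed sample directory and document (not real data)."""
    teams = [Team("DPO", {"document": {CREATOR}}),
             Team("Auditor", {"document": {AUDITOR}}),
             Team("Employees")]
    users = [User("alice", {"DPO"}), User("dave", {"DPO"}), User("frank", {"DPO"}),
             User("bob", {"Auditor"}), User("carol", {"Employees"}),
             User("eve", roles={"document": {MANAGER}})]
    d = Directory(teams, users)
    plan = create_document(d, "alice", "Data breach response plan")   # alice becomes owner
    plan.assignments[RESPONSIBLE] = {"dave"}
    plan.assignments[INFORMED] = {"team:Employees"}
    return d, plan


if __name__ == "__main__":
    d, plan = build_example()
    for who in ("alice", "dave", "frank", "bob", "carol", "eve"):
        print(who, can_view(d, who, plan), can_edit_content(d, who, plan),
              can_edit_access_rights(d, who, plan))
```

Run as written, the script shows the points the text makes: frank holds the same Creator role as alice but cannot see her document; carol (Informed via the Employees team) sees nothing until the document is approved; dave (Responsible) can edit content but not access rights, and loses content editing when the "Responsible users are NOT able to edit" checkbox is modelled as ticked; only eve (Manager) and bob (Auditor) bypass the entity-level assignments, and bob is read-only.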