- DATE:
- AUTHOR: The folks at Scrut
Role Based Access Control (RBAC)
What is RBAC?
RBAC uses the role assigned to each user (admin, contributor, auditor or employee) to define and limit what that user can reach on the Scrut platform. Restricting each user to the modules and data they need supports compliance, confidentiality and privacy requirements and keeps access to resources and sensitive data manageable.
Access Controls & Use Cases
In essence, there are two types of access control:
a) Module-based access control: access is granted at the module and sub-module level. For example, User A, a contributor, can be given access to only the policy module, or to any other single module.
b) Data-based access control: access is granted based on departments (for contributors) and frameworks (for auditors). For example,
- User A, a contributor from the HR department, can be given access to only HR policies and evidence in Scrut.
- User B, an auditor, can be given access to only the ISO 27001 framework, so they can view only the artifacts of ISO 27001.
What are the different roles?
1) Admin
The admin role has access to all modules and data by default. Admin permissions cannot be changed; the platform does not allow it.
2) Contributor
Contributor roles can be given access based on modules and departments, as demonstrated here.
3) Auditor
The auditor role can be given access based on modules and frameworks, as demonstrated here.
4) Employees
Employees have access to the training page only; for security reasons they cannot access any other module on the platform.
How does it work?
1) Create a new user by navigating through "Settings" → "Manage Users" → "Add User"
2) Within the role dropdown, select 'admin', 'contributor' or 'auditor', then choose the access details (modules, and departments or frameworks) you want to grant to the user.
3) Click 'Save' to grant access.
If specific departments are selected for the policy or evidence task, the user can see only the policy or evidence tasks linked to those departments. If no data is linked to the selected department, the user sees no data at all.
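As an added illustration of the model described above, here is a small deny-by-default evaluator that applies the module-based check first and then the data-based scope for the role, including the case where a selected department has no linked data. It is example code, not Scrut's implementation or data model: the module catalogue, the `User` and `Artifact` records, the sample users and artifacts, and the assumption that an empty department or framework scope imposes no data restriction are all assumptions made for this example; the page only states what happens once a department is selected.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# Assumed module catalogue: the page names only the training page and the
# policy and evidence modules; "risk" is a placeholder for the example.
MODULES = frozenset({"policies", "evidence", "training", "risk"})


@dataclass(frozen=True)
class User:
    name: str
    role: str                                   # "admin" | "contributor" | "auditor" | "employee"
    modules: FrozenSet[str] = frozenset()       # module-based grants (contributor/auditor only)
    departments: FrozenSet[str] = frozenset()   # data scope for contributors
    frameworks: FrozenSet[str] = frozenset()    # data scope for auditors


@dataclass(frozen=True)
class Artifact:
    """A policy, evidence task or training item (constructed sample data)."""
    id: str
    module: str
    department: str
    frameworks: FrozenSet[str]


def can_access_module(user: User, module: str) -> bool:
    """Module-based access control: deny by default."""
    if module not in MODULES:
        return False                       # unknown module: never granted
    if user.role == "admin":
        return True                        # admin sees every module; not editable
    if user.role == "employee":
        return module == "training"        # employees get the training page only
    if user.role in ("contributor", "auditor"):
        return module in user.modules      # only what the admin explicitly granted
    return False                           # unknown role: deny


def can_access_artifact(user: User, art: Artifact) -> bool:
    """Data-based access control, applied only after the module check passes."""
    if not can_access_module(user, art.module):
        return False
    if user.role in ("admin", "employee"):
        return True                        # no data scoping for these roles
    if user.role == "contributor":
        # Assumption: an empty department scope means no data restriction within the
        # granted modules; once departments are selected, only their data is visible.
        return not user.departments or art.department in user.departments
    if user.role == "auditor":
        return not user.frameworks or bool(art.frameworks & user.frameworks)
    return False


def visible_artifacts(user: User, artifacts: Iterable[Artifact]) -> List[str]:
    """IDs of the artifacts this user may see, sorted for stable comparison."""
    return sorted(a.id for a in artifacts if can_access_artifact(user, a))


# Constructed sample data (not real Scrut records).
ARTIFACTS = [
    Artifact("hr-policy-1", "policies", "HR", frozenset({"ISO 27001", "SOC 2"})),
    Artifact("eng-policy-1", "policies", "Engineering", frozenset({"ISO 27001"})),
    Artifact("hr-evidence-1", "evidence", "HR", frozenset({"SOC 2"})),
    Artifact("onboarding-1", "training", "All", frozenset()),
]

USERS = {
    "admin": User("alice", "admin"),
    # User A from the page: contributor limited to the policy module and HR data.
    "hr_contributor": User("bob", "contributor", frozenset({"policies"}), frozenset({"HR"})),
    # User B from the page: auditor limited to ISO 27001 artifacts.
    "iso_auditor": User("carol", "auditor", frozenset({"policies", "evidence"}),
                        frameworks=frozenset({"ISO 27001"})),
    # Edge case from the page: a department is selected but no data is linked to it.
    "finance_contributor": User("dave", "contributor", frozenset({"policies", "evidence"}),
                                frozenset({"Finance"})),
    "employee": User("erin", "employee"),
}


def demo() -> Dict[str, List[str]]:
    """Evaluate every sample user against the sample artifacts."""
    return {key: visible_artifacts(u, ARTIFACTS) for key, u in USERS.items()}


if __name__ == "__main__":
    for key, ids in demo().items():
        print(f"{key:20s} -> {ids or '(nothing visible)'}")
```

Running the block shows the two checks composing: the HR contributor sees only the HR policy even though HR evidence exists (the evidence module was never granted), the ISO 27001 auditor sees policies across departments but not the SOC 2-only evidence, and the Finance contributor, who has module grants but no matching department data, sees nothing at all, which is the behaviour the paragraph above describes.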
If you have any questions or issues, please reach out to your assigned customer relationship manager. They'll be happy to assist you!