Creating Groups and Adjusting Permissions
How groups and their permissions are defined and tested
Once your matrix is completed, it is time to:
- Create organizational groups (IT, Finance, GRC, etc.)
- Create a dummy account that will be used to test permissions
- Create access groups (those used to limit where users can click)
Go to "System" > "Settings" > "Groups" and click on "Actions" > "Add". For each "Organizational" group you have defined in your matrix (IT, Finance, etc.), complete and save the form. Remember, these groups won't let users access anything yet: by default, groups have all permissions denied.
You will need to test your permissions, and for that you need a dummy user account. You will test your groups by logging into eramba with it and checking that the permissions are correct. Go to "System" > "Settings" > "User Management", then click "Actions" > "Add". The form to create users is pretty simple, but keep an eye on the following fields.
Each user account in eramba needs a unique email; without one, eramba cannot send notifications or, for accounts using local authentication, password recovery emails.
Switch this toggle on if you want this account to authenticate using the eramba password management system. Accounts that will authenticate outside eramba (LDAP, SAML) require this toggle to be off.
Select only "Main", as the other two portals on the dropdown are not affected by "Access Groups". Those two portals (Online Assessments and Account Reviews) have their own built-in permissions, and those cannot be changed. So if you are planning on creating users that will only use these portals, you can assign them a single group without permissions, for example a group called "No Permissions" (you need to create it; remember that by default it will have no permissions).
Here is where you will select the groups you want to test. Imagine "Dummy" works for IT. Then, you need to assign to this account all the groups under the column "IT" in your Access Matrix. You need to repeat this step for every column.
Leave this "Active" until you have completed all your testing, then, you will set it to "Inactive" so the account can no longer authenticate.
Unless you are testing REST APIs, this toggle can remain off.
Now look at every column on your matrix, and for every row decide if:
- You can use an existing eramba group (most chances are you can)
- You need to create your group and assign specific permissions
Eramba has read-only groups for the most popular modules (Internal Controls, Policies, Risk, etc.) that, combined with the group "Comments & Attachments", will let users across your organization receive notifications and provide you with feedback. This means that, following the example matrix we built before, any user in the IT department should be assigned:
- IT Group (created above)
- System Group - View Policies and Reviews
- System Group - View All Types of Risks and their Reviews
- System Group - View Internal Controls and Audits, Maintenance and Issues
- Comments and Attachments
As you can see, you should be able to leverage default groups in eramba in most cases. If you need to create a specific group for specific permission, create the group as done before and then go to "System" > "Settings" > "Authorization". Select the group you just created, and then select the module you want to allow access to.
Then all actions for that module will be displayed, and you can choose which ones you want to enable (remember, by default they will all be disabled if the group is new).
Repeat this process for every module until you have configured the group as you wish. Since, at this stage, you might not know what eramba does, it might be difficult to tell which permissions to grant. Always assign the least amount of permissions until the need arises (when you start to use the system).
After you have created (or reused the default groups that come with eramba) the groups you need for every column, you need to test that these groups do what you want. Go back to User Management, edit the dummy account and assign the groups for the column you have worked on. Save and log out. Then log in using the dummy login and credentials and check that you have the right permissions.
Because of "Visualisations", the dummy account might not see any data (as it has nothing attached to it). You might want to create an item in the module you are testing and assign it to the dummy account to double-check permissions with data.
Repeat this process for every column on your Access Matrix.
Once the testing has been completed, you can edit the dummy account and set the "Status" to "Inactive".
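As an added illustration of the column-by-column test described above (this is not eramba's code or part of the course), the following Python models groups that start with every action denied, a user's effective permissions as the union of their groups, and a check of the dummy account against one column of the Access Matrix. The group names come from the IT column above; the module and action names are constructed placeholders, and the additive (union) semantics across groups is an assumption.

```python
# Added example: a model of the access-matrix testing procedure, not eramba's code.
# Group names come from the page; module/action names are constructed placeholders,
# and additive (union) permission semantics across groups is an assumption.
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    # A new group starts with every action denied (the eramba default per the page).
    allowed: dict[str, set[str]] = field(default_factory=dict)

    def allow(self, module: str, *actions: str) -> None:
        """Enable specific actions for one module, as done under Authorization."""
        self.allowed.setdefault(module, set()).update(actions)


def effective_permissions(groups: list[Group]) -> dict[str, set[str]]:
    """Union of allowed actions across a user's groups (assumed additive)."""
    perms: dict[str, set[str]] = {}
    for g in groups:
        for module, actions in g.allowed.items():
            perms.setdefault(module, set()).update(actions)
    return perms


def check_column(groups: list[Group], expected: dict[str, set[str]]) -> list[str]:
    """Compare the dummy account's effective permissions with the matrix column.
    Returns findings (missing or over-privileged actions); empty means it passes."""
    perms = effective_permissions(groups)
    findings = []
    for module, actions in expected.items():
        missing = actions - perms.get(module, set())
        if missing:
            findings.append(f"{module}: missing {sorted(missing)}")
    for module, actions in perms.items():
        extra = actions - expected.get(module, set())
        if extra:
            findings.append(f"{module}: over-privileged {sorted(extra)}")
    return findings


# Constructed sample: the IT column from the matrix example on this page.
it_group = Group("IT Group")                      # organisational group, grants nothing
view_policies = Group("System Group - View Policies and Reviews")
view_policies.allow("Policies", "view")           # placeholder module/action names
comments = Group("Comments and Attachments")
comments.allow("Comments", "view", "add")
IT_COLUMN = [it_group, view_policies, comments]
IT_EXPECTED = {"Policies": {"view"}, "Comments": {"view", "add"}}

if __name__ == "__main__":
    print(check_column(IT_COLUMN, IT_EXPECTED) or "IT column passes")
```

Run one such check per column of your matrix; a non-empty result for a column means the assigned groups either lack an action the column requires or grant one it does not.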