These roles provide access to Governance, Risk, and Compliance (GRC) and can perform all the activities of the roles they contain.

GRC provides four functional roles that describe general compliance responsibilities in the system. This is a best-practice approach to granting auditors, approvers, and users who manage control tests the technical roles they need to perform their jobs. These roles can be modified to suit an organization's needs.

Technical roles grant specific capabilities to users in the system and are combined to create the functional roles.

Note: Users with the ITIL role have access to the application and can edit control tests, remediation tasks, and audits.
Table 1. Functional roles

GRC Control Test Processor: Responsible for ensuring that a control test is executed, run, and managed.

GRC Executive Approver: Responsible for approving any changes to authority documents, citations, and controls imported from UCF Authority Documents. Users with this role have access to their list of UCF document requests in the My Approvals module.

GRC External Auditor: Responsible for reviewing the control tests and the observations generated from them. These users have read-only access to all records involved in an audit and are external to the organization.

GRC Internal Auditor: Responsible for reviewing and auditing control test results, and managing observations for those results. These users have the following access:
- Read-only access to authority documents, citations, controls, risks, and
- Read-only access to audit tables.
- Read-only access to control test instances assigned to an audit.
- Read-only access to observation instances assigned to them. This user can add a work note.
- Able to create observations.
Table 2. Technical Roles

- Can create and edit Audit Definitions. Can read audit records and records associated with an audit.
- Allows read-only access to audits, observations, remediations, and control tests for an audit assigned to that user. Also allows writing and creation of observations, and work notes.
- Allows read-only access to audits, observations, remediations, and related
- Provides read-only access to audit and associated control test instances assigned to that user.
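The containment rule stated at the top of this page (a functional role can do everything the technical roles it contains can do) is easy to model and check. The following is an added example, not ServiceNow code or the product's real ACL definitions: the technical role names (`grc_audit_reviewer_rw` and so on), the table names, and the (table, action) permission pairs are assumptions constructed from the descriptions in Table 1 and Table 2. It resolves containment transitively and reports which functional roles can modify which tables, so a reviewer can confirm that a role documented as read-only (the External Auditor) really grants no write capability.

```python
"""Role-composition model for the GRC functional and technical roles (added example).

Role names, table names and (table, action) pairs below are assumptions built
from the role descriptions on this page; they are not ServiceNow's real role
names or ACLs.
"""
from collections import deque

# Permissions are (table, action) pairs. Actions used: read, create, write.
# Hypothetical technical roles: the page gives their descriptions, not their names.
TECHNICAL_ROLES = {
    # "Can create and edit Audit Definitions. Can read audit records ..."
    "grc_audit_definition_editor": {
        ("audit_definition", "read"), ("audit_definition", "create"),
        ("audit_definition", "write"), ("audit", "read"),
    },
    # "read-only access to audits, observations, remediations, and control tests
    #  ... Also allows writing and creation of observations, and work notes."
    "grc_audit_reviewer_rw": {
        ("audit", "read"), ("observation", "read"), ("remediation", "read"),
        ("control_test", "read"), ("observation", "create"),
        ("observation", "write"), ("work_note", "create"),
    },
    # "read-only access to audits, observations, remediations, and related ..."
    "grc_audit_reviewer_ro": {
        ("audit", "read"), ("observation", "read"), ("remediation", "read"),
        ("control_test", "read"),
    },
    # "read-only access to audit and associated control test instances ..."
    "grc_control_test_instance_reader": {
        ("audit", "read"), ("control_test_instance", "read"),
    },
}

# Functional roles are built by containing technical roles (or other roles).
# Membership below is an assumption that matches the Table 1 descriptions.
FUNCTIONAL_ROLES = {
    "GRC Internal Auditor": {"grc_audit_reviewer_rw", "grc_control_test_instance_reader"},
    "GRC External Auditor": {"grc_audit_reviewer_ro", "grc_control_test_instance_reader"},
}

WRITE_ACTIONS = {"create", "write", "delete"}


def contained_roles(role, functional=FUNCTIONAL_ROLES):
    """All roles reachable from `role` through containment, including itself.

    Breadth-first with a seen-set, so nested or even cyclic containment terminates.
    """
    seen, queue = set(), deque([role])
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        queue.extend(functional.get(current, ()))
    return seen


def effective_permissions(role, functional=FUNCTIONAL_ROLES, technical=TECHNICAL_ROLES):
    """Union of the permissions of every technical role the given role contains."""
    perms = set()
    for r in contained_roles(role, functional):
        perms |= technical.get(r, set())
    return perms


def can(role, table, action, functional=FUNCTIONAL_ROLES, technical=TECHNICAL_ROLES):
    """True if `role` (directly or via containment) holds (table, action)."""
    return (table, action) in effective_permissions(role, functional, technical)


def write_grants(role, functional=FUNCTIONAL_ROLES, technical=TECHNICAL_ROLES):
    """The (table, action) pairs through which `role` can modify data.

    An empty set means the role is genuinely read-only, which is what the page
    claims for the External Auditor.
    """
    return {p for p in effective_permissions(role, functional, technical)
            if p[1] in WRITE_ACTIONS}


def least_privilege_report(functional=FUNCTIONAL_ROLES, technical=TECHNICAL_ROLES):
    """Map each functional role to a sorted list of the tables it can modify."""
    return {role: sorted({table for table, _ in write_grants(role, functional, technical)})
            for role in functional}


if __name__ == "__main__":
    for role, tables in least_privilege_report().items():
        print(f"{role}: can modify {tables or 'nothing (read-only)'}")
```

The model deliberately ignores row-level scoping ("assigned to that user", "assigned to an audit"): it answers which tables a role may touch at all, which is the question to settle before worrying about which rows. If an organization modifies these roles, re-running `least_privilege_report` shows immediately whether a read-only role has quietly acquired a write path through a newly contained technical role.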