GRC functional and technical roles

These roles provide access to Governance, Risk, and Compliance (GRC) and can perform all the activities of the roles they contain.

GRC provides four functional roles that describe general compliance responsibilities in the system. This is a best practice approach to granting auditors, approvers, and users who manage control tests the technical roles they need to perform their jobs. These roles can be modified to suit an organization's needs.

GRC technical roles grant specific capabilities to users in the system and are combined to create the functional roles.
Note: Users with the ITIL role have access to the application and can edit control tests, remediation tasks, and audits.
Figure 1. GRC technical and functional roles (diagram: technical roles shown in yellow, functional roles in green)
Table 1. Functional roles

Role: GRC Control Test Processor
Description: Responsible for ensuring that a control test is executed, run, and managed properly.
Contains roles:
  • grc_compliance_reader
  • grc_control_test_owner

Role: GRC Executive Approver
Description: Responsible for approving any changes to authority documents, citations, and controls imported from UCF Authority Documents. Users with this role have access to their list of UCF document requests in the My Approvals module.
Contains roles:
  • grc_compliance_approver
  • approver_user

Role: GRC External Auditor
Description: Responsible for reviewing the control tests and the observations generated from them. These users have read-only access to all records involved in an audit and are external to the organization.
Contains roles:
  • grc_audit_reviewer

Role: GRC Internal Auditor
Description: Responsible for reviewing and auditing control test results, and managing observations for those results. These users have the following access:
  • Read-only access to authority documents, citations, controls, risks, and policies.
  • Read-only access to audit tables.
  • Read-only access to control test instances assigned to an audit.
  • Read-only access to observation instances assigned to them. This user can add a work note.
  • Able to create observations.
Contains roles:
  • grc_compliance_reader
  • grc_audit_owner
Table 2. Technical roles

Role: grc_audit_definition_admin
Description: Can create and edit Audit Definitions. Can read audit records and records associated with an audit.
Contains roles:
  • task_editor
  • grc_audit_reader
  • grc_control_test_reader
  • grc_compliance_reader

Role: grc_audit_owner
Description: Allows read-only access to audits, observations, remediations, and control tests for an audit assigned to that user. Also allows creating and writing observations and work notes.
Contains roles:
  • grc_control_test_reader
  • grc_audit_reader

Role: grc_audit_reader
Description: Allows read-only access to audits, observations, remediations, and related tables.
Contains roles: none

Role: grc_audit_reviewer
Description: Provides read-only access to audit and associated control test instances assigned to that user.
Contains roles: none
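Because functional roles contain technical roles, which in turn contain other technical roles, the access a user actually receives is the transitive closure of the "Contains roles" column, not just the roles listed beside the functional role. The script below is an added example, not code from the ServiceNow GRC documentation or product: it encodes the containment stated in Table 1 and Table 2, expands any role to its effective technical roles, and flags which of those Table 2 describes as granting write access, so a least-privilege review of a role assignment can see the full grant. It assumes that roles whose contents the page does not list (grc_compliance_reader, grc_control_test_reader, grc_control_test_owner, task_editor, grc_compliance_approver, approver_user, grc_audit_reviewer) are leaf roles, and the write/read-only classification is taken only from the Table 2 descriptions; everything else is reported as unlisted rather than guessed. In a live instance the containment map would be read from the instance's role-containment records rather than hard-coded.

```javascript
// Added example: role-containment expansion for a least-privilege review.
// The CONTAINS map is transcribed from Table 1 and Table 2 above. Roles not
// described on the page are assumed (for this example) to contain nothing.
const CONTAINS = {
  // Functional roles (Table 1)
  'GRC Control Test Processor': ['grc_compliance_reader', 'grc_control_test_owner'],
  'GRC Executive Approver': ['grc_compliance_approver', 'approver_user'],
  'GRC External Auditor': ['grc_audit_reviewer'],
  'GRC Internal Auditor': ['grc_compliance_reader', 'grc_audit_owner'],
  // Technical roles (Table 2)
  grc_audit_definition_admin: [
    'task_editor',
    'grc_audit_reader',
    'grc_control_test_reader',
    'grc_compliance_reader',
  ],
  grc_audit_owner: ['grc_control_test_reader', 'grc_audit_reader'],
  grc_audit_reader: [],
  grc_audit_reviewer: [],
};

// Access level per technical role, taken only from the Table 2 descriptions.
// Roles Table 2 does not describe are reported as 'unlisted' so the reviewer
// knows the page gives no evidence either way (assumption, not product data).
const ACCESS = {
  grc_audit_definition_admin: 'write', // can create and edit Audit Definitions
  grc_audit_owner: 'write', // can create observations and work notes
  grc_audit_reader: 'read-only',
  grc_audit_reviewer: 'read-only',
};

// Expand a role to every role it effectively grants by following the
// "Contains roles" column transitively. Iterative and cycle-safe, so a
// misconfigured containment loop cannot recurse forever.
function effectiveRoles(role) {
  const seen = new Set();
  const stack = [role];
  while (stack.length > 0) {
    const current = stack.pop();
    if (seen.has(current)) continue;
    seen.add(current);
    for (const child of CONTAINS[current] || []) stack.push(child);
  }
  seen.delete(role); // report what the role grants, not the role itself
  return [...seen].sort();
}

function accessLevel(role) {
  return ACCESS[role] || 'unlisted';
}

// Least-privilege review of one role: the full set of roles it grants, the
// subset Table 2 describes as write-capable, and the subset the page does not
// describe (which a reviewer would need to check in the instance).
function reviewRole(role) {
  const granted = effectiveRoles(role);
  return {
    role,
    granted,
    write: granted.filter((r) => accessLevel(r) === 'write'),
    unlisted: granted.filter((r) => accessLevel(r) === 'unlisted'),
  };
}

// Example run over the functional roles from Table 1.
for (const name of Object.keys(CONTAINS).filter((k) => k.startsWith('GRC '))) {
  console.log(JSON.stringify(reviewRole(name)));
}
```

Running this shows, for instance, that GRC Internal Auditor effectively grants grc_audit_owner, grc_audit_reader, grc_compliance_reader and grc_control_test_reader, with grc_audit_owner the only one Table 2 describes as write-capable, while GRC External Auditor grants only the read-only grc_audit_reviewer; the unlisted entries are the ones a reviewer should look up in the instance before signing off on the assignment.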