User roles installed with Governance, Risk, and Compliance (GRC)

Governance, Risk, and Compliance (GRC) installs the following roles.

Note: Users with the ITIL role have access to the application and can edit control tests, remediation tasks, and audits. The read-only roles below do not restrict a user who also holds ITIL, so include ITIL assignments in any review of who can modify audit records.
Table 1. Functional roles

GRC Control Test Processor
  Description: Responsible for ensuring that a control test is run and managed properly.
  Contains roles:
    • grc_compliance_reader
    • grc_control_test_owner

GRC Executive Approver
  Description: Responsible for approving any changes to authority documents, citations, and controls imported from UCF Authority Documents. Users with this role can see their list of UCF document requests in the My Approvals module.
  Contains roles:
    • grc_compliance_approver
    • approver_user

GRC External Auditor
  Description: Responsible for reviewing control tests and the observations generated from them. These users are external to the organization and have read-only access to all records involved in an audit.
  Contains roles:
    • grc_audit_reviewer

GRC Internal Auditor
  Description: Responsible for reviewing and auditing control test results and managing observations for those results. These users have the following access:
    • Read-only access to authority documents, citations, controls, risks, and policies.
    • Read-only access to audit tables.
    • Read-only access to control test instances assigned to an audit.
    • Read-only access to observation instances assigned to them; this user can add a work note.
    • Ability to create observations.
  Contains roles:
    • grc_compliance_reader
    • grc_audit_owner
Table 2. Technical roles

grc_audit_definition_admin
  Description: Can create and edit audit definitions. Can read audit records and records associated with an audit.
  Contains roles:
    • task_editor
    • grc_audit_reader
    • grc_control_test_reader
    • grc_compliance_reader

grc_audit_owner
  Description: Allows read-only access to audits, observations, remediations, and control tests for an audit assigned to that user. Also allows creating observations and adding work notes.
  Contains roles:
    • grc_control_test_reader
    • grc_audit_reader

grc_audit_reader
  Description: Allows read-only access to audits, observations, remediations, and related tables.
  Contains roles: none

grc_audit_reviewer
  Description: Provides read-only access to audits and the associated control test instances assigned to that user.
  Contains roles: none
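Because the functional roles above grant access through the technical roles they contain, a user's effective permissions are the transitive closure of the "contains roles" relation, not just the role shown on the user record. The script below is an added example, not ServiceNow code: it models the containment relation from the two tables, resolves effective roles for constructed sample users, and flags any path to a role that the page describes as able to create or edit records. The set of write-capable roles (ITIL per the note above, grc_audit_definition_admin, grc_audit_owner, task_editor) is an assumption for illustration; the user assignments are constructed.

```python
"""
Resolve effective ServiceNow GRC roles through the 'contains roles' relation.

Added example, not ServiceNow code. The containment map models the two role
tables on this page; which roles count as write-capable is an assumption for
illustration and must be checked against the actual instance.
"""
from collections import deque

# Containment relation from the page's tables: role -> roles it contains.
CONTAINS = {
    "GRC Control Test Processor": {"grc_compliance_reader", "grc_control_test_owner"},
    "GRC Executive Approver": {"grc_compliance_approver", "approver_user"},
    "GRC External Auditor": {"grc_audit_reviewer"},
    "GRC Internal Auditor": {"grc_compliance_reader", "grc_audit_owner"},
    "grc_audit_definition_admin": {"task_editor", "grc_audit_reader",
                                   "grc_control_test_reader", "grc_compliance_reader"},
    "grc_audit_owner": {"grc_control_test_reader", "grc_audit_reader"},
    "grc_audit_reader": set(),
    "grc_audit_reviewer": set(),
}

# ASSUMPTION (illustrative): roles whose description on the page grants the
# ability to create or edit audit-related records. The page states that ITIL
# can edit control tests, remediation tasks and audits; grc_audit_definition_admin
# can create and edit audit definitions; grc_audit_owner can create observations.
WRITE_CAPABLE = {"itil", "grc_audit_definition_admin", "grc_audit_owner", "task_editor"}


def effective_roles(assigned):
    """Transitive closure of the assigned roles over CONTAINS (BFS, cycle-safe)."""
    seen = set()
    queue = deque(assigned)
    while queue:
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        queue.extend(CONTAINS.get(role, ()))
    return seen


def write_paths(assigned):
    """Map each reachable write-capable role to the assigned role that grants it."""
    paths = {}
    for root in assigned:
        for role in effective_roles({root}):
            if role in WRITE_CAPABLE and role not in paths:
                paths[role] = root
    return paths


def review_users(users):
    """Return only the users who can reach a write-capable role; users is {name: set(roles)}."""
    flagged = {}
    for name, roles in users.items():
        paths = write_paths(roles)
        if paths:
            flagged[name] = paths
    return flagged


# Constructed sample assignments, not real users.
SAMPLE_USERS = {
    "alice": {"GRC External Auditor"},
    "bob": {"GRC Internal Auditor"},
    "carol": {"GRC External Auditor", "itil"},
}

if __name__ == "__main__":
    for name, paths in review_users(SAMPLE_USERS).items():
        for role, via in sorted(paths.items()):
            print(f"{name}: write-capable role {role} reached via {via}")
```

Running the script shows that the GRC External Auditor alone stays read-only, while GRC Internal Auditor reaches grc_audit_owner (observation creation) through containment, and a user who also holds ITIL gets edit rights regardless of the GRC role assigned. Replace SAMPLE_USERS with an export of sys_user_has_role to run the same check against a real instance.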