Operating Guide

Version 3.3

Record Security

Overview

Note: Fields with configurable labels may be either disabled or named differently in your system. These labelled fields are shown in (brackets).

A Position’s access to a Record within TriLine GRC is via membership of a Security Group with the correct access to that Record. A Position must be allocated to one (or more) of these Security Groups to access a Record.

A Security Group’s Record access can be either ‘Edit’ or ‘View’. Otherwise the Security Group, and hence the Positions in this Security Group, have ‘No Access’ to the Record. (See About Record Security Rights.)

About Record Security

For existing records, the Security tab is displayed for:

These Positions may edit and change the Security Group accesses to these Records.

Additionally, Positions in System Security Groups ‘Create (module)’, Administrators, and that Module’s Administrator System Group can give initial Record security access during Record creation.

Record Security is assigned, via Security Groups, to the following:

*** Module must be installed.

There is no restriction on viewing Obligation*** records.

Inherited security

Record Security cannot be assigned to Tasks. Security of Tasks is inherited from the owning Record.

Security inheritance for dependent Records

| Record Type | Security inherited from |
|---|---|
| Process Control | Compliance Process |
| Risk Review | Risk |
| Risk (Treatments) | Risk |
| (KRI) Task | KRI |
| (Event) Task | (Events) |
| Register Task | Registers |
| Contract Task | Contracts |
| (Control Inventory) Task | (Control Inventory) |
| Document Review | Document Library |
| Document Task | Document Library |
| Triage PRO Task | Triage PRO |

About Record Security Rights

Security Rights levels for ‘Records’ Security Groups

Security Rights level: ‘Edit’

Only give this access to Security Groups that you want to be able to update the Compliance, Risk, KRI, Contract or (Event) Record and all Tasks. This level of access is recommended for Record responsibility Positions, and ‘Escalate To’ Positions who also have Record responsibility.

Positions in Security Groups with ‘Edit’ access to a Record can:

• Open and Edit the details of the Record,
• Create and edit Tasks from the Record Page,
• Print the details of the Record, and
• Delete the Record.

Positions in Security groups with ‘Edit’ access are visible in all assignment drop-down lists for the Record (i.e. ‘Responsible Officer’, ‘Actioned By’, ‘Escalate To’) and can be assigned to any or all of these responsibilities.

Note:

Positions do not need this level of access to perform/complete Tasks (see the Tip below this table).

Security Rights level: ‘View’

Give this access to Security Groups that you want to be able to view—but not edit—the Compliance, Risk, KRI, Contract or (Event) Record and all Tasks. This level of access is recommended for those Security Groups that perform and complete Tasks (i.e. ‘Actioned By’ Positions, and Task ‘Escalate To’ Positions who are not responsible for the parent Record).

Positions in Security groups with ‘View’ access to a Record can:

• Open and view the details of the Record,
• Open and view the Record’s Tasks, and
• Print the details of the Record.

Positions in Security Groups with ‘View’ access are visible in all assignment drop-down lists for the Record (i.e. ‘Responsible Officer’, ‘Actioned By’, ‘Escalate To’) and can be assigned to any or all of these responsibilities.

Note:

‘View’ is the appropriate level of access for Positions to perform/complete Tasks (see the Tip below this table).

Security Rights level: ‘Not Used’

Security Groups with ‘Not Used’ access to a Record cannot see any details of the Record, including in lists, reports, charts and widgets.

Positions in ‘Not Used’ Security Groups are not visible in any assignment drop-down lists for the Record; nor can they be assigned as ‘Actioned By’, ‘Escalate To’ or ‘Responsible Officer’.

Note:
You can assign a Blind Task to a Position in a ‘Not Used’ Security Group and that Position will be able to complete the Task (albeit without referring to the parent Record). See Restricting Record Access for Positions that perform/complete Tasks for more information.

Typical Record Security Rights for Record and Task activities

The table below shows the most appropriate (i.e. minimum) Record Security Rights that you should assign to Positions (within a Security Group) so that they can perform the Record and Task activities as shown.

Note:
Record Security Rights are assigned within each Record, via the ‘Security’ tab. See Apply Record Security for each Security Group for more information.

Minimum Record Security requirements for various Record and Task activities

| Activity, Record or Task | Minimum Record Security Rights required | Record/Task assignment |
|---|---|---|
| To manage a Record: | | |
| Compliance Process | Assign the Position to a Security Group with ‘Edit’ access to the Compliance Process. | In the Compliance Process ‘Process Detail’ tab, select the Position in the ‘Responsible Officer’ field. |
| Risk | Assign the Position to a Security Group with ‘Edit’ access to the Risk Record. | On the Risk Record’s ‘Risk Details’ tab, move the Position into the ‘Owned By’ field (see item 8 in The Risk Details tab). |
| KRI | Assign the Position to a Security Group with ‘Edit’ access to the KRI. | In the KRI ‘Details’ tab, select the Position in the ‘Owner’ field (see item 6 in The KRI Page Details tab). |
| (Event) | Assign the Position to a Security Group with ‘Edit’ access to the Event Record. | In the (Event) Record’s ‘Details’ tab, select the Position in the ‘Managed By’ field (see item 14 in Reviewing the (Event) Details). |
| Register | Assign the Position to a Security Group with ‘Edit’ access to the Register Record. | In the Register Record’s ‘Details’ tab, select the Position in the ‘Managed By’ field (see item 6 in The Information tab). |
| Contract | Assign the Position to a Security Group with ‘Edit’ access to the Contract. | In the Contract ‘Details’ tab, select the Position in the ‘Responsible Office’ field (see item 8 in The Contract Page Details tab). |
| Control Inventory | Assign the Position to a Security Group with ‘Edit’ access to the Control Inventory record. | In the Control Inventory ‘Detail’ tab, select the Position in the ‘Owner’ field. |
| Document Library | Assign the Position to a Security Group with ‘Edit’ access to the Document record. | In the ‘Document Details’ tab, select the Position in the ‘Owner’ field. |
| To manage a Task: (not perform/complete a Task—see separate section below) | | |
| Process Control | Assign the Position to a Security Group with ‘View’ access to the parent Compliance Process. | In the Process Control’s ‘Schedule / Custom Fields’ tab, select the Position in the ‘Task Responsibility’ field. |
| Risk (Treatments) | Assign the Position to a Security Group with ‘View’ access to the parent Risk Record. | In the Risk (Treatments) ‘Schedule’ tab, select the Position in the ‘Task Responsibility’ field. |
| Risk Review | N/A | The Position set as ‘Owned By’ for the Risk is responsible for the Review. |
| KRI Task | N/A | The Position set as the KRI ‘Owner’ is responsible for KRI Tasks. |
| (Event) Task | N/A | The Position set in the (Event) Record’s ‘Managed By’ field (the (Event) Manager) is responsible for the Task. |
| Register Task | N/A | The Position set in the Registers Record’s ‘Managed By’ field (the Register Manager) is responsible for the Task. |
| Contract Task | Assign the Position to a Security Group with ‘View’ access to the parent Risk Record. | In the Contract Task’s ‘Schedule’ tab, select the Position in the ‘Task Responsibility’ field. |
| Control Inventory | N/A | The Position set as ‘Owner’ for the Control Inventory is responsible for the Task. |
| Document Library | N/A | The Position set as ‘Owner’ for the Document is responsible for the Document Review Task. |
| To perform/complete a Task: | | |
| Process Control | Assign the Position to a Security Group with ‘View’ access to the parent Compliance Process. | In the Process Control’s ‘Schedule / Custom Fields’ tab, select the Position in the ‘Actioned By’ field. |
| Risk (Treatments) | Assign the Position to a Security Group with ‘View’ access to the parent Risk Record. | In the Risk (Treatments) ‘Schedule’ tab, select the Position in the ‘Actioned By’ field. |
| Risk Review (Assessment) | Assign the Position to a Security Group with ‘View’ access to the Risk Record. | In the Risk Record’s ‘Assessment’, ‘Review Schedule’ tab, select the Position in the ‘Actioned By’ field. |
| KRI Task | Assign the Position to a Security Group with ‘View’ access to the KRI. | In the KRI’s ‘Task’ tab, select the Position in the ‘Actioned By’ field. |
| (Event) Task | Assign the Position to a Security Group with ‘View’ access to the (Event) Record. | In the (Event) Record’s ‘Task’ tab, select the Task to open it for editing, click the ‘Schedule’ tab and select the Position in the ‘Actioned By’ field. |
| Register Task | Assign the Position to a Security Group with ‘View’ access to the Register Record. | In the Register Record’s ‘Task’ tab, select the Task to open it for editing, click the ‘Schedule’ tab and select the Position in the ‘Actioned By’ field. |
| Contract Task | Assign the Position to a Security Group with ‘View’ access to the parent Contract Record. | In the Contract Task’s ‘Schedule’ tab, select the Position in the ‘Actioned By’ field. |
| Control Inventory Task | Assign the Position to a Security Group with ‘View’ access to the parent Control Inventory Record. | In the Control Inventory Task’s ‘Schedule’ tab, select the Position in the ‘Actioned By’ field. |
| Document Review Task | Assign the Position to a Security Group with ‘View’ access to the parent Document Record. | In the Document Task’s tab, select the Position in the Document Review ‘Actioned By’ field. |
| To act as an Escalation Point for a Task: | | |
| Process Control | Assign the Position to a Security Group with ‘View’ access to the parent Compliance Process. | In the Process Control’s ‘Schedule / Custom Fields’ tab, select the Position in the ‘Escalate To’ field. |
| Risk (Treatments) | Assign the Position to a Security Group with ‘View’ access to the parent Risk Record. | In the Risk (Treatments) ‘Schedule’ tab, select the Position in the ‘Escalate To’ field. |
| Risk Review (Assessment) | Assign the Position to a Security Group with ‘View’ access to the Risk Record. | In the Risk Record’s ‘Assessment’, ‘Review Schedule’ tab, select the Position in the ‘Escalate To’ field. |
| KRI Task | Assign the Position to a Security Group with ‘View’ access to the KRI. | In the KRI’s ‘Task’ tab, select the Position in the ‘Escalate To’ field. |
| (Event) Task | Assign the Position to a Security Group with ‘View’ access to the (Event) Record. | In the (Event) Record’s ‘Task’ tab, select the Task to open it for editing, click the ‘Schedule’ tab and select the Position in the ‘Escalate To’ field. |
| Register Task | Assign the Position to a Security Group with ‘View’ access to the Register Record. | In the Register Record’s ‘Task’ tab, select the Task to open it for editing, click the ‘Schedule’ tab and select the Position in the ‘Escalate To’ field. |
| Contract Task | Assign the Position to a Security Group with ‘View’ access to the parent Risk Record. | In the Contract Task’s ‘Schedule’ tab, select the Position in the ‘Escalate To’ field. |
| Control Inventory | N/A | The Position set as ‘Owner’ for the Control Inventory is defaulted to as the Escalation position. |
| Document Review Task | N/A | The Position set as ‘Owner’ for the Document is defaulted to as the Escalation position. |

Tip: Positions who will perform and complete Tasks only need ‘View’ Record Security Rights to the parent Record (see the table above). Remember the following rule of thumb:

“View to Do”

Conditions where you do not need to set Record Security

A Position can perform and complete a Task without being assigned Security Rights for the parent Record if the Position is:

Restricting Record Access for Positions that perform/complete Tasks

There may be instances where you want to assign a Task to a Position without the Position having access to the parent Record for reasons of confidentiality. You may also want to restrict a Position’s visibility of data to only that in which they have direct involvement. TriLine GRC provides two options that you can use:

Create a Blind Task

You can assign a Blind Task to a Position that does not have ‘View’ or ‘Edit’ Rights to the parent Record. The Position is able to complete the Task, but cannot see any information within the parent Record.

The following Tasks can be set as Blind tasks:

Blind Tasks are the most secure Task in TriLine GRC.

Tip:
If you assign a Blind Task to a Position, make sure you include enough information to complete the Task within the Task itself—the Position must be able to complete the Task without having to refer to information in the parent Record.

See the following sections for more information about Blind Tasks:

Set a Position as ‘See Own Data Only’

The ‘See Own Data Only’ option restricts the information a Position can see to only that which the Position needs for a given role. However, the more responsibility a Position has for a Compliance, Risk, KRI, Event or associated Task, the more information will be visible to that Position in order to perform that role.

For Positions with ‘See Own Data Only’ selected, TriLine GRC provides scaled access to Compliance Processes, Risks and KRIs, (Events), and their Tasks.

See the Glossary entry See Own Data Only field for detailed information about specific Record access levels for Positions with this option selected.

Assigning Security Rights to an Existing Record

The process of assigning Security Rights to a particular Record works like this:

  1. Select a Record (for example, a Compliance Process).
  2. Select the Record’s ‘Security’ tab.
  3. Locate the Security Group in the list.
  4. Select a Security Rights level for that group.

Example: Give a Security Group ‘Edit’ Rights to a Compliance Process

Compliance Process (Finance example)

Refer to the screenshot above.

In this example, we want to give the ‘Finance’ Security Group ‘Edit’ Security Rights to this Compliance Process:

  1. In the Compliance Process page, click the ‘Security’ tab (1).
  2. Locate the ‘Finance’ Security Group in the list (2).
  3. Select ‘Edit’ Security Rights from the three options available (3).
  4. Optionally click the ‘Show Members’ icon (4) to display the members of the ‘Finance’ Security Group.
  5. Hover over the Options icon (5) and then click the ‘Save’ icon (5) to apply updates.

Security setup example

The Blue Ribbon Company has the organisation structure shown below.

Example organisation structure

Here are the company’s security needs:

To meet the organisation’s security needs, we need to:

Set up the Administrators

See the following for more information:

Set up ‘View’ Rights for the CEO

The CEO needs ‘View’ Rights to all TriLine GRC Records—the ‘Super Users’ System Group provides this level of access.

See the following for more information:

Create Security Groups for Record Security

‘Edit’ Rights for Executive Managers

See the following for more information:

‘View’ Rights for Finance, HR and Sales division Positions

See the following for more information:

Apply Record Security for each Security Group

Record Security is applied within each individual Record, via that Record’s ‘Security’ tab. Here’s how we apply Record Security for our example Blue Ribbon Company.

Finance Records
‘Finance’ Record Security for each Security Group

Refer to the screenshot above.

For any Finance-related Record, select the Record’s ‘Security’ tab and apply the following Security Rights:

Note:
Groups with ‘Not Used’ Security Rights cannot access Finance Records.

HR Records
‘HR’ Record Security for each Security Group

Refer to the screenshot above.

For any HR-related Record, select the Record’s ‘Security’ tab and apply the following Security Rights:

Note:
Groups with ‘Not Used’ Security Rights cannot access HR Records.

Compliance Records
‘Compliance’ Record Security for each Security Group

Refer to the screenshot above.

For any Sales-related Record, select the Record’s ‘Security’ tab and apply the following Security Rights:

Note:
Groups with ‘Not Used’ Security Rights cannot access Sales Records.

Procedures

See the Positions with access to the Record

  1. Open a Record to which you have Edit access.

  2. Select the ‘Security’ tab. Click the Security Access Summary icon (1).

  3. The Security Access Summary list (2) for this Record is displayed.

    ‘Compliance Process’ Record example

Note: If a Position has access to this record through more than one Security Group, the Position will be listed for all those Security Groups. The highest Security Group access is the security access that will apply for this position.
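The rule in the note above (the highest Security Group access applies), combined with Task inheritance and the ‘View to Do’ tip, can be modelled and audited offline. The following is an added example, not TriLine GRC code or its API: the group, Position, Record and Task names and the data layout are constructed, and the conditions under which a Position needs no Record Security at all are not modelled.

```python
from enum import IntEnum

class Rights(IntEnum):
    NOT_USED = 0  # Record hidden from lists, reports and assignment drop-downs
    VIEW = 1      # open, view and print the Record and its Tasks
    EDIT = 2      # also edit or delete the Record and create or edit its Tasks

# Constructed sample data; all names are hypothetical.
GROUP_MEMBERS = {
    "Finance Managers": {"CFO", "Accounts Clerk"},
    "Finance": {"CFO", "Accounts Clerk", "Payroll Clerk"},
    "HR": {"HR Officer"},
}
RECORDS = {  # rights as they would be set on each Record's 'Security' tab
    "Month-end close": {
        "responsible_officer": "CFO",
        "security": {"Finance Managers": Rights.EDIT,
                     "Finance": Rights.VIEW,
                     "HR": Rights.NOT_USED},
    },
}
TASKS = {  # Tasks hold no security of their own; they inherit from the Record
    "Reconcile ledger": {"record": "Month-end close",
                         "actioned_by": "Accounts Clerk", "blind": False},
    "Run payroll check": {"record": "Month-end close",
                          "actioned_by": "Payroll Clerk", "blind": False},
    "Confirm headcount": {"record": "Month-end close",
                          "actioned_by": "HR Officer", "blind": True},
}

def effective_rights(position, record):
    """Highest right granted by any Security Group the Position belongs to."""
    granted = [right for group, right in RECORDS[record]["security"].items()
               if position in GROUP_MEMBERS.get(group, set())]
    return max(granted, default=Rights.NOT_USED)

def task_rights(position, task):
    """A Task's access is the Position's effective right on the owning Record."""
    return effective_rights(position, TASKS[task]["record"])

def audit_task_performers():
    """Check each 'Actioned By' Position against the 'View to Do' minimum."""
    findings = []
    for name, task in TASKS.items():
        who, record = task["actioned_by"], RECORDS[task["record"]]
        right = task_rights(who, name)
        if right == Rights.EDIT and who != record["responsible_officer"]:
            findings.append((name, who, "Edit held, View is sufficient"))
        elif right == Rights.NOT_USED and not task["blind"]:
            findings.append((name, who, "no Record access and Task is not Blind"))
    return findings

if __name__ == "__main__":
    print(audit_task_performers())
```

In the sample data the Accounts Clerk belongs to a ‘View’ group and an ‘Edit’ group, so ‘Edit’ applies and the audit reports it, while the HR Officer’s Blind Task passes with no Record access.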

Apply Security to a Record

Note: Only Positions in a Security Group with ‘Edit’ access can apply Record Security updates.

  1. Open a Record to which you have Edit access and whose security access you want to update.

    ‘Compliance Process’ Record example

  2. Select the ‘Security’ tab (1). The Security Group list is displayed.

  3. In the Security Group list:

  4. If required, click the ‘Show Members’ icon (4) to display the members of the ‘Finance’ Security Group.

  5. Repeat step 3 to update any other Security Group access.

  6. Hover over the Options icon (5) and then click the ‘Save’ icon to apply the updates.
