Security context points
Roles (defined by role templates) are granted to specific security points in the object hierarchy, and permissions for a particular role are automatically granted to all objects that are created in the same location beneath that security point. If a role is assigned to a group on a top-level Business Entity, then all users of that group would have access to that business entity and would be able to access all objects under that entity as per the permissions in the role.
By default, the installation process automatically sets Business Entity (SOXBusEntity) as the security context point within the object hierarchy at which roles can be assigned.
Example
You have a regional office called North America and a sub-regional office called United States. When you create the business entity, the folder structure /BusinessEntity/North America/United States would automatically be created.
You also created a role template called Entity Owners that has access defined for the following object types:
- Business Entity
- Process
- Sub-process
- Control Objective
- Risk
- Control
When you assign the Entity Owners role template to the United States business entity, the following structure is automatically generated under the root folder of each object type:
/Processes/North America/United States
/Sub-processes/North America/United States
/ControlObjectives/North America/United States
/Risks/North America/United States
/Controls/North America/United States
/BusinessEntity/North America/United States does not need to be generated because it already exists (it was automatically created when the business entity was initially created).
Figure 1 shows how access permissions (R=Read, W=Write, D=Delete, A=Associate) can be granted to specific objects in the hierarchy under the United States business entity security context point.
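
The following Python model is an added example, not OpenPages code or its API: it reproduces the folder mirroring and downward inheritance described above so that an access review can check which object paths a role assignment reaches. The per-type permission strings, the group name US Owners, the function names, and the rule that multiple assignments combine as a union are assumptions made for illustration.

```python
# Illustrative model of the inheritance described above; not OpenPages code.
from posixpath import normpath

ROOTS = {  # root folder per object type, as listed in the example
    "Business Entity": "/BusinessEntity", "Process": "/Processes",
    "Sub-process": "/Sub-processes", "Control Objective": "/ControlObjectives",
    "Risk": "/Risks", "Control": "/Controls",
}
# Constructed sample data: these permission strings and the group name are assumptions.
ENTITY_OWNERS = {"Business Entity": "R", "Process": "RWA", "Sub-process": "RWA",
                 "Control Objective": "RW", "Risk": "RW", "Control": "RWDA"}
ASSIGNMENTS = [("US Owners", "/BusinessEntity/North America/United States", ENTITY_OWNERS)]

def security_folders(entity_path, template):
    """Map each folder covered by a role assignment to its permission string."""
    entity_path = normpath(entity_path)
    root = ROOTS["Business Entity"]
    if not entity_path.startswith(root + "/"):
        raise ValueError("security context point must be a business entity path")
    rel = entity_path[len(root):]  # e.g. "/North America/United States"
    return {ROOTS[obj_type] + rel: perms for obj_type, perms in template.items()}

def effective_permissions(assignments, groups, object_path):
    """Permissions a user in `groups` inherits on object_path (union is a model assumption)."""
    path = normpath(object_path)  # collapse ".." so a crafted path cannot borrow a prefix
    granted = set()
    for group, entity_path, template in assignments:
        if group not in groups:
            continue
        for folder, perms in security_folders(entity_path, template).items():
            # Compare on a path-segment boundary, never a raw string prefix.
            if path == folder or path.startswith(folder + "/"):
                granted |= set(perms)
    return "".join(p for p in "RWDA" if p in granted)
```

The segment-boundary comparison matters during review: a sibling entity whose name merely begins with "United States" must not inherit the role.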

For details on assigning security management permissions to security domain group administrators, see Delegate administrator permissions.