RAP uses an inherited top-down security model. The permissions you are given at a particular level in the organisation hierarchy are inherited downwards by all subordinate levels. However, the administrator can assign a higher security privilege at any point in the hierarchy, giving complete control over your ability to see, create or modify risks and issues.
In order to allow an employee to access an organisational unit which is external to his “home” unit, permission must be granted by an administrator who has administrator privileges to both the user’s organisation unit and the target organisation unit.
Administrators and coordinators can be assigned at any level in the hierarchy, allowing the creation of devolved administrator groups. This reduces the workload of the root administrators and simplifies usage of the system by developing local expert user groups.
In a standard RAP installation, there are five access levels defined. Each access level includes all the rights of the access levels below it. The levels, in order of increasing rights, are:
Viewer – This is the lowest level of privileges in the system giving the ability to only view risks or issues.
Owner – May be assigned ownership of a risk or issue by a user with higher access but cannot actually raise one themselves.
Author – Allows the ability to raise risks or issues and to act as a risk mitigator (someone who is assigned an action on a risk/issue) in those parts of the business structure allowed by the administrator.
Coordinator – Allows the ability to modify risks/issues on which the user has no role and to view audit trail information. This role allows the business to ensure consistency of approach across the company. Some data maintenance facilities are provided by this profile.
Administrator – This profile controls the structure of the business hierarchy that is modelled by the system. An administrator can assign user privileges and carry out data maintenance activities.
Regardless of their access level, all users may maintain risks for which they are the author or the owner. They may also edit any actions assigned to them.
Each user may be given one of the above access levels to one or more nodes in the organisation unit hierarchy. Each node will automatically inherit the access rights of its parent.
The 'owner' access level is designed for those who wish to allow only a small set of users to raise risks/issues whilst still allowing a large number of users to own risks.
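The following is an added illustration of the inheritance and cross-unit rules described above; it is not RAP's own code. The unit names, users and function names are constructed, and it assumes that a user's effective level at a node is the highest level assigned anywhere on the path from that node up to the root.

```python
from enum import IntEnum

class Level(IntEnum):  # the five levels, in order of increasing rights
    NONE = 0           # assumption: no assignment anywhere on the path
    VIEWER = 1
    OWNER = 2
    AUTHOR = 3
    COORDINATOR = 4
    ADMINISTRATOR = 5

# Constructed hierarchy: child -> parent (None marks the root).
PARENT = {"Company": None, "Engineering": "Company",
          "Finance": "Company", "Platform": "Engineering"}

# Constructed assignments: user -> {node: level}.
GRANTS = {
    "alice": {"Company": Level.VIEWER, "Platform": Level.AUTHOR},
    "bob": {"Engineering": Level.ADMINISTRATOR},
    "carol": {"Company": Level.ADMINISTRATOR},
    "dave": {"Finance": Level.OWNER},
}
HOME = {"alice": "Engineering", "dave": "Finance"}  # constructed home units

def effective_level(user, node):
    # Walk from the node to the root, keeping the highest level seen.
    best = Level.NONE
    while node is not None:
        best = max(best, GRANTS.get(user, {}).get(node, Level.NONE))
        node = PARENT[node]
    return best

def can_raise(user, node):
    # Author and above may raise risks/issues; Owner and Viewer may not.
    return effective_level(user, node) >= Level.AUTHOR

def can_grant_cross_unit(admin, user, target):
    # The granting administrator needs Administrator rights on both the
    # user's home unit and the target unit.
    return all(effective_level(admin, n) == Level.ADMINISTRATOR
               for n in (HOME[user], target))

def can_edit_risk(user, risk):
    # The author or owner of a risk may maintain it regardless of level;
    # anyone else needs Coordinator or above at the risk's node.
    if user in (risk["author"], risk["owner"]):
        return True
    return effective_level(user, risk["node"]) >= Level.COORDINATOR
```

Reviewing a table like `GRANTS` with `effective_level` shows what each assignment implies for every subordinate unit, which is where over-broad access in an inherited model usually hides.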