Symbiant Knowledge Base Assigning Roles and Divisions

The third thing to do when setting up your Symbiant system will be to assign roles and a division to users. Roles are how we limit record access and system controls.

Accessing Users #

Navigate to Setup by selecting the spanner at the bottom left.

Select Users,

Select a user you want to add a role and division to,

Role Explanation #

The below image describes the basic principle of how Roles work within the system.
(Note: Where it says Module – replace that with the relevant Module. E.G if it was for the Controls module it would be Module General Viewer = Control General Viewer)

General Role Use Cases:

module_admin – Has admin privileges (complete access) to all items within that module alone.
module_manager – Can manage records within the module but not items like drop-down lists or items in stubs.
module_record_owner – A user who has ownership permissions over a record in the module (usually something that they created).
module_record_owner_admin – A user who has ownership Admin permissions over a record in the module (They can delete their owned records).
module_action_assignee– The user can have actions assigned to them typically regarding Reviews.
module_general_viewer – General Read Only access to a module.

Divisional Role Use Cases:

module_div_admin – Has complete access to all records only within the user’s division and its subsidiary divisions within the module.
module_div_manager – Can see and manage records within the user’s division and its subsidiary divisions but cannot delete items.
module_div_viewer – Divisional and subsidiary divisional Read Only access to a module.

(Note: Where it says Module – replace that with the relevant Module. E.G if it was for the Controls module it would be Module General Viewer = Control General Viewer)

Assigning a Role #

Select which Role to assign to the User,

At least one User Role is required,

(Critical Note: Unless an ‘admin’, a user will need to be assigned a single appropriate role in each module they are using otherwise they will lack the required permissions to use that module (i.e. a user assigned risk_admin will not be able to interact with another module until given an appropriate role in that module!))

If you’d like to Divisionally Restric data you MUST assign a Divisional (div) Role,

(Critical Note: When assigning roles, ensure to avoid assigning two roles from the same module (i.e. audit_action_assignee and audit_div_viewer) to the same user. This will create errors in viewing and may impact permissions!)

Role Example (1) #

In the below example, the User would have,

Module-Specific Admin Permissions

(Read Module Records, Edit Module Records, Delete Module Records, Query (Reports) Module Records)

For the following Modules: Risk and Controls.

Role Example (2) #

In the below example, the User would have,

Risk Divisional Manager Permissions and Audit Manager Permissions

Risk: (Create Divisional Records, Read Divisional Records, Edit Divisional Records, Query (Reports) Divisional Records)

Audit: (Create Records, Read Records, Edit Records, Query (Reports) Records)

For the following Modules: Risk and Audit

(Please Note, This user would be bound by Division ONLY for Risk, as the Audit Role is Non-Divisional)

Role Example (3) #

In the below example, the User would have,

Action Assignee Permissions

(Read Assigned Records, Edit Assigned Records, Query (Reports) Assigned Records)

For the following Modules: Risk, Audit and Controls.

Role Example (4) #

In the below example, the User would have,

Full System Admin

(Ability to do everything, Including Edit the System Itself)

For the following Modules: All Installed Modules

Beware of Role Collisions #

In the below example, this will cause a Role Collision when the roles of Risk Admin and Risk Action Assignee are given to the same user together.

This is because the Risk Admin role has higher permissions than the Assignee,

Therefore directly adding the Assignee role will restrict the Risk Admin as the Action Assignee would.

It is highly advised to assign ONE role per Module to each User.

Assigning a Division #

Select which Division to assign to the User,

At least one Division is required,

Ensure you only assign the highest level division that a user requires.

If they sit in an entire department set them as that department, not each team within

(Critical Note: Divisional Record Restriction ONLY works with a Divisional Role also assigned to the User)

Division Example (1) #

In the below example, the User would have,

Divisional Risk, Audit and Control Admin

They’d have Divisional Access to Symbiant (And all Subsidiaries)

(Note: As Symbiant is the Root division you’d have Divisional Access to everything in and under Symbiant)

Division Example (1.1) #

In the below example, the User would have,

Divisional Risk, Audit and Control Admin

They’d have Divisional Access to Symbiant/UK/Sales (And all Subsidiaries)

(Note: As Sales is a Subsidiary you’d only have Divisional Access to everything in and under Sales)

(Critical Note: You can’t access anything higher than your assigned division (Only in and under))

Division Example (1.2) #

In the below example, the User would have,

Divisional Risk, Audit and Control Admin

They’d have Divisional Access to Symbiant/UK/Sales/Team A (And all Subsidiaries)

(Note: As Team A is a Subsidiary you’d only have Divisional Access to everything in and under Team A)

(Critical Note: You can’t access anything higher than your assigned division (Only in and under))

Division Example (2) #

In the below example, the User would have,

Divisional Risk, Audit and Control Viewer (A Read Only Role)

They’d have Divisional Access to Symbiant/UK/Sales/Team A (And all Subsidiaries)

As well as Divisional Access to Symbiant/US/Sales (And all Subsidiaries)

(Note: Users can be within multiple Divisions, across Subsidiary and even Root Divisions)

Division Example (3) #

In the below example, the User would have,

Divisional Risk Manager

They’d have Divisional Access to Symbiant/UK (And all Subsidiaries)

As well as Divisional Access to Symbiant/US (And all Subsidiaries)

(Note: Users can be within multiple Divisions, across Subsidiaries and even Root Divisions)

Division Example (4) #

In the below example, the User would have,

Divisional Risk Admin

They’d have Divisional Access to Symbiant/UK/Sales/Team A (And all Subsidiaries)

They’d have Divisional Access to Symbiant/Uk/Sales/Team B (And all Subsidiaries)

(Note: The user has been assigned all subsidiary divisions of Sales, yet they still won’t see anything in Sales as it’s still higher!)

Saving Users Roles and Divisions #

Once you have completed assigning roles and a division, save at the top right.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

System Setup

SAML Single Sign On

Risk Registers (System Setup)

Assigning Roles and Divisions

Accessing Users #

Role Explanation #