Configure Field Level Security

Configurable forms contained within the system (e.g. the Control form) can employ field-level security. Field-level permissions are available on all configurable fields, but are primarily available to enable in-line editing of list-based forms, where fields pertaining to multiple sections of a form appear in a single list that must be distinguished on a field-by-field basis. By default, fields are governed by the permission types that correspond to the section of the form in which a given field appears.

It should only be necessary to update field-level security to address specific security concerns. For example, the Control Evaluation section of the control form is governed by the Control - Edit Evaluation permission type. The administrator, however, could bind the Control Evaluator field found on this form to the Control - Edit Attributes permission type. In this case, a user assigned to a role with the Control - Edit Evaluation permission type would be able to switch the Control Evaluation section of the form into edit mode, but the Control Evaluator field would remain non-editable, thus not allowing an assigned evaluator to re-assign the evaluation to someone else.

Access the appropriate configuration form:
- Organization/Process Configuration Forms
  1. Select the Default GRC context from the context menu.
  2. Click the GRC Register tab.
  3. Select Entity Hierarchy from the Frameworks group.
  5. Expand the Organization Unit node and select the desired organization.
    Note: Click Configure in the Organizational Unit, Process Model, or Child Organizations sections to configure the respective forms.
  6. Select a process from the Process Model section.
    Note: Click Configure in the Process, Process Financial Elements, or Child Processes sections to configure the respective forms.
- RCM Configuration Forms
  1. Select the Default GRC context from the context menu.
  2. Click the GRC Register tab.
  3. Select Entity Hierarchy from the Frameworks group.
  4. Expand the Organizational Unit node and select the appropriate Organization and Process whose RCM is to be configured.
  5. Double-click the RCM you wish to view or right-click and select View Object. The RCM page will appear in the window on the right-hand side of the screen.
  6. Click Configure in the appropriate section (e.g. attributes or evaluation) or click the object name (e.g. objective, risk, control, test) and then click Configure.
- Action Plan or Review Configuration Form
  1. Select the Default GRC context from the context menu.
  2. Click the GRC Register tab.
  3. Select Entity Hierarchy from the Frameworks group.
  4. Expand the Organizational Unit node and select the appropriate Organization or Process.
  5. Click on the Documentation Status or RCM Status links for the selected organization or process, which serves as a link to the Documentation or RCM for that entity
  6. Select the desired configurable form within the Documentation or RCM (e.g. action plans or reviews)
  7. Within the desired form (e.g. click on a particular action plan listed to open the action plan form), click Configure.
- Custom Entity Configuration Form
  1. Select the Default GRC context from the context menu.
  2. Click the GRC Register tab.
  3. Select Entity Hierarchy from the Frameworks group.
  4. Right-click on a custom entity within one of the five custom entity folders and click View Object.
  5. Within the Custom Entity form, click Configure.
  Note: This will only configure the form for the entities that exist under top-level entity folder from where you configured the entity. For instance, if you configured an entity form under Custom Entity 5, all other forms under this folder would also be configured in the same manner.
- Task Form
  1. Access a task.
  2. WIthin the task form, click Configure.
Click the field name where you want to establish restricted security.
Click the View Only drop-down list and select one of the following options:
- True - even if the form is switched to edit mode, the field will remain un-editable
- False - the field will always be editable when the form is switched to edit mode
- Set to a specific permission type - when the form is switched to edit mode, the field will only be editable if a user is associated to a role with the given permission type.
  Note: In the Risk and Control forms, users can configure fields to be editable by permission type depending on a user-defined boolean (check box) field. The configured field is editable when the boolean field is true (checked), and view-only when the boolean is false (unchecked).
Click Submit.
Click Save.