
Portfolios and Permissions in Essential Compliance

How Portfolios and Permissions work in Essential Compliance. Portfolios can be used to restrict user access to sensitive data and/or to create an easier experience for users by restricting their view to their own team workspace and data.

Written by Gagan

Portfolios

All compliance resources (obligations, policies, controls, evidence tasks) can be saved into locked portfolios. Portfolios are created by admin users and then used to control data visibility:

  • Standard Users only see resources in the portfolios they have been granted access to.

  • Note that compliance resources saved into the "general" portfolio will be visible to all system users with compliance permissions.

  • Admin Users have access to all portfolios by default.

  • Resources in inaccessible portfolios appear as "Restricted Resource" with no clickable link. For example, if a user has access to a control with attached obligations, but one of the obligations is in a restricted portfolio that they don't have access to, the name of the obligation will be replaced by "Restricted Resource" and the user will not be able to click through to view its details.

  • When a new sub-resource is created from a parent (e.g., a sub-policy from a policy), it defaults to the parent's portfolio. The portfolio can subsequently be changed on the sub-resource's details screen (parents and children do not need to be in the same portfolio).

User Roles

Feature

Admin

Standard

View consoles and details screens

Create, edit, delete resources

Manage Frameworks (create, edit, delete, merge)

Manage Themes

Configure details screen sub-sections

Set controls to Active (when admin toggle restricts this)

User Permissions

Client Admin Users can further manage/restrict the permissions of Standard Users in Essential Compliance through the Admin\Users & Permissions\Permissions screen:

  • Deleting resources - when set to "Yes" (default), Standard Users can delete resources they have access to (based on portfolio restrictions) throughout the Essentials Platform. This includes deleting obligations, policies, controls and evidence tasks.

  • Setting Controls to "Active" - when set to "Yes" (default), Standard Users can set mitigations (controls) to active status (approved). When set to "No", new mitigations (controls) will be in "inactive" status and can only be set to active status by Admin Users.

