Roles, Rights and Permissions
CERRIX uses a role-based access model to manage who can view, edit, and approve information across the platform. This ensures that every user only has access to the functions and data they need for their responsibilities, supporting both data security and efficient collaboration.
Roles and Permissions in CERRIX
Each user is assigned one or more roles, which define their level of access. Roles are aligned with common responsibilities in governance, risk, compliance, audit, and incident management. Permissions specify what a role can do within a module.
Permission Matrices per Module
CERRIX provides a Permission Matrix for each key module. These matrices are the authoritative reference for configuring and validating user rights. In the matrix sheet:
Each row lists a specific action (e.g., Can report new incidents, Can delete risks).
Each column represents a role (e.g., Risk Unrestricted Admin, Incident Assessor).
The cells indicate whether the role has the permission and the scope of that permission (Unrestricted, Restricted, or Assigned).
Unrestricted means that the user has rights across all organizations.
Restricted means that the user has rights for a specific organization.
Incidents Permission Matrix
Event Unrestricted Administrator
Full access to all event-related functionality and visibility across all organizations.
Event Restricted Administrator
Similar to the Unrestricted Administrator, but limited to their own organization (and its daughter organizations) and without access to standing data.
Event Assessor
Full editing rights (in the statuses Awaiting acceptance and Ready for review) for events assigned to them.
Event Responsible
Editing rights (in status Awaiting improvements) for assigned events, except for user assignments.
Event Reporter
Can report new events for any organization in CERRIX.
Event Informed
View-only access to events where the user is assigned.
Event Unrestricted Viewer
View-only access to all events, across all organizations.
Event Restricted Viewer
View-only access to events within the user’s own organization (and its daughter organizations).
You can see which permissions these roles have in this permission matrix:
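To make the scope semantics concrete, here is an added Python sketch of how such a matrix lookup can be evaluated. It is illustrative code written for this page, not CERRIX's own implementation or its official matrix sheet: the organization tree, user and event records are constructed sample data, and the cell values in EVENT_MATRIX are inferred from the role descriptions above (for example, the Assessor and Responsible status gates, and the Responsible role's exclusion from user assignments), so treat them as assumptions rather than the authoritative matrix.

```python
from dataclasses import dataclass

# Constructed sample organization tree (child -> parent); "Group" is the root.
ORG_PARENT = {
    "Group": None,
    "Bank NL": "Group",
    "Bank NL Retail": "Bank NL",
    "Bank BE": "Group",
}

UNRESTRICTED = "Unrestricted"  # rights across all organizations
RESTRICTED = "Restricted"      # rights in the user's own organization and its daughters
ASSIGNED = "Assigned"          # rights only on items the user is assigned to

# Events matrix: action -> role -> scope. Cell values are inferred from the role
# descriptions and are assumptions, not the official permission matrix.
EVENT_MATRIX = {
    "view event": {
        "Event Unrestricted Administrator": UNRESTRICTED,
        "Event Restricted Administrator": RESTRICTED,
        "Event Unrestricted Viewer": UNRESTRICTED,
        "Event Restricted Viewer": RESTRICTED,
        "Event Assessor": ASSIGNED,
        "Event Responsible": ASSIGNED,
        "Event Informed": ASSIGNED,
    },
    "edit event": {
        "Event Unrestricted Administrator": UNRESTRICTED,
        "Event Restricted Administrator": RESTRICTED,
        "Event Assessor": ASSIGNED,
        "Event Responsible": ASSIGNED,
    },
    "assign users": {
        "Event Unrestricted Administrator": UNRESTRICTED,
        "Event Restricted Administrator": RESTRICTED,
        "Event Assessor": ASSIGNED,
    },
    "report event": {
        "Event Unrestricted Administrator": UNRESTRICTED,
        "Event Restricted Administrator": RESTRICTED,
        "Event Reporter": UNRESTRICTED,
    },
    "manage standing data": {
        "Event Unrestricted Administrator": UNRESTRICTED,
    },
}

# Workflow statuses in which the Assigned editing roles may change an event.
EDIT_STATUSES = {
    "Event Assessor": {"Awaiting acceptance", "Ready for review"},
    "Event Responsible": {"Awaiting improvements"},
}
VIEW_ACTIONS = {"view event"}  # status gates never restrict viewing


@dataclass(frozen=True)
class User:
    name: str
    org: str
    roles: frozenset


@dataclass(frozen=True)
class Event:
    event_id: int
    org: str
    status: str
    assignees: frozenset  # names of users assigned to this event


def org_subtree(root: str) -> set:
    """Return root plus every organization below it in ORG_PARENT."""
    members = {root}
    changed = True
    while changed:
        changed = False
        for org, parent in ORG_PARENT.items():
            if parent in members and org not in members:
                members.add(org)
                changed = True
    return members


def is_allowed(user: User, action: str, event: Event) -> bool:
    """Grant if any of the user's roles holds the action at a scope covering the event."""
    cells = EVENT_MATRIX.get(action, {})
    for role in user.roles:
        scope = cells.get(role)
        if scope is None:
            continue  # role has no cell for this action: deny for this role
        if scope == UNRESTRICTED:
            return True
        if scope == RESTRICTED and event.org in org_subtree(user.org):
            return True
        if scope == ASSIGNED and user.name in event.assignees:
            gate = EDIT_STATUSES.get(role)
            if action in VIEW_ACTIONS or gate is None or event.status in gate:
                return True
    return False


# Constructed sample users and events.
USERS = {
    "alice": User("alice", "Bank NL", frozenset({"Event Restricted Viewer"})),
    "bob": User("bob", "Bank BE", frozenset({"Event Informed"})),
    "carol": User("carol", "Bank BE", frozenset({"Event Assessor"})),
    "dave": User("dave", "Group", frozenset({"Event Unrestricted Administrator"})),
    "erin": User("erin", "Bank BE", frozenset({"Event Reporter"})),
    "frank": User("frank", "Bank NL", frozenset({"Event Responsible"})),
    "grace": User("grace", "Bank NL", frozenset({"Event Restricted Administrator"})),
}
EVENTS = {
    1: Event(1, "Bank NL Retail", "Awaiting acceptance", frozenset({"carol"})),
    2: Event(2, "Bank BE", "Awaiting improvements", frozenset({"bob", "frank"})),
}

if __name__ == "__main__":
    for name, action, eid in [("alice", "view event", 1), ("alice", "view event", 2),
                              ("carol", "edit event", 1), ("frank", "assign users", 2)]:
        print(f"{name:6} {action:20} event {eid}: {is_allowed(USERS[name], action, EVENTS[eid])}")
```

The check is deny-by-default: a role that has no cell for an action contributes nothing, and only a cell whose scope actually covers the target (all organizations, the user's organization subtree, or an explicit assignment) grants access. Keeping the matrix as data, separate from the evaluation logic, mirrors the idea that the matrix sheet is the authoritative reference and lets you review or diff it without reading code.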
Risks Permission Matrix
Risk Unrestricted Administrator
The Unrestricted Administrator has unrestricted read and write rights and can add entries to catalogues.
Risk Restricted Administrator
The Restricted Administrator has restricted read and write rights for their own organization.
Risk Unrestricted Writer
The Unrestricted Writer has write rights for the entire organization.
Risk Restricted Writer
The Restricted Writer has write rights for their own organization.
Risk Unrestricted Viewer
The Unrestricted Viewer has view rights for the entire organization.
Risk Restricted Viewer
The Restricted Viewer has read rights for their own organization.
You can see which permissions these roles have in this permission matrix:
Controls Permission Matrix
Control Unrestricted Administrator
The Unrestricted Administrator is responsible for setting up and maintaining a complete overview of the Controls module across all organizations. This role grants full visibility and editing rights on all controls, as well as access to all standing data in the module. The user can also be assigned to any role within testing activities.
Control Restricted Administrator
The Restricted Administrator can also set up and maintain the overview of controls, but is limited to the controls of their own organization. The Restricted Administrator can also be selected for every testing role within their own organization.
Control Unrestricted Writer
The Unrestricted Writer has full write permissions for the Controls module across all organizations. They can create, edit, and delete controls but have no testing-related permissions.
Control Restricted Writer
The Restricted Writer can create, edit, and delete controls within their own organization. Similar to the Unrestricted Writer, this role does not include any testing rights.
Control Unrestricted Viewer
The Unrestricted Viewer can open and view all controls across all organizations in read-only mode. This role has no editing or testing permissions.
Control Restricted Viewer
The Restricted Viewer can open and view controls only within their own organization in read-only mode. This role has no editing or testing permissions.
Control Evidence Uploader
The Evidence Uploader can be assigned in test plans for both Design & Implementation and Effectiveness testing. This role is responsible for uploading and maintaining supporting evidence used during control testing.
Control Tester
The Tester is responsible for executing both Design & Implementation and Effectiveness testing. This role carries out control tests and documents the test results.
Control Reviewer
The Reviewer evaluates and approves the results of Effectiveness testing. This role is responsible for reviewing the tester’s work and ensuring that control assessments are complete and accurate.
Control Testplan Creator
The Test Plan Creator is responsible for designing and maintaining test plans for both Design & Implementation and Effectiveness testing. This role can also manage the corresponding test catalogues.
Control Executor
The Control Executor is responsible for performing the operational execution of controls as defined in the system. This role records the performance results and can upload relevant evidence demonstrating that the control has been executed according to plan.
You can see which permissions these roles have in this permission matrix:
Control Effectiveness Testing Permission Matrix
The role descriptions for Control Effectiveness Testing are the same as those for the Controls.
You can see which permissions these roles have in this permission matrix: