User Roles¶
User roles classify end users by their function within the organization. Unlike agent roles, which control platform permissions, user roles are primarily used for approval routing, organizational designation, and compliance role tracking.
Navigation
Configuration > Users > User Roles on the GRC-ITSM website navigation.
Pre-Configured Roles¶
The GRC-ITSM platform includes user roles designed to support both ITSM operations and GRC-specific functions.
Approval Roles¶
These roles determine who receives approval requests at the organizational level. When an approval process step routes to "all approvers with a role," the platform looks up users assigned these roles and sends the approval to them.
| Role | Purpose |
|---|---|
| Access Approver | Receives user access request approvals. This is the designated point of contact who authorizes onboarding, offboarding, and access modifications for the organization |
| Change Approver | Receives change request approvals. Authorizes system changes, configuration updates, and deployments |
| Deviation Approver | Receives vulnerability deviation approvals. Authorizes deviations from standard remediation SLAs (false positives, risk adjustments, operational requirements) |
These roles are the second stage of the two-stage approval workflow: the Change Advisory Board (CAB) reviews and approves first, then the request is routed to the user with the corresponding approval role for final organizational sign-off.
See the Approval Processes admin guide for details on how approval routing is configured.
Compliance & Governance Roles¶
These roles designate individuals with specific compliance responsibilities within the organization. They are documented in the System Security Plan (SSP) and are referenced during audits and assessments.
| Role | Purpose |
|---|---|
| ISSO | Information System Security Officer. The individual responsible for ensuring the security posture of the information system. Required to be identified in the SSP per PL-2, which requires identifying individuals who fulfill system roles and responsibilities |
| System Owner | The individual responsible for the overall procurement, development, integration, modification, operation, and maintenance of the information system. Identified in the SSP and responsible for the authorization package |
| Incident POC | Incident Response Point of Contact. The designated individual to be notified during security incidents. Supports FedRAMP IR-6 (Incident Reporting) and the FedRAMP Incident Communications Procedures, which require timely incident notification to designated points of contact |
| Account Manager | The organizational point of contact for account and relationship management |
Incident Response Roles
The Incident POC, ISSO, and System Owner roles are particularly important for incident response. When a security incident occurs, these are the individuals who need to be notified and involved. The Incident Response playbook references these roles as part of the IRT (Incident Response Team) notification chain. Each organization should have these roles assigned to ensure incidents are reported to the right people within the required timeframes.
Operational Roles¶
| Role | Purpose |
|---|---|
| ConMon User | Identifies users involved in the continuous monitoring process. Can receive notifications and reports related to ConMon activities |
| Standard User | The default role for general end users with no special designation. Standard portal access for submitting and tracking tickets |
How User Roles Are Used¶
Approval Routing¶
The primary function of approval roles is controlling who receives approval requests. When an approval process step is configured to route to users with a specific role, the platform finds all users assigned that role and sends the approval to them.
For example, the User Access Approval process routes its second step to "all users with the Access Approver role," ensuring the correct organizational point of contact receives the access request for final authorization.
Compliance Documentation¶
Roles like ISSO, System Owner, and Incident POC serve as a living record of who holds these designations. Rather than maintaining a separate spreadsheet of role assignments, the platform tracks them directly on user records, where they can be reported on and audited.
Notifications and Escalation¶
Roles can be used to target notifications. For example, email rules or ticket rules can be configured to notify all users with the Incident POC role when a critical incident ticket is created.
Assigning Roles¶
User roles are assigned on the individual user's record:
- Navigate to the user's profile
- Assign the appropriate role(s)
- For approval roles, ensure the user also has the "can partake in approvals" permission enabled on their profile
Approval Permission
Assigning an approval role alone is not sufficient for the user to receive approvals. The user must also have the approval participation permission enabled on their profile. Without this, they will not appear in the approval routing even if they hold the correct role.
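The following is an added illustration of the routing rules described above (the two-stage CAB-then-role workflow under Approval Roles, the role lookup under Approval Routing, the Incident POC notification rule, and the approval-permission gate in this note). It is not the GRC-ITSM platform's own code: the `User` model, the field name `can_partake_in_approvals`, the request-type keys, and the function names are assumptions, and the user directory is constructed sample data. The point it makes concrete is the one this note warns about: a user who holds an approval role but lacks the participation permission is silently dropped from routing, so the example also reports such users so an administrator can catch the misconfiguration before a request stalls.

```python
"""Role-based approval routing with the approval-participation gate.

Added illustration; data model and function names are assumptions,
not the GRC-ITSM platform's own API.
"""
from dataclasses import dataclass

# Request type -> user role that gives final organizational sign-off.
# Role names are the pre-configured approval roles; the keys are assumed.
APPROVAL_ROLE_FOR = {
    "user_access": "Access Approver",
    "change": "Change Approver",
    "vulnerability_deviation": "Deviation Approver",
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()
    # Assumed field for the "can partake in approvals" profile permission.
    can_partake_in_approvals: bool = False


def users_with_role(users, role):
    """Plain role lookup: every user holding `role`, no permission check.
    This is what notification targeting (e.g. Incident POC) needs."""
    return [u.name for u in users if role in u.roles]


def resolve_approvers(users, role):
    """Users who hold `role` AND have the participation permission.
    Only these appear in approval routing."""
    return [u.name for u in users
            if role in u.roles and u.can_partake_in_approvals]


def misconfigured_role_holders(users, role):
    """Users who hold an approval role but lack the participation permission:
    they carry the designation but will never receive a request."""
    return [u.name for u in users
            if role in u.roles and not u.can_partake_in_approvals]


def route_request(users, request_type, cab_approved):
    """Two-stage routing: the CAB reviews first; only after CAB approval is
    the request sent to the organizational role holders for final sign-off."""
    role = APPROVAL_ROLE_FOR[request_type]
    if not cab_approved:
        return {"stage": "cab", "role": role, "recipients": []}
    recipients = resolve_approvers(users, role)
    if not recipients:
        # Surface the gap instead of letting the request sit with nobody to act.
        raise LookupError(
            f"no eligible approvers for role {role!r}; "
            f"role holders missing permission: {misconfigured_role_holders(users, role)}")
    return {"stage": "organizational", "role": role, "recipients": recipients}


def incident_notification_recipients(users, ticket):
    """Assumed ticket rule: notify every Incident POC when a critical incident
    ticket is created. `ticket` is a dict with 'type' and 'priority' keys."""
    if ticket.get("type") == "incident" and ticket.get("priority") == "critical":
        return users_with_role(users, "Incident POC")
    return []


# Constructed sample directory (not real users).
SAMPLE_USERS = [
    User("alice", frozenset({"Access Approver", "ISSO"}), True),
    User("bob", frozenset({"Access Approver"}), False),   # role held, permission missing
    User("carol", frozenset({"Change Approver", "Incident POC"}), True),
    User("dave", frozenset({"Standard User"})),
]

if __name__ == "__main__":
    print(route_request(SAMPLE_USERS, "user_access", cab_approved=False))
    print(route_request(SAMPLE_USERS, "user_access", cab_approved=True))
    print("role without permission:", misconfigured_role_holders(SAMPLE_USERS, "Access Approver"))
    print(incident_notification_recipients(SAMPLE_USERS, {"type": "incident", "priority": "critical"}))
```

In the sample, bob holds the Access Approver role but not the participation permission, so the access request reaches only alice; a Deviation Approver request raises because nobody holds that role at all. Running `misconfigured_role_holders` for each approval role as a periodic check is a cheap way to find users who were given the role during onboarding but never had the permission enabled.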
Creating Custom Roles¶
Additional roles can be created to match organizational needs:
- Navigate to Configuration > Users > User Roles
- Click New
- Set the role name and configure any associated settings
- Save the role
Custom roles can be used for any organizational classification, approval routing, or notification targeting purpose.