V5.

Security User Manual

BarnOwl Management Console Risk Management Module

BarnOwl Security User Manual v5.2

Table of Contents
1. 2.
2.1 2.2 2.2.1 2.3 2.3.1 2.3.2 2.3.3 2.4 2.4.1 2.4.2 2.4.3 2.5 2.5.1 2.5.2 2.5.3 2.5.4 2.5.5 2.5.6 2.5.7 2.6

Introduction to BarnOwl Security .......................................................... 3 Users and Groups within BarnOwl Server Management Console .............. 4
Users Capturing Users ................................................................................... 4 Groups Capturing Groups .............................................................................. 5 Assigning Group to a User............................................................................. 5 BarnOwl Security Properties/Application Permissions ....................................... 6 Security Properties Application Permissions .................................................. 6 Application Permission mapping .................................................................... 7 Application or Web permission error .............................................................. 7 Security Properties General Permissions .......................................................... 8 General Permission mapping ........................................................................ 8 General permissions overview ....................................................................... 8 Risk category tree and Template tree permissions ...................................... 10 Security Properties Risk Management permissions ........................................ 11 Unit based permissions flowchart rules........................................................ 11 Permissions not set check box .................................................................... 12 Hierarchical Permissions for Units within Risk Management Module ........... 12 Assigning Unit Permissions ......................................................................... 13 Remove or Restrict User rights/permissions ................................................ 14 Group Inheritance ........................................................................................ 15 Risk Management permission overview....................................................... 15 Report permissions ......................................................................................... 17

3.

Security Properties Internal Audit permissions .................................... 18

3.1 Internal Audit permissions ............................................................................... 18 3.1.1 Project Internal Audit Permissions ............................................................... 19 3.1.2 Internal Audit permission overview .............................................................. 21 3.1.3 Internal Audit report permissions ................................................................. 25

4.

BarnOwl Support ................................................................................ 26

Page 2 of 26 BarnOwl Security User Manual v5.2

1. Introduction to BarnOwl Security

BarnOwl security is administered in three areas within BarnOwl: User and group generic permissions are administered in the Server Management Console. Permissions pertaining to specific units in the organisational structure tree are administered in the risk management module. Internal Audit permissions pertaining to specific processes in the process tree are administered in the risk management module. By hovering over the icons on the login screen, the text above will change to indicate the application it maps to.

Page 3 of 26 BarnOwl Security User Manual v5.2

2. Users and Groups within BarnOwl Server Management Console

Users and groups are the two entities that can be granted permissions in BarnOwl. Users can be assigned to groups thereby inheriting their permissions. Groups can be used to represent geographic groupings or role groupings of users. Using groups, users can be assigned non explicit permissions.

2.1 Users Capturing Users

This allows the administrator to: capture new users assign basic security permissions.
Step 2 Select users G

Step 6 Save Step 3 Select New

Step 5 Capture type of authentication

Step 4 Capture detail

Step 1 Select Security

Page 4 of 26 BarnOwl Security User Manual v5.2

2.2 Groups Capturing Groups

Groups can be used to represent geographic groupings or role groupings of users. Users that have adopted permissions from groups can have these rights revoked. This is done by assigning the user no rights to a specific unit. Similarly a user that has been explicitly prevented from a certain general or application permission, though has adopted this permission from a group will not be allowed to access the related section of the system. A user can also be granted additional rights over and above the rights of the user group. This will be discussed in greater detail later in the manual. Users that are part of multiple groups will adopt permissions from all of the groups that they are assigned to using a logical OR operation. i.e. if Group1 does not have permission but Group 2 does and the users are a member of both these groups, the user will have the permission granted to them.

Step 2 Select New Step 1 Select Groups

Step 3 Capture detail Save & Close

2.2.1 Assigning Group to a User

After Groups have been captured they can be assigned to users within their permissions by simply selecting the group to be assigned.
Step 1 Select Users

Step 2 Double click or edit user

Step 4 Save & Close

Step 3 Group Member Properties Select applicable group member

Page 5 of 26 BarnOwl Security User Manual v5.2

2.3 BarnOwl Security Properties/Application Permissions

This section will provide detail on the Application, General Access, Unit (Risk Management) and Process based permissions for users and groups.

2.3.1 Security Properties Application Permissions

Application permissions refer to a users rights to access different modules of the BarnOwl Suite of applications. Using these permissions a security administrator can restrict users access to the different modules. For example a company may only own a 5 BarnOwl user license but is still allowed to make use of the Web voting and action plan components. The security administrator would have to capture the web access only users and only give them Web Voting Access and Web Action Plan Access permissions. It is important to remember that Application permissions are overridden by the BarnOwl license key based on which modules are purchased. Although you may be able to grant permissions to access the Internal Audit module, if your license key does not grant Internal Audit access, access to this module will be denied.
Step 1 Select and Edit User Step 4 Save & Close

Step 2 Select Security Properties

Step 3 Select Application permissions as per the Application Permission map below

Page 6 of 26 BarnOwl Security User Manual v5.2

2.3.2 Application Permission mapping

The following application permissions as seen in Figure 3.1 exist in BarnOwl: Permission Risk Management Client Access Management Console Access Internal Audit Client Access Synchronisation Client Access LDAP Integrator Access Loss Event Client Access Web Voting Access Web Action Plan Access Logging Console Access Business Intelligence Access BarnOwl Lite Access Surveys Client Access Description Allows users to access the Risk Management client. Allows users to access the Server Management Console. Allows users to access the Internal Audit client Allows users to access the Synchronisation client. Allows users to access the LDAP Integrator client. Allows users to access the yet to be implemented loss event client. Allows users to access the web voting. Allows users to access the web action plan. Allows users to the logging console Allows users to access the BarnOwl Business Intelligence section where the user can populate the BI Warehouse Allows user to access the web based BarnOwl Lite Module Allows user to access the Surveys Client

2.3.3 Application or Web permission error

When a user without Application permission tries to access a module of BarnOwl the following message will be displayed. Application permissions access error for window client

Web permissions access error for web client

Page 7 of 26 BarnOwl Security User Manual v5.2

2.4 Security Properties General Permissions

General permissions provide security users with the ability to grant non unit driven permissions to users. Most of BarnOwl permissions are assigned to Units in the organisational structure from within the Risk Management module. General permissions are setup in the server management console. Using the general permissions users can be restricted from certain sections in server management console, template tree and risk category tree. The mapping below shows the mapping of general permissions to sections of the server management console.

2.4.1 General Permission mapping

2.4.2 General permissions overview

Permission Write Unit Description A user with Write Unit permissions is able to capture or edit any unit across the organizational structure in Risk Management. In the new release of BarnOwl the writing of units or deleting of units can be specified at unit permission level. Delete Unit release of BarnOwl A user with Delete Unit permissions is able delete any unit the writing of units or deleting across the organizational structure in Risk Management. In of units can be specified at unit the new permission level. Maintain Template Tree

Page 8 of 26 BarnOwl Security User Manual v5.2

General Setup

Risk Management Setup

Audit Planning Setup Audit Execution Setup Security Setup

A user with General Setup is able to access the General Setup tab from within the Server Console. A user must have this permission in order to view this tab. This permission also grants the user permission to run the System User Report from within the server console A user with Risk Management Setup is able to access the Risk Management tab from within the Server Console. A user must have this permission in order to view this tab. This permission has been replaced by the Internal Audit Setup permission as indicated below. This permission has been replaced by the Internal Audit Setup permission as indicated below. A user with Security Setup is able to access the Security tab from within the Server Console. A user must have this permission in order to view this tab. The user will be able to add and delete users as well as add / delete groups and add members to groups. However, unless the user is an administrator, he/she will not be able to add another user to the administrators group. Users also require this permission to view the BarnOwl user reports in the sever console. A user with Internal Audit Setup is able to access the Internal Audit tab from within the Server Console. A user must have this permission in order to view this tab. A user with Loss Events Setup is able to access the Loss Event tab from within the Server Console. A user must have this permission in order to view this tab. A user with Utilities Setup is able to access the Utilities tab from within the Server Console. A user must have this permission in order to view this tab. In order for a user to access the Risk Category panel from within Risk Management, he/she must have this permission. If the user does not have this permission they may not access this panel. The read template data permission allows users to read data in the template tree. Users that do not have template read permissions will not be able to view data in the template tree. The user will also need the Maintain Template Tree (General permissions as per section 3.2) permissions to access the template tree. The write template data permission allows users to capture and edit template data. This permission also allows users to apply templates. Users need write permissions to the unit they wish to apply the template to. Users will also need Maintain Template Tree (General permissions as per section 3.2) permission to access the template tree. The delete template data permission allows users to delete template data. This permission also allows users to delete templates. Users will also need Maintain Template Tree (General permissions as per section 3.2) permission to
Page 9 of 26 BarnOwl Security User Manual v5.2

Internal Audit Setup

Loss Events Setup

Utilities Setup

Maintain Risk Category Tree

Read Template Data

Write Template Data

Delete Template Data

Logging setup Custom Field Setup

access the template tree. The logging setup permission allows a user to set up the logging.

2.4.3 Risk category tree and Template tree permissions

The risk category tree and template tree display risks that may occur in organisational units (pervasive/common risks). Because of this, users that have either Maintain risk category tree permissions or Maintain template tree permissions could gain access to information on units that they do not have permissions to. To prevent the above from happening, the registers will filter the displayed data according to the users permissions. A user will not be able to see risks that are linked to units that they do not have permissions to. Should the data on one of the unit per registers be filtered the below message will be displayed on the register.

Page 10 of 26 BarnOwl Security User Manual v5.2

2.5 Security Properties Risk Management permissions

Risk management permissions are unit based. This means that permissions are defined on a per unit basis. i.e. a user may have Read permissions on unit x but not on unit y. This allows the security administrator to restrict unauthorised users from accessing sections of the organisational tree. Risk Management (Unit based permissions) follows the flow chart below.

2.5.1 Unit based permissions flowchart rules

Page 11 of 26 BarnOwl Security User Manual v5.2

2.5.2

Permissions not set check box

Previously when one saved user permissions on a unit both Risk Management and Internal Audit values were written to the database. This change has included a new check box stipulating if permissions have been set for either RM or IA.

If the Risk Management permissions not set is checked it instructs the system to ignore the fact that no risk management permissions are set for this unit and to use the general (global) permissions. If the Risk Management permissions not set is not checked it instructs the system to apply the risk management permissions set for this unit.

2.5.3 Hierarchical Permissions for Units within Risk Management Module

The hierarchical properties of permissions apply to both user and group permissions. Due to the hierarchical nature of the organisational structure it makes sense that unit based permissions also act in a similar way. For example: if a user is given permissions to the top of a branch of business he will inherit rights to the sections of business below this branch. If we look at the Organisational structure below we see that it has 4 levels of business: The root, below that ABC Corporation, below that Finance and below that Commercial Services and Operational.

Page 12 of 26 BarnOwl Security User Manual v5.2

2.5.4 Assigning Unit Permissions

Providing a user with permissions to the ABC Corporation unit will automatically grant him permission to below Finance unit and therefore also to Commercial Services and Operational. Management

Step 1 In Risk Management Module Select Unit Unit Security

Step 2 Right click in context field to Add / Remove users

Step 3 Click to select user, copy over with arrow - OK

Page 13 of 26 BarnOwl Security User Manual v5.2

Step 4 Select Risk Management Permissions applicable to user Save & Close

2.5.5 Remove or Restrict User rights/permissions

In the same example if we wanted to remove or restrict the users rights from one of the nodes below ABC Corporation we would simply capture permissions for the unit where we wanted to remove rights and select the rights he should have.

Step 1 Select Unit right click for Unit Security

Step 2 Edit Select User Tick to add/remove permissions Save and Close Removing rights This means that the user would have full rights to units ABC Corporation, Finance, & 503 but read only rights to Commercial Services

Page 14 of 26 BarnOwl Security User Manual v5.2

2.5.6 Group Inheritance

Earlier it was mentioned that a User would adopt or inherit rights from groups that they belong to. In this example, user Joe Soap could have inherited permissions from a group of Finance users that had been given permissions to the Finance unit. But by giving him specific permissions to the Commercial Services unit those adopted group units would be overwritten. He would still have the group permissions on unit Operational. When a user tries to browse registers on a unit where he does not have rights the following message will be displayed at the bottom of the register to inform the user that he does not have permissions or rights to view data on the selected unit.

2.5.7 Risk Management permission overview

Permission Read Description Read permissions allow the user to read data from units. Read permissions allow the user to read all Risk Management objects. User will be able to open registers to view data and on double clicking objects will be able view them in read only view. Write permissions allow a user to save and edit data. The user will be able to make use of the capture menus and save objects. Without read permissions users will not be able to browse the registers and will have to capture blindly Delete permissions will allow users to delete items from within the Organisational Structure and the Template tree. Users need read permissions as well in order to view and access the data before deleting it. Users with limited access may be required to still view and update their action plans in restricted units. The read action plan permissions will allow users to view details of action plans on units where they have this permission; they will not be able to see any other detail. Should a user have read permissions these will override read action plan permissions. Though should a user not have read permissions, read action plan permissions will allow them to read only action plans. A user requires either read action plan or read permissions to be able to access the action plan reports. These users will also be able to view action plans via the web action plan interface. These permissions work in the same way as the read action plan permissions, though they allow users to edit
Page 15 of 26 BarnOwl Security User Manual v5.2

Write

Delete

Read Action Plan

Write Action Plan

Manage Vote

Vote

Security Setup

and create new action plans. A user capturing action plans will only be able to capture action plans to the Units since they do not have view rights to any other Risk Management object. Users will need Manage Vote permissions to be able to create and maintain voting templates. These users would be designated as vote administrators and would create and manage voting sessions. They would change voting templates statuses and push the vote results into BarnOwl. Users with vote permissions will be able to vote on voting templates via the Voting Website. These users may not have access to the client application access and voting would be their only interaction with BarnOwl. Security Setup permissions allow users to alter unit security for units on which they have these permissions. Users that have General security setup permissions are allowed to alter unit security in any unit and therefore overwrite Risk Management Security Setup permissions. Users need General Security Setup to draw reports on BarnOwl User and BarnOwl group reports. This permission will not allow users access to these reports. Since risk merge is such a specific (and possibly dangerous) function, a permission has been created to prevent non trained users from using it. The risk merge permission allows users to make use of the risk merge functionality in the Risk Register. The Write Documents permission will allow a user to attach a document to any item, even if the user does not have permission to edit the item they are attaching the document to. A user with Write Unit permissions on the unit is able to capture any unit below the unit for which this permission is set. Note: If a user has been granted General Write/Delete Unit permissions, he will have permission to capture units anywhere on the Organisational Structure. A user with Delete Unit permissions is able delete any unit below the unit for which this permission is set. Note: If a user has been granted General Write/Delete Unit permissions, he will have permission to Delete units anywhere on the Organisational Structure. A user with Import Data permissions is able to import data from Excel (in a predefined format) into any unit where this permission has been set.

Risk Merge

Write Documents

Write Unit

Delete Unit

Import Data

Page 16 of 26 BarnOwl Security User Manual v5.2

2.6 Report permissions

All BarnOwl users have access to reports. This being said, users ability to draw information is restricted according to their rights. A user that does not have read rights to a unit will not be able to draw information on this unit using the reports. All reports unless detailed below work as described above. Report Name BarnOwl User reports Action Plan reports Permissions Required General Security setup permissions from the server console Risk Management Action plan read rights or Risk Management read rights.

Page 17 of 26 BarnOwl Security User Manual v5.2

3. Security Properties Internal Audit permissions

Internal Audit permissions are set up in a similar way to Risk Management Permissions. Internal Audit projects can either be driven from a unit or a process each needing the setting of different permissions. For unit-based projects, the Internal Audit permissions can be set up in the Server Management Console (for overall permissions) or on specific units in Risk Management via the Unit Security screen. Process-based projects need Internal Audit permissions to be set on the specific processes in the Process Tree in Risk Management, as well as on a unit level. In a process-based Internal Audit project, risks and controls will look to the unit in which the item resides for its permissions. Process Internal Audit permissions are set using the Process Security screen. Hierarchical permissions and group inheritance work in the same way as Risk Management permissions. Permissions that are captured from within the Server Console are granted to the Root unit and therefore are inherited by every unit in the organizational structure. Process permissions captured to the Process Root are inherited by every process in the process tree.

3.1 Internal Audit permissions

Unit Audit permissions are set up from the Server Management Console or from the same Unit Security screen that the Risk Management unit permissions are captured. Hierarchical inheritance and group permissions work in the same way as Risk Management permissions.

Setting Internal Audit permissions from the Server Management Console

Page 18 of 26 BarnOwl Security User Manual v5.2

Setting Internal Audit Permissions on specific units

Process Audit permissions are set from the Process Security screen in Risk Management.

Setting Internal Audit Permissions for processes

3.1.1 Project Internal Audit Permissions

Internal Audit permissions are more complex than Risk Management permissions in that some permissions are project based and others are unit/process based. In order for certain project based permissions to be effective, the user must have permissions for the unit/process to which the Internal Audit project was captured.
Page 19 of 26 BarnOwl Security User Manual v5.2

This applies to the Preparer, Reviewer, Close Project and Sign Off permissions. In order for a user to be able to perform the functionality that these permissions grant, the user needs to have these permissions granted both in the project unit/process AND in the project set-up. Therefore, a users permissions to perform these functions are defined at project setup, allowing certain users who have permission in the unit to have these permissions revoked on certain projects where they are not explicitly defined. For example, in order to set a Preparer on a project, the user must have the Prepare Items permission for the unit on which the project was created (or the process on which the project was created for process-based audits). The user setting up the project can then elect to give that user Prepare Items permission on the particular project. Wherever the Prepare Items permission is checked within the project, it will look at the project permission and not the unit permission.

Setting Project permissions on project creation

Page 20 of 26 BarnOwl Security User Manual v5.2

Setting Project permissions from within a project

3.1.2 Internal Audit permission overview

Within the project, other permissions are unit based and work the same way as Risk Management. Refer to the table below: for the rows that contain Project Root Unit/Process, the user must have permissions for the unit/process to which the Internal Audit project was captured. Otherwise the permissions work on a per unit basis. Permission Create Project Description A user with Create Project permissions is able to create an Internal Audit project for the unit which this permission is granted to. A user with Edit Project permissions is able to edit the following items from within Internal Audit: Anything from within the Project detail Figure Actual Hours Tasks Resources Resource Allocation Assign status flag/resource on Risk/Control/Recommendation This user will also be able to delete the above items. In order to edit these items the user must have this permission granted to them, regardless of whether they have Write permissions. Write Risks A user with Write Risks is able to
BarnOwl Security User Manual v5.2

Unit effective Project Root Unit / Process

Edit Project

Project Root Unit / Process

Per Unit
Page 21 of 26

capture and edit risks from within Internal Audit. The user can capture/edit risks from both the Risk Register (providing they have Read permissions to view the register) and from the Capture menu. The Write permission overrides this permission. Therefore if a user does not have Write Risks permission but has Write permissions, they will be able to capture/edit risks. Read Risks A user with Read Risks is able to view the risk register. The Read permission overrides this permission. Therefore if a user does not have Read Risks permission but has Read permissions, they will be able to view this register. Per Unit

Write Controls

A user with Write Controls is able to Per Unit capture and edit controls from within Internal Audit. The user can capture/edit controls from both the Control Register and Risk Register (providing they have Read permissions to view the registers) as well as from the Capture menu. This permission also allows you to capture/edit Audit Control Effectiveness and Audit Control Adequacy. The Write permission overrides this permission. Therefore if a user does not have Write Controls permission but has Write permissions, they will be able to capture/edit controls. A user with Read Controls is able to view the control register. The Read permission overrides this permission. Therefore if a user does not have Read Controls permission but has Read permissions, they will be able to view this register. A user must have the Close Projects permission in order to be able to close the project from the Capture -> Project Detail Figure. A user with Prepare Items permission is able to make himself the preparer of
BarnOwl Security User Manual v5.2

Read Controls

Per Unit

Close Projects

Project Root Unit / Process and specific project permission Project Root Unit / Process and specific
Page 22 of 26

Prepare Items

Review Items

PFO Access

an item. A user must have this permission regardless of their write permissions. This permission also allows the user to capture a Recommendation and Link recommendations. A user must have either Prepare Items or Review Items in order to capture/link recommendations. A user with Review Items permission is able to make himself the reviewer of an item. A user must have this permission regardless of their write permissions. This permission also allows the user to capture a Recommendation and Link recommendations. A user must have either Prepare Items or Review Items in order to capture/link recommendations. A user must have this permission granted in order to access the Project File Organiser. This permission is required regardless of the Read permission. It is also required in order to view the Ordered PFO report. A user who is granted Read Permissions is able to view the Risk Register, Control Register, Action Plan register, Review Note Register and Recommendation register. This permission overrides the Read Risks, Read Controls and Read Action Plans permissions. A user with this permission is able to view all reports except for the PFO Report. A user who is granted Write Permissions is able to capture and edit any of the following: Risks Controls Audit Control Effectiveness Audit Control Adequacy Action Plans This permission overrides the Write Risks, Write Controls and Write Action Plans permissions. A user with Delete Permissions is
BarnOwl Security User Manual v5.2

project permission

Project Root Unit / Process and specific project permission

Project Root Unit / Process

Read

Per Unit for risks and controls, otherwise Project Root Unit / Process

Write

Per Unit for risks and controls, otherwise Project Root Unit / Process

Delete

Per Unit for risks and

Page 23 of 26

able to delete anything that they have write permissions for, except for the following items which require Edit Project permissions: Anything from within the Project detail Figure Actual Hours Tasks Resources Resource Allocation Assign status flag/resource on Risk/Control/Recommendation Read Action Plans A user with Read Action Plans is able to view the control register. The Read permission overrides this permission. Therefore if a user does not have Read Action Plans permission but has Read permissions, they will be able to view this register.

controls, otherwise Project Root Unit / Process

Project Root Unit / Process

Write Action Plans

A user with Write Action Plans Project Root Unit / permission is able to capture and edit Process action plans from within Internal Audit. The user can edit action plans from both the Action Plan Register and capture them from the Recommendation Register. The Write permission overrides this permission. Therefore if a user does not have Write Action Plans permission but has Write permissions, they will be able to capture/edit action plans. The Write Documents permission will allow a user to attach a document to any item, even if the user does not have permission to edit the item they are attaching the document to. A user with Sign Off Items permission is able to sign off an item. A user must have this permission regardless of their write permissions. Permission to delete projects Permission to create and edit project plans (Process security) Permission to read project plans (Process security) Permission to delete project plans (Process security)
BarnOwl Security User Manual v5.2

Write Documents

Per Unit for risks and controls, otherwise Project Root Unit / Process Project Root Unit / Process and specific project permission Project Root Unit / Process Per Process Per Process Per Process
Page 24 of 26

Sign Off Items

Delete Project Write Project Plan Read Project Plan Delete Project Plan

3.1.3 Internal Audit report permissions

Internal audit reports are restricted according to a users rights. In order to view any reports from the Internal Audit project selection Figure, the user must have Internal Audit Read permissions for the unit selected to report on. From within an Internal Audit project, the following permissions are required: Report Name Control Procedure Report Project Risk Coverage Report Planned vs. Actual Report Recommendation Report PFO Report Permissions Required Read or Read Controls Read or Read Risks Read Read PFO Access Unit effective Project Root Unit Project Root Unit Project Root Unit Project Root Unit Project Root Unit

If a user does not have the required permission, the following error message will be displayed when the user clicks the Generate button: Error message when generating a report without the correct permission

Please note that all reports require the specific permission granted to the project root unit because the reports show data that is captured throughout the project and not on a per unit basis.

Page 25 of 26 BarnOwl Security User Manual v5.2

4. BarnOwl Support
If you have any questions and comments regarding the BarnOwl Risk Management system, please contact IDI Technology Solutions Help Desk on (011) 998 8222 or email us at support@barnowl.co.za

Page 26 of 26 BarnOwl Security User Manual v5.2