What's covered in this article
Verinote allows agencies to enforce the principal of least privilege through a Role Based Access Control Group (ACG) Model, with functionality of each aligned with a specific user persona. It is imperative Verinote administrators understand the Verinote ACG model and only assign ACGs appropriately and based on the users needs, position and delegation within the organisation.
Access Control Groups within Verinote
Below is the general explanation of the Access Control Groups, their use-cases and a general explanation of their capabilities from a permission standpoint.
- General User [Low Risk]: This is the ACG with least privilege and is allocated by default. This ACG has the rights to create, edit, search, read and export their own records only.
- Intelligence Units [Medium Risk]: This ACG has the same rights as Baseline, however, can search the entire agency’s data. For entries marked Official: Sensitive or Protected, the search results only return that information exists and who owns the data, with a prompt and feature to contact that user for disclosure of the information requested. This user cannot edit any data other than their own.
- Supervisor [Medium Risk]: This ACG has the same rights as Baseline, however in addition, can search, read, and export user records within their work unit. For example, the supervisor of a local police station or specialist unit. Returned searches exclude all notes marked as private by the creating user. This user cannot edit any data other than their own.
- Integrity Units [High Risk]: This ACG has the same rights as Baseline, however, can search, read, and export the entire agency’s data, including private However, they cannot access data classified as Official: Sensitive or PROTECTED. The Integrity ACG can also examine the Audit Portal to scrutinize Search Logs and Export Logs. This user cannot edit any data other than their own.
- CEO or Delegate [High Risk]: This ACG has the same rights as Baseline, however, can search, read, and export the entire agency’s data, including private records and records marked up to PROTECTED. This user cannot edit any data other than their own.
- Agency Lawyer [High Risk]: This ACG has the same rights as Baseline, however, can search, read, and export the entire agency’s data, including private records and records marked up to PROTECTED. This user can edit data, but only limited to removing or applying classifications, IMM/DLM to assist in court disclosure and redaction.
- IT Administrator [Extreme Risk]: This ACG has the same rights as However, they have access to the Verinote Admin Portal to administer user accounts, including the provision of ACGs. Agency clients must be aware of the risks associated with this ACG and allocate accordingly based on their own risk assessment.
Classification/Information Visibility within Access Control Groups
The below table depicts the conditional access of each ACG to specific classifications and markings applied to Verinote entries.
When current user is not the owner of the entry, the Title, Body, Location and Attachments should be: | |||||||
Classification/Marking | General User | Integrity Units | CEO Or Delegate | Agency Lawyer | Admin | Intelligence Units | Supervisor |
OFFICIAL: Sensitive | no access | Hidden | Show | Show | Hidden | Hidden | Show (if same Work Group) |
Official | no access | Show | Show | Show | Hidden | Show | Show (if same Work Group) |
Unofficial | no access | Show | Show | Show | Hidden | Show | Show (if same Work Group) |
PROTECTED | no access | Hidden | Show | Show | Hidden | Hidden | Show (if same Work Group) |
Private | no access | Show | Show | Show | Hidden | Hidden | Hidden |
Assigning Access Control Groups
Users may request they be assigned a specific Access Control Group, based on their self assessed needs. However, this assignment needs to be approved by a Verinote administrator with the Verinote IT Administrator ACG privileges. This can be achieved though the Verinote Web Application (desktop) or Native Desktop Applications only. Once a Verinote administrator assigns an Access Control Group to a user, an email will be sent to all Verinote administrators notifying them of the change, for peer review and security monitoring.
Ongoing Monitoring of Access Control Groups
The agency must establish a routine and policy of monitoring the Verinote Access Control Groups and ensure the principal of least privilege is applied at all times. VeriSaaS has no oversight of Access Control Groups applied within an organisation/agencies Verinote platform.
If you have any issues with this help article, please raise a support ticket, email support@verisaas.com, call 1300 837 466 or raise a support request at support.verisaas.com
Comments
0 comments
Please sign in to leave a comment.