¶ Restrict content for User Risk and Privacy
Restricted Content for User Risk & User Privacy Roles is a visibility control feature that limits what users with these roles can see in the Diri platform. When enabled by an admin, affected users only see items they created, items shared with them, or items where they have a defined role (e.g., owner or responsible).
The goal is to enhance security, reduce unnecessary access, and support compliance through role-based restrictions. While applied globally per role, individual overrides are possible for flexibility.
Benefits:
- Limits data exposure by applying stronger least-privilege access
- Improves internal access control and regulatory alignment
- Simple to enable and centrally managed
- Customizable at the user level when needed
¶ Overview
This feature provides enhanced data access control for organizations with many users. It allows administrators to restrict visibility for users assigned the User Risk and User Privacy roles.
When the restriction is enabled:
Users only see content they created,
Content shared directly with them,
Or content where they have an assigned role (e.g., owner, responsible, participant).
This feature must be enabled by an organization administrator.
We recommend informing affected users before activating it.
¶ How to Enable Restricted Roles
To enable restricted content visibility:
Go to Users & Access → Access Control.
Toggle Restricted Role ON for the User Risk or User Privacy role.
All users with that role will have their access restricted according to the rules described below.
¶ Overriding Restrictions for Individual Users
To override the global rule for a specific user:
Open the user's profile in user management.
Switch their restriction setting from Global to Custom.
You can now set whether this user follows the restriction or not.
In the above example:
If the global rule is Restricted ON, but User B is set to Restricted OFF, they will retain full access regardless of global changes — until you switch them back to Global.
¶ Visibility Rules - What will regular users see restricted is enabled?
Below are the access limitations for users with restricted roles:
¶ Tasks
See only tasks they created or are assigned.
All users can view sprints (sprints are not restricted).
¶ IT Systems
Visible if the user is owner or responsible.
Also visible if part of an accessible Risk Assessment.
Vendors linked to visible IT systems are shown.
Note: If a vendor is linked to multiple systems, only those accessible to the user will be shown.
¶ Risk Assessments
Visible if user is owner, responsible, or a participant.
Linked IT systems, vendors, and values become visible.
¶ Values (Information Assets)
Shown if linked to accessible Risk Assessments or IT Systems.
If a value is linked to multiple IT systems, only systems the user can access will be shown.
¶ DPIAs
Visible if user is owner, responsible, or a participant.
Linked IT systems, vendors, processing activities, or values are visible depending on DPIA type.
¶ Measures
Visible if the user is an owner, responsible, or if the measure is linked to an accessible Risk Assessment or DPIA.
¶ Processing Activities
Visible if:
Created by the user,
Owned by the user,
Or linked to a DPIA the user can access.
¶ Guidelines
Visible only if created by the user or assigned to them.
¶ Known Limitations
Some content created before this update may not be visible to restricted users because creator metadata was not previously stored.
This applies to:
Processing Activities
Reports
Guidelines