¶ Users, roles, and priviledges in the Diri app
This article outlines the user management process in the Diri application, from creation to deletion. User management is a core aspect of how the Diri application is configured and operates, reflecting the organizational structure. In Diri, a user is associated with one or more organizational units. Within these units, users are assigned specific roles. Each role encompasses a set of privileges that define what the user can see and do within the application. This system might seem complex, but it is designed to be intuitive and straightforward.
¶ Users, roles, and priviledges explained
Users: In the Diri app, a "user" typically represents an individual who has access to the application. Each user has a unique identifier and associated profile details, which might include their name, contact information, and organizational affiliations.
Roles: Roles are used to group users based on their responsibilities and the tasks they are allowed to perform within the application. Each role is equipped with specific privileges that enable users to access certain features of the Diri app. For example, a "Manager" role might have privileges to view reports, edit settings, and approve tasks, whereas a "Technician" role might only have privileges to view and complete specific tasks.
Privileges: Privileges are specific rights or permissions granted to roles that define what actions users can take within the app. These can include access to view certain data, execute specific functions, or modify resources. Privileges ensure that users can only perform actions that are pertinent to their role, thereby safeguarding the system from unauthorized access or unintended modifications.
This structured approach to user management helps maintain security and efficiency, ensuring that each user has access to the necessary tools and information to perform their duties effectively while protecting sensitive data and features from unauthorized access.
In the above example, the superadmin is located in the organisation top level, with two sub organisational levels. Each level has one user each. User 1 belongs to Organisation “Sub level 1” and has the role “User risk." User 2 belongs to the Organisation “Sub level 2” and has the role “Admin.” The superadmin manages the setup and can see everything, while User 1 and User 2 does not see the superadmin or each other, they are confined to the privileges assigned in their organisation.
¶ Creating users in Diri
There are several ways of creating new users in Diri. Navigate to the “Users & Access” option in the main menu. This action will open the Users menu, where there are three primary ways of adding users highligted in the below picture:
¶ The New and Edit existing user form
Clicking the "+ New user" icon in the top right corner will open a form for creating a new user, this form is identical to the one that opens to edit an existing user as well.
The form is a fairly straight forward registration of a new user and ends with the user receiving an email invitation to the app and to reset the password. Notable fields are:
- Organizations sets the top level organisation for the new user in the organisational hierarchy.
- Active organisation sets where the user will arrive in the app when he logs in. For simplicity, you can set the Active organisation the same as the organisation.
- Roles displays the access roles that can be assigned to the new users, e.g. Admin, User risk, Read & sign, etc.
- System language sets the language choice for the user.
Clicking save will send the invitation email to the user.
¶ Invite user
Clicking the invite user button next to the Add new user, will open an invitation form. This form has a predetermined organisation, corresponding to your user's active organisation (top left corner), and asks for the user's email and what access role he should get when signing in. This action will send an email invitation to the user.
¶ Adding a user directly in the list
Clicking the List+ icon above the User listing will create an empty row as illustrated in the first picture in this article. The registration requires email, organisation, and role. The registered user receives an email invitation after being successfully registered.
¶ Role-based access control (RBAC) in Diri
Diri utilizes Role-Based Access Control (RBAC) to customize system access based on defined user roles, thereby enhancing the management of permissions across the platform. RBAC is an essential strategy that restricts system access to authorized users through a framework centered on roles and privileges. This framework simplifies permission management by aligning access strictly with the necessary functions users need to perform their duties.
RBAC is particularly effective in large organizations that manage hundreds of users and thousands of permissions, facilitating streamlined administration of security. It supports a variety of roles tailored to specific operational needs, such as read-only roles for auditors and managerial roles, which help improve both the integrity and confidentiality of data within Diri.
The system is designed with clear role definitions, including Super Admin (top level), Local Admin (branch admins), and Standard User roles (User Risk / User Privacy), each with distinct responsibilities and access levels. This precision ensures that access rights are appropriately assigned and controlled:
- Super Admins have overarching control across the platform, capable of managing all settings, users, and organizational structures.
- Local Admins are responsible for specific organizational segments, managing users and settings within their designated areas.
- Standard Users have restricted access tailored to their operational needs, ensuring they can perform their tasks without accessing sensitive system settings.
Additionally, RBAC enhances security by safeguarding against unauthorized changes and ensuring that privileges are granted through proper channels. Predefined roles like Admin, User Risk, and User Privacy are established to match specific job functions and responsibilities, ensuring users have access to necessary resources without compromising security.
Overall, RBAC in Diri ensures a secure, organized, and efficient way to manage access rights, aligning with the organization's need for security and operational efficiency.
¶ User Roles and Access for Administration and Settings
Super Admin The Super Admin has complete control over the entire Diri platform. This role is assigned in cooperation with Diri staff during onboarding. Super Admin privileges include:
- Viewing and managing all users and sub-organizations.
- Creating and organizing new organizations.
- Changing settings for the entire organization.
Local Admin The Local Admin is responsible for a specific organization and any sub-organizations:
- Managing users and settings within their organization and sub-organizations.
- Creating sub-organizations.
Standard User Standard Users (User Risk and User Privacy) have limited access:
- Only viewing content within their organization.
- Not editing users or organizations.
- Not creating or changing the structure in Diri.
¶ Predefined Roles
To improve structure and role distribution, we have introduced a set of predefined roles that cannot be altered or deleted:
- Admin: Has extended administrative rights within their organization.
- User Risk: Manages the cybersecurity module, including risk assessments and associated actions.
- User Privacy: Manages the privacy module.
- Auditor: Has read access to data relevant for audit purposes.
- Read and Sign: Has read access to risk assessments and measures, and can sign off on action plans.
The settings for these roles are found via the “Users & Access” menu, and “Access control” tab as illustrated below:
¶ Securing Roles and Rights
To prevent unauthorized access and modifications, additional security mechanisms have been implemented:
- Predefined roles (Admin, Auditor, User Risk, User Privacy) cannot be changed or deleted.
- Only Super Admins and Local Admins can assign roles.
- Standard Users cannot modify their own or others' rights.
¶ Assignment of multiple Roles and Rights
Roles and rights are assigned under "Users and Access" with three key columns/options:
- Active Organization: Indicates the user's current position in the organizational tree, always displayed in the top left corner.
- Organizations: Shows which organizations a user belongs to and where they can be assigned roles.
- Roles: Once a user is assigned to one or more organizations, they can be granted roles. The roles available are filtered clearly for easy selection, allowing a user to have different roles in different organizations, e.g., "User Risk" in Organization 1 and "User Privacy" in Organization 2, illustrated below
This setup ensures users have the necessary rights to efficiently work within their designated areas in Diri while maintaining strict control over access and role assignments.
In the application, the user gets assigned a second organisation and a role in this organisation:
The user now has multiple roles and switch between organisations with different priviledges using the “Active organisation” option up left corner, and will change the user's organisational belonging and priviledges.
