
Users and Authorization

Concept

Authorization in ISOPlanner builds on authentication by Microsoft Entra ID: only users with a Microsoft Entra ID (or guest) account can be given permissions in ISOPlanner. Users are synchronized to ISOPlanner through Microsoft Entra ID groups, with support for nested groups (group inheritance). In ISOPlanner, custom roles can be created; roles can have users and groups as members, and permissions can be granted to them. In addition, Sharing permissions control which data users can read, modify and delete. Sharing permissions can have users, groups and roles as their members and can be applied to items such as processes, risks and tasks.

Restrictions for Basic subscriptions:

  1. Sharing permissions are not supported. This means that create, read, modify and delete permissions cannot be granted.
  2. Synchronization from Microsoft Entra ID to ISOPlanner is not supported. This means that new users created in Microsoft Entra ID must be manually created in ISOPlanner and roles must be assigned manually.
  3. Adding Teams and Groups as members of Custom roles is not supported. This means that role members cannot be automatically synchronized with Microsoft Entra ID.

 

Users

Where to find it in ISOPlanner: https://portal.isoplanner.app/admin/users/licensing

This section lists the users that are registered in ISOPlanner with their Microsoft Entra ID account. The first column (License) indicates whether the user is allowed to log in as a normal user, which gives read-only access plus access to tasks. For higher privileges such as Admin or Manager, assign the user a ‘Licensed role’. Licensed roles can be purchased and come with a certain number of normal user licenses, depending on the subscription type (Basic, Business or Premium). For more information, see Subscription.

Add

Find one or more users in Microsoft Entra ID to assign an ISOPlanner license to. You may also assign a license to people with a guest account. Where a photo of the user is available in Entra ID, the same photo is shown in ISOPlanner. Note: for practical reasons the photo is not shown in all parts of ISOPlanner; for example, it is not shown in Dashboards.

Edit

Click on the name of a user, or select a user from the list and click the Edit button, to change their name, email address, time zone and role membership. Changing the email address is useful when a user has multiple email aliases and you want to use one other than the default. The time zone can be changed to override the central setting for the entire organization. Role memberships can also be set on the Roles tab; they are repeated here for convenience.

Remove

Select one or more licensed people from the list and click the Remove button to remove their ISOPlanner license. When a user is removed, they are disconnected from all tasks as owner and assignee, and from all requirements, controls, assets, risks, processes and objectives. Their dashboards are removed as well. The activity log and change log remain intact.

You can also replace a user with another user, which can save a lot of work.

Replace

Select one licensed person from the list and click the Replace button to replace them with someone else. You can then search for the person who will take over.

When a user is replaced with another user, all dashboards, tasks, assets, risks, controls, processes and objectives are moved to the new user.

License

This menu contains options to enable and disable the license for a selection of users. It also contains the setting “Automatically assign a license”. With this option enabled you do not have to assign licenses to people: anyone who can sign in to ISOPlanner gets a license assigned automatically on login. If no free licenses remain, additional licenses are not purchased automatically, so the option has no effect once all available licenses are assigned.

Disable this option if you want control over who gets an ISOPlanner license; you then assign licenses to users manually. With automatic assignment, access is decided by who is able to sign in rather than by an explicit decision in ISOPlanner, so manual assignment is the stricter setting.

 

Roles

Where to find it in ISOPlanner: https://portal.isoplanner.app/admin/users/roles

In the Roles tab, you can assign additional roles to people who already have an ISOPlanner license. There are 3 types of roles:

  1. Licensed roles. These roles can be purchased and grant high privileges such as modifying data (Manager) and granting permissions (Admin).
  2. Default roles. These roles do not count towards the number of purchased licenses and have special functionality.
  3. Custom roles. These roles are created by you; users and (in Business and Premium subscriptions) groups can be assigned to them.

Permissions can be granted to all roles except Organization administrator and Administrator because they always have unlimited access.

 

Licensed Roles

 
Organization administrators

These users inherit the Administrator role from the parent organization and therefore have Admin permissions. This role can only be assigned by the ISOPlanner Servicedesk, for Premium subscriptions and to a limited number of users.

Administrators

These users have the Administrator role and full authorization, meaning they are not subject to any authorization checks in ISOPlanner. Administrator is the only role that can grant permissions to other users.

Managers

These users have the Manager role and can do everything except grant permissions to other users.

 

Default roles

 
Consultants

These users have the same rights as the Manager role and therefore can do everything except grant permissions to other users. For instructions on how to add a consultant to ISOPlanner, see: https://portal.isoplanner.app/templates/ISOPlanner.Consultant.Onboarding.EN.pdf

License managers

License Managers can assign licenses to users and manage the subscription. Other features are not available.

 

Custom roles

Custom roles can be created and used as Owner for assets, risks, processes, objectives and items in the library.

You can create, edit and remove custom roles. A custom role has a name and a description. You can optionally link a document from the library; this is useful when you have documents with more information about your roles, such as responsibilities and competences. Once a role is created, you can assign members to it.

Business and Premium subscriptions can also assign Microsoft Entra ID groups to roles and automatically synchronize their members (users).

 

Permissions

Where to find it in ISOPlanner: https://portal.isoplanner.app/admin/users/permissions

Role permissions

All members of a role are granted the role’s permissions. When a user is a member of multiple roles, the effective permissions are the union of the permissions granted through all assigned roles (permissions only add up; a role never takes away what another role grants).

Click on the name of the role to edit its permissions. Permissions are categorized per module. You can expand and collapse all categories, and you can add or remove all permissions at once.

Each module can be enabled or disabled with the Visible toggle under its category. A category may have additional features that can be switched on and off, such as permission to create new items. After saving, affected users must reload their browser before the new permissions take effect.

The Organization administrator and Administrator roles are not listed here because they always have all permissions.

Users

All users that are assigned a license are implicitly members of the role “Users”; you do not have to assign it. It is comparable to roles like ‘Everyone’ or ‘All company’ in other systems. For this role, you can switch modules on and off and allow or prevent the creation of tasks. In addition, members of the Users role have the following permissions:

  1. Login permission.
  2. Read all items shared with Everyone.
  3. Read all items for which the user is a member of the Sharing permission. 
  4. Read all items where they are assigned as owner (directly or through a custom role).
  5. Create tasks. (When the role permissions are enabled)
  6. Modify tasks that are assigned to them.
  7. Create comments on items they can read.

When a user has no Licensed role, the other permissions (Update, Delete) in a Sharing permission do not apply to them: the user only gets Read permission, even if the Sharing permission grants more.

When a user is not a member of any Licensed role, the user does not have access to:

  1. Administrator module.
  2. Annual plan module.
  3. Creation of dashboards.
  4. KPI module.
  5. Forms module.
  6. Tag management & knowledge base management.
  7. Analytics tabs of modules ISO/Custom standard & Requirement & Control.
  8. Risk board & Risk analytics.
  9. Overview of all tasks.
  10. Task templates.

 

Sharing permissions

This feature applies only to Business and Premium subscriptions.

Sharing permissions let you grant permissions on individual items in ISOPlanner, for example an asset, risk or task (a full list is given below). Think of a Sharing permission as sharing the asset or task with a group of people: every member gets Read permission, and for each member you specify whether Update and Delete permissions are enabled as well. Conversely, once a Sharing permission is applied to an asset or task, people who are not members have no permissions on it and effectively cannot see that it exists. The exceptions are the item’s owner, who always has Read permission (see Owner permissions below), and Administrators, who are not subject to authorization. To assign Sharing permissions easily, create them upfront so you can re-use them and apply them to your items in bulk.

List of authorized items

Requirements and Controls inherit their authorization from Standards. Note that a Requirement or Control can be part of multiple standards, because they can be de-duplicated. For example, most ISO Standards have a Requirement about Leadership (5.1). Users can see such a Requirement when they have at least Read permission on one of the Standards it is part of.

 

Permission meaning per item

To prevent possible data loss, deleting Requirements and Controls is only allowed for users with the (Licensed) Administrator role.

 

Example

In this example, a Sharing permission for HR processes is created. It has 4 members:

  1. Alex Wilber is a user and has read and update permissions
  2. CISO is a custom role with 2 members and has read, update and delete permissions
  3. Quality employee is a custom role with 3 members with read permissions
  4. Team A is a group with 100 users with read permissions

You can set a Sharing permission to Inactive (uncheck Active) to test the permissions more easily.

Click Save to create the Sharing permission. When you save it, it is not applied yet to any item. Click Apply in the toolbar of the Sharing permissions list to apply it to items. (Or click Save and Apply directly.)

Create and apply Sharing permissions to your items

To keep the authorization manageable, each item takes one Sharing permission. The Sharing permissions themselves are very flexible, and permissions on most items do not change often. Tasks may be an exception: task authorization is a little more flexible, see the next chapter.

There are many ways to implement role based access control (RBAC) and you should choose the one that fits you. The following examples give some ideas to consider; they are not a guideline you must follow.

When you start creating Sharing permissions, think in terms of processes rather than departments. For example, assume you have implemented 2 ISO Standards (9001 and 27001) and created assets, risks, controls, tasks and library items. Start with the ISO standards: who needs access to the Requirements and Controls in these Standards? Probably the ‘Quality department’. But if you create a Sharing permission with that name and an internal auditor needs access later, you end up adding that user to the ‘Quality department’.

In most cases you already have a Microsoft Entra ID group ‘Quality department’ with the members of that team. If you don’t, you can create a Custom role ‘Quality employee’ and add the members. Then create a Sharing permission ‘ISO 9001 process’, add this group or role as a member, and add other people if needed. This leaves room for other people to (temporarily) join the ISO 9001 process without being added to the department.

Other things to consider are how you want to protect data and how you want to decentralize work. Protecting data is about who can read, update and delete. If all users with a Licensed role may update and delete everything, there is no need to configure Sharing permissions. If not, think about how to divide the data into groups that each have their own permissions. Risks are an example: in most cases a risk has a clear owner, who is probably a member of some department. You could create a Sharing permission per owner, with names like ‘Work related risks’ or ‘Information risks’, and add the owner and the IT department group as members of ‘Information risks’, for example.

In general, don’t make it too complex. Having 5 – 10 Sharing permissions is no problem. Having 10 – 30 is pretty normal. 30 – 50 becomes a bit harder to manage and if you have more than 50, you may want to simplify the structure.

To apply Sharing permissions to your items, you have 2 options:

  1. Go to the lists of each item (e.g. processes, assets, risks) and apply them to a single item or multiple with Bulk Edit. The advantage is that you can filter the list as you want, for example on tags or owner.
  2. Use the Apply function in the Sharing permissions section in the Authorization menu. The advantage is that you can view and modify the Sharing permissions of all items without having to navigate through the lists.

Note that an item that has not been shared yet has its Sharing permission set to Everyone, meaning every licensed user can read it. You can see this in the Shared with field (on the item and in the list).

Apply through the list

In the example below, we’ve navigated to the list of Risks, selected 3 items and clicked Bulk Edit. Now choose Sharing, choose a new Sharing permission and click Execute.

Apply through the Sharing permission section

In the example below, we’ve navigated to the Administration menu, selected the Permissions tab and clicked on Sharing permissions. Now select a Sharing permission and click the Apply button.

You can also click Apply without selecting a Sharing permission first.

In the top drop-down list (1) you can select one or more Sharing permissions; all items that have these Sharing permission(s) applied are then shown. In the search bar below the list (2) you can search for items to add to the list above. With the New sharing permission feature (3) you select a new Sharing permission to apply to your selection. The Apply to selection and save button is enabled only when one or more items in the list are selected. Once you have made a selection, click Apply to selection and save to make the change.

Special permissions

Owner permissions

When you assign an owner to a Task, Process, Objective, Asset, Risk, Requirement, Control or Library item, that owner is granted Read permission. When the owner is a role, every member of the role (including users in the groups in the role) is granted Read permission.

An owner does not need to be listed in the Sharing permission to get Read permissions!

 

Task permissions

Task authorization generally follows the same rules as for other items, with a few differences that make working with tasks easier and more flexible.

  1. The owner of a task can only be a user and not a role. This makes it more clear who is responsible for tracking the task.
  2. The assignee of the task can modify the task without being a member of the Sharing permission with Update permissions. This is true for all fields except the following:
    1. Owner
    2. Start date
    3. Recurrence
  3. A user with at least Read permission can assign the task to themselves. (By rule 2, that user can then also modify it as assignee.)
  4. When a custom form (with KPIs) is attached to the task, the form can always be used as long as the user can modify the task.

 

Note that users without a Licensed role can create tasks for other users (optionally based on a template), but once they do, they can no longer modify that task because they are not its assignee. These users can, however, assign tasks to themselves to take over work from team members. The reason for this limitation is that the Licensed Manager role is intended for people who create and assign work to others. To overcome it, consider purchasing more licenses through our discount model.

These rules ensure that:

  1. Users always can handle tasks assigned to them.
  2. Teams can handle and distribute work among themselves.
  3. Team leaders and managers (with a Licensed Manager role) can share and assign tasks directly without having to assign them to themselves first.
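The rules spread over the Role permissions, Users, Sharing permissions, Owner permissions and Task permissions sections combine into a single effective-permission decision: Administrators bypass authorization, an unshared item is readable by every licensed user, Sharing permission members get Read plus whatever Update/Delete their entry grants, users without a Licensed role are capped at Read, the owner (directly or via a custom role, with nested groups resolved) always gets Read, Requirements and Controls can only be deleted by Administrators, and a task’s assignee may edit everything except Owner, Start date and Recurrence. The Python model below is an added example written for this page, not ISOPlanner’s own code. The data structures, function names and the sample directory (users, Team A and IT department groups, the CISO and Quality employee roles, the HR processes Sharing permission) are constructed assumptions, and it assumes Manager and Consultant are the roles whose members may Update or Delete. The self-assignment rule for tasks reduces to checking that "read" is in the result of effective().

```python
# Added example, not ISOPlanner code: a model of the effective-permission rules on this page.
# Role names are real; data shapes, function names and the sample data are assumptions.
from __future__ import annotations
from dataclasses import dataclass, field

ADMIN_ROLES = {"Organization administrator", "Administrator"}
LICENSED_ROLES = ADMIN_ROLES | {"Manager", "Consultant"}   # assumed: may Update/Delete
ASSIGNEE_LOCKED_FIELDS = {"owner", "start_date", "recurrence"}  # assignee needs Update for these

@dataclass
class Directory:
    groups: dict[str, set[str]]   # Entra ID group -> user names or nested group names
    roles: dict[str, set[str]]    # custom role -> user names or group names

    def users_in_group(self, group: str, seen: set[str] | None = None) -> set[str]:
        seen = set() if seen is None else seen
        users: set[str] = set()
        for m in self.groups.get(group, set()):
            if m not in self.groups:
                users.add(m)
            elif m not in seen:                # nested group (group inheritance), once
                seen.add(m)
                users |= self.users_in_group(m, seen)
        return users

    def expand(self, principal: str) -> set[str]:
        # Resolve a user, group or custom role name to the users behind it.
        if principal in self.roles:
            return set().union(*(self.expand(m) for m in self.roles[principal]))
        if principal in self.groups:
            return self.users_in_group(principal)
        return {principal}

@dataclass
class SharingPermission:
    name: str
    members: dict[str, set[str]] = field(default_factory=dict)  # principal -> subset of {"update","delete"}

@dataclass
class Item:
    kind: str                                  # "risk", "control", "task", ...
    owner: str | None = None                   # user or custom role (tasks: user only)
    sharing: SharingPermission | None = None   # None => shared with Everyone
    assignee: str | None = None                # tasks only

@dataclass
class User:
    name: str
    licensed_roles: set[str] = field(default_factory=set)

def effective(d: Directory, user: User, item: Item) -> set[str]:
    """Subset of {"read", "update", "delete"} the user holds on the item."""
    if user.licensed_roles & ADMIN_ROLES:
        return {"read", "update", "delete"}    # Administrators bypass authorization
    licensed = bool(user.licensed_roles & LICENSED_ROLES)
    perms: set[str] = set()
    if item.sharing is None:                   # not shared yet => Everyone can read
        perms.add("read")
        if licensed:
            perms |= {"update", "delete"}
    else:
        for principal, grants in item.sharing.members.items():
            if user.name in d.expand(principal):
                perms.add("read")
                if licensed:                   # without a Licensed role: Read only
                    perms |= grants
    if item.owner and user.name in d.expand(item.owner):
        perms.add("read")                      # owner always gets Read
    if item.assignee == user.name:
        perms.add("read")                      # assignee can always handle the task
    if item.kind in {"requirement", "control"}:
        perms.discard("delete")                # only Administrators may delete these
    return perms

def can_edit_task_field(d: Directory, user: User, task: Item, field_name: str) -> bool:
    # Assignee may edit everything except the locked fields without Update permission.
    if "update" in effective(d, user, task):
        return True
    return task.assignee == user.name and field_name not in ASSIGNEE_LOCKED_FIELDS

# Constructed sample data mirroring the HR processes example on this page.
DIRECTORY = Directory(
    groups={"Team A": {"dana", "eli"}, "IT department": {"Team A", "frank"}},
    roles={"CISO": {"bob", "IT department"}, "Quality employee": {"carol"}},
)
HR_PROCESSES = SharingPermission("HR processes", {
    "alex": {"update"}, "CISO": {"update", "delete"}, "Quality employee": set(), "Team A": set(),
})
# carol, dana and grace hold no Licensed role; dana is in Team A and, via IT department, in CISO.
USERS = {n: User(n, r) for n, r in [
    ("alex", {"Manager"}), ("bob", {"Manager"}), ("carol", set()), ("dana", set()),
    ("frank", {"Manager"}), ("grace", set()), ("root", {"Administrator"})]}
RISK = Item("risk", owner="Quality employee", sharing=HR_PROCESSES)
CONTROL = Item("control", sharing=HR_PROCESSES)
NEW_ASSET = Item("asset")                      # not shared yet
TASK = Item("task", owner="alex", sharing=HR_PROCESSES, assignee="carol")

if __name__ == "__main__":
    for n, u in USERS.items():
        print(f"{n:6} {sorted(effective(DIRECTORY, u, RISK))}")
```

Running it shows the gating in action: dana reaches the CISO entry (Update and Delete) through the nested IT department group, yet ends up with Read only because she holds no Licensed role, while frank, licensed and reached the same way, gets all three; grace, who is a member of nothing, gets an empty set and so cannot see the risk; bob loses Delete on the control even though his CISO entry grants it.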

 
