Model Security Vs. Control Security - Kyra Geryol

Authorizations (Across all RM Objects)

Owner - The user can view, edit, delete, and modify the security of the risk management object

Editor - The user can view and edit the object but cannot delete or modify the security

Viewer - The user can only view the object and/or data


There is only one level of security for models. This means a user can be assigned to a model as an Owner, Editor, or Viewer and can see the model details, logic, and results regardless of authorization.


There are two levels of security for controls: Control Security and Result Security. Controls have two levels, where models have one, because duties need to be separated once users work with controls in a Production environment. Controls are what the reports gather data from and where remediation occurs.

Control Security: Grants a user access to the control itself, meaning the control details, comments, logic, and security assignment (depending on authorization).

Result Security: Grants a user access to the results, which they can remediate or view (depending on authorization).

Best Practice Solution for Controls Security Assignment

If a user needs access to remediate a control's results, they should be assigned as a Viewer of the Control Security, so they can see the control details but not modify anything, and as an Owner or Editor of the Result Security.
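One way to check existing assignments against this best practice, as an added example that is not part of the original article or the product: a small audit over assignment rows. The row layout, user names, control IDs, and the mapping of "remediate" to the edit capability on Result Security are assumptions made for illustration.

```python
from collections import defaultdict

# Capabilities per authorization, as defined in the Authorizations list above.
CAPS = {
    "Owner":  {"view", "edit", "delete", "modify_security"},
    "Editor": {"view", "edit"},
    "Viewer": {"view"},
}

# Constructed sample rows (hypothetical layout): user, control, security level, authorization.
ASSIGNMENTS = [
    ("asmith", "CTRL-001", "control", "Viewer"),
    ("asmith", "CTRL-001", "result",  "Editor"),
    ("bjones", "CTRL-001", "control", "Owner"),
    ("bjones", "CTRL-001", "result",  "Owner"),
    ("cwu",    "CTRL-002", "result",  "Editor"),
    ("dlee",   "CTRL-002", "control", "Editor"),
]

def audit(assignments):
    """Return sorted (user, control, finding) tuples for remediators who deviate."""
    held = defaultdict(lambda: {"control": set(), "result": set()})
    for user, control, level, auth in assignments:
        if level not in ("control", "result") or auth not in CAPS:
            raise ValueError(f"unknown level/authorization: {level}/{auth}")
        held[(user, control)][level] |= CAPS[auth]  # union tolerates duplicate rows
    findings = []
    for (user, control), caps in held.items():
        if "edit" not in caps["result"]:
            continue  # not a remediator: views results only, or has no result access
        if caps["control"] - {"view"}:
            # Owner or Editor on Control Security plus remediation rights
            findings.append((user, control, "can remediate results and change the control"))
        elif not caps["control"]:
            findings.append((user, control, "remediator has no Viewer access to the control"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(ASSIGNMENTS):
        print(*finding, sep=" | ")
```
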

