Benutzer und Benutzerrollen/en: Unterschied zwischen den Versionen

Aktuelle Version vom 16. Juni 2025, 09:21 Uhr

User-roles in HITGuard

Each user role has its own permissions and functions.
User roles can be given separately for every module. The only exception is the Practitioner, as this role is the same across every module. This means that a user can be an Expert in the Security Assessor (risk management), but a Professional or Practitioner in the Progress Monitor (measures and controls).

Admin

This role is responsible for administration as well as for managing other users. Administrators have no insight into data. So, although administrators can manage and create all management systems, they do not have access to their data, nor can they be defined as responsible persons.

At the first installation of the software, at least one administrator must be defined.
There can be several administrators.
Performs purely administrative tasks like creating users and configuring an Active Directory.

Expert

This role may participate in one or more management systems in your organization.

Risk management:
- An Expert can perform analyses and create risks.
- Experts are responsible for the administration of the risk policy and the risk management settings.
Audit management
- An Expert can create, manage and perform audits/audit programs.
- Experts are responsible for the administration of audit management settings.
Measures and controls
- An Expert can create and manage measures and controls.
- Experts are responsible for the administration of the settings in the Progress Monitor.
Data protection
- An Expert can create processing activities, assign TOMs, manage external parties and data subjects.
Case management
- An Expert can process reports and create and manage periods.
- Experts are responsible for case management settings.
Docu management
- An Expert can create and edit directories.
- An Expert can upload and edit files.
ESG management
- An Expert an activate and deactivate the menu item.
- An Expert can create and manage impacts and ESG topics.
Supplier risk management
- An Expert can activate and deactivate the menu item.
- An Expert can create and manage suppliers.
Experts can create and manage management systems.
Experts can access the Administration menu and thus also create assets or users.

Professional

Users of this role support the experts of the management systems in the fulfillment of their tasks. A professional has access to all tasks in the management systems they are assigned to, but has limited editing rights.

Risk management:
- A Professional can create and manage analyses and risks.
Audit management
- A Professional can create, manage and perform audits/audit programs.
Measures and controls.
- They can create and manage measures and controls.
Data Protection
- A Professional can create processing activities, assign TOMs, and manage externals.
Case Management
- A Professional can process reports and assign periods.
Doc-management
- A Professional can create and edit directories.
- A Professional can upload and edit files.
ESG management
- A Professional can create and manage impacts and ESG topics.
Supplier risk management
- A Professional can assign a review to a supplier as the interview partner.

Observer

Users of this role have similar permissions as professionals with regard to the visibility of menu items. However, unlike professionals, they cannot make any changes to the system. They have read-only access to the software. To gain visibility into a management system, they must be added to the management system team like a professional or expert.

Risk Management:
- An Observer can view protection needs and vulnerability assessments, risks, measures, and dashboards, and generate reports.
Audit Management.
- An Observer can view audits and audit programs.
Measures
- An Observer can view measures, reports, assessments, and dashboards.
Controls
- An Observer can view controls, reports, and the dashboard.
Data protection
- An Observer can view processing activities and generate reports. TOMs and externals can be viewed without details. Data privacy impact assessments cannot be viewed.
Case management
- An Observer can view reports and periods.
Doc-management
- An Observer can view directories and files.
ESG management
- An Observer can view impacts and ESG topics.

Practitioner (workflow users)

This role has detailed information and implementation competencies that are required in the management system. It is essential that Practitioners share their knowledge with the HITGuard Experts in order to have a functioning management system.

The Practitioner has an overview of all their assigned measures, controls, processing activities and assessments to answer.
The Practitioner is reminded to carry out their duties.
Practitioner is the default role that each user has across all modules.

User Administration

Create user

There are three possibilities to create a user

Option 1: Create a user via the user list (for local logins without Active Directory).

Administration → Users: In the user list, on the right margin, click on the button "Plus" to add a user. Then you can create the user with the relevant data.

Note on the interface: "Search in directory service", is only displayed if LDAP is enabled in the global settings and an Active Directory is configured. This allows users to be searched from Active Directory and created with their data in HITGuard.

Note for Azure Active Directory (AAD): Users that were already created before LDAP activation can be linked to their Azure Active Directory account afterwards. This allows to use Single-Sign-On (SSO). This can be done by each user under their profile. (see Profile) Administrators can also load current data from the AAD using a button to the right of the user name. This replaces different information from HITGuard. For this, however, the user must already be linked to an AAD account.

Option 2: Quick entry

In the context of use, Active Directory Integration, a new user with minimal permissions for the active module can be created via a person selection screen. To use this, type the person's name or abbreviation in a user selection box. This will load the user from the Active Directory. This user can then log in with his Active Directory data. The user roles can be expanded later, if desired.

Option 3: Using an Active Directory

This is only possible if an Active Directory is configured. First, a user must be created as described in point 1. The specified e-mail must match that of their Active Directory user. Then the user can log in with their Active Directory user, if this is enabled in the global settings.

Assign user roles

Under "Administration → User Roles Assignment" it is possible to assign the respective roles for the desired user.

Licenses:

The column headings Experts and Professionals also show how many licenses are currently available and how many are being used. This allows you to see at a glance where you are over-licensed or under-licensed. More information about licenses can be found at "Administration → Licensing".

Assign:

User roles can only be assigned by administrators or experts.

Administrators can assign any role.
Experts can assign all roles except Administrator and Compliance Manager.
The role "Expert" cannot be withdrawn from persons responsible for a management system as long as they are responsible for at least one management system.

Important: Experts and professionals must be assigned to a management system after user role assignment in order to be able to perform their tasks.

Modules for experts, professionals, und observers
M&C	Measures and controls	part of every license
RM	Risk management	part of every license
DS	Data protection	Add-on
AM	Audit management	Add-on
FM	Case management	Add-on
DM	Doc-Management	Add-on
ESG	ESG management	Add-on
SRM	Supplier risk management	Add-on

Change/reset password

Caution: Changing a password only works if the local login is active. That means: either there is no Active Directory configured or Local Login is enabled under Global Settings. Change own password:

Click on the profile picture or profile name → Profile.
click on "Change password" at the bottom right
Enter old and new password and confirm

Change/reset a password as Administrator or Expert:

Select the desired user under Administration → User
click on "Change password" at the bottom right
enter new password and confirm

Note: Only administrators can reset passwords of experts. Experts can create and authorize users and they can reset passwords for Professionals and Practitioners. The administrator role can also be assigned to multiple users.

Disable user

Experts and administrators can deactivate users via the user mask. A deactivated user can no longer be selected in the application.

In order for a user to be deactivated, all of the user's management system and team memberships do not need to first be canceled. The user is shown as "deactivated" in any management systems and teams they were already a member of.

When deactivating, there is the option to anonymize the user in the system.

Caution: The anonymization removes all personal data of the user. This can no longer be undone! If "No" is selected in the deactivation dialog, the user is deactivated but not anonymized.

Alternatively to anonymization, an expert or administrator can pseudonymize the user when deactivating them. This is done by manually changing their username, first and last name, and e-mail address according to a determined logic.

Reset profile picture

Experts and administrators can reset a user's profile picture by clicking the icon next to the profile picture.

@@ Zeile 1: / Zeile 1: @@
+<span id="Benutzerrollen_in_HITGuard"></span>
 == <span id="user_roles"></span>User-roles in HITGuard ==
-<div class="mw-translate-fuzzy">
+Each user role has its own permissions and functions.<br>
-Each user role has its own permissions.<br>
+User roles can be given separately for every module. The only exception is the Practitioner, as this role is the same across every module.
-User roles can be given seperately for every modul.<br>
+This means that a user can be an Expert in the Security Assessor (risk management), but a Professional or Practitioner in the Progress Monitor (measures and controls).
-That means a user can be an Expert in the Security Assessor but only an Professional or Practitioner in the Progress Monitor.<br>
-[[$PM_user_roles|User-roles in the Progress Monitor]], [[$SA_user_rolse|User-roles in the Security Assessor]]
-</div>
+=== Admin ===
-'''Admin:'''
+This role is responsible for administration as well as for managing other users. Administrators have no insight into data. So, although administrators can manage and create '''all''' management systems, they do not have access to their data, nor can they be defined as responsible persons.
+* At the first installation of the software, at least one administrator must be defined.
+* There can be several administrators.
+* Performs purely administrative tasks like creating users and configuring an Active Directory.
-Diese Rolle ist für die Administration sowie für die Verwaltung anderer Benutzer zuständig. Administratoren haben keinen Einblick in Daten. Zum Beispiel können Administratoren zwar '''alle''' Managementsysteme verwalten und erstellen, haben aber weder einblick in deren Daten noch können sie als Verantwortliche festgelegt werden.
+=== Expert ===
-* Bei Erstinstallation der Software ist min. ein Administrator zu definieren.
-* Es kann mehrere Administratoren geben.
-* Erfüllt rein administrative Aufgaben.
-<div class="mw-translate-fuzzy">
+This role may participate in one or more [[Special:MyLanguage/Managementsysteme|management systems]] in your organization.
-'''Expert:'''<br>
+* Risk management:
-In this role you will be responsible for one or more [[$A_manSys|management systems]] in your company. You must plan measures for findings, ensure the sustainability of these measures and are required to report to Management.
+** An Expert can perform analyses and create risks.
-* can create and administrate management systems
+** Experts are responsible for the administration of the risk policy and the risk management settings.
-* can create assessments, risks, measures and controls and can also administrate findings <br>(expert mode in the Progress Monitor for processing progress reports)
+* Audit management
-* is responsible for the administration of the risk policy
+** An Expert can create, manage and perform audits/audit programs.
-* can make access permissions and basic configurations
+** Experts are responsible for the administration of audit management settings.
-</div>
+* Measures and controls
+** An Expert can create and manage measures and controls.
+** Experts are responsible for the administration of the settings in the Progress Monitor.
+* Data protection
+** An Expert can create processing activities, assign TOMs, manage external parties and data subjects.
+* Case management
+** An Expert can process reports and create and manage periods.
+** Experts are responsible for case management settings.
+* Docu management
+** An Expert can create and edit directories.
+** An Expert can upload and edit files.
+*ESG management
+** An Expert an activate and deactivate the menu item.
+** An Expert can create and manage impacts and ESG topics.
+*Supplier risk management
+** An Expert can activate and deactivate the menu item.
+** An Expert can create and manage suppliers.
+* Experts can create and manage management systems.
+* Experts can access the Administration menu and thus also create assets or users.
-Diese Rolle verantwortet ein oder mehrere [[Special:MyLanguage/Managementsysteme|Managementsysteme]] in Ihrem Unternehmen.
+=== Professional ===
-* Security Assessor (Risikomanagement):
-**Kann Bewertungen, Risiken erstellen und auch Feststellungen administrieren.
-** verantwortet die Administration der Risikopolitik
-* Progress Monitor (Maßnahmen und Kontrollen)
-** Kann Maßnahmen und Kontrollen erstellen und administrieren.
-** verantwortet die Administration der Einstellungen im Progress Monitor
-* Data Protector (Datenschutz)
-** Kann Verarbeitungstätigkeiten erstellen, TOMs zuweisen, Externe und Betroffene administrieren.
-* kann Managementsysteme erstellen und verwalten
-* Kann die Zugriffsberechtigungen und Basiskonfigurationen vornehmen
-* kann die Administration verwalten
+Users of this role support the experts of the management systems in the fulfillment of their tasks. A professional has access to all tasks in the management systems they are assigned to, but has limited editing rights.
+* Risk management:
+** A Professional can create and manage analyses and risks.
+* Audit management
+** A Professional can create, manage and perform audits/audit programs.
+* Measures and controls.
+** They can create and manage measures and controls.
+* Data Protection
+** A Professional can create processing activities, assign TOMs, and manage externals.
+* Case Management
+** A Professional can process reports and assign periods.
+* Doc-management
+** A Professional can create and edit directories.
+** A Professional can upload and edit files.
+* ESG management
+** A Professional can create and manage impacts and ESG topics.
+*Supplier risk management
+**A Professional can assign a review to a supplier as the interview partner.
-<div class="mw-translate-fuzzy">
+<span id="Observer_(Beobachter)"></span>
-'''Professional:'''
+=== Observer ===
-* has access to all tasks in the management system with limited editing rights
-* can create assessments, risks, measures and controls and can also administrate findings
-</div>
-User dieser Rolle unterstützen die Experten der Managementsysteme in der Erfüllung ihrer Aufgaben. Ein Professional hat Zugriff auf alle Aufgaben, in den Managementsystemen denen er zugeteilt ist, mit eingeschränkten Bearbeitungsrechten
+Users of this role have similar permissions as professionals with regard to the visibility of menu items. However, unlike professionals, they cannot make any changes to the system. They have read-only access to the software. To gain visibility into a management system, they must be added to the management system team like a professional or expert.
-* Security Assessor (Risikomanagement):
+* Risk Management:
-**Kann Bewertungen, Risiken erstellen und auch Feststellungen administrieren.
+** An Observer can view protection needs and vulnerability assessments, risks, measures, and dashboards, and generate reports.
-* Progress Monitor (Maßnahmen und Kontrollen)
+* Audit Management.
-** Kann Maßnahmen und Kontrollen erstellen und administrieren.
+** An Observer can view audits and audit programs.
-* Data Protector (Datenschutz)
+* Measures
-** Kann Verarbeitungstätigkeiten erstellen, TOMs zuweisen und Externe verwalten.
+** An Observer can view measures, reports, assessments, and dashboards.
+* Controls
+** An Observer can view controls, reports, and the dashboard.
+* Data protection
+** An Observer can view processing activities and generate reports. TOMs and externals can be viewed without details. Data privacy impact assessments cannot be viewed.
+* Case management
+** An Observer can view reports and periods.
+* Doc-management
+** An Observer can view directories and files.
+* ESG management
+** An Observer can view impacts and ESG topics.
-<div class="mw-translate-fuzzy">
+<span id="Practitioner_(Workflow-Benutzer)"></span>
-'''Practitioner:'''<br>
+=== Practitioner (workflow users) ===
-In this role, you have detailed information and implementation skills that are required from within the management system. Sharing your knowledge with HITGuard Experts is essential for a vibrant management system.
-* has an overview of all findings, controls and assessments assigned to him for response
-* will be reminded to complete his tasks
-* is the standard role that each user has over all modules
-</div>
-Diese Rolle verfügt über Detailinformationen und Umsetzungskompetenzen die aus dem Managementsystem heraus benötigt werden. Dass Practitioner ihr Wissen mit den HITGuard Experten teilen ist für ein lebendiges Managementsystem unbedingt erforderlich.
+This role has detailed information and implementation competencies that are required in the management system. It is essential that Practitioners share their knowledge with the HITGuard Experts in order to have a functioning management system.
-* hat Überblick über alle ihm zugeteilten Maßnahmen, Kontrollen, Verarbeitungstätigkeiten und Bewertungen zur Beantwortung
+* The Practitioner has an overview of all their assigned measures, controls, processing activities and assessments to answer.
-* wird an die Erledigung seiner Aufgaben erinnert
+* The Practitioner is reminded to carry out their duties.
-* ist die Standardrolle die jeder Benutzer modulübergreifend besitzt.
+* Practitioner is the default role that each user has across all modules.
+<span id="Benutzerverwaltung"></span>
 == User Administration ==
-<div class="mw-translate-fuzzy">
+[[Datei:Benutzer anlegen.PNG|thumb|right|500px|600px|Create user]]
-Creating a new user is divided into 3 steps:
-# Create user including initial password:
+=== Create user ===
-#:There are 2 ways to create a user
+There are three possibilities to create a user
-#:* Option 1: Userlist
+* Option 1: Create a user via the user list (for local logins without Active Directory).
-#::: Administration ==> User
+: Administration → Users:  In the user list, on the right margin, click on the button "Plus" to add a user. Then you can create the user with the relevant data.<br><br>
-#::: In the userlist click on the plus button "Create user"<br>and create the user with all relevant Data.(see [[Profil|Profil]]).
+: <u> Note on the interface</u>: "Search in directory service", is only displayed if LDAP is enabled in the global settings and an Active Directory is configured. This allows users to be searched from Active Directory and created with their data in HITGuard.
-#:* Option 2: fast entry
+: <u>Note for Azure Active Directory (AAD)</u>: Users that were already created before LDAP activation can be linked to their Azure Active Directory account afterwards. This allows to use Single-Sign-On (SSO). This can be done by each user under their profile. (see [[Special:MyLanguage/Profile|Profile]]) Administrators can also load current data from the AAD using a button to the right of the user name. This replaces different information from HITGuard. For this, however, the user must already be linked to an AAD account.
-#::: In the context of use, Active Directory Integration can be used to create a new user with minimal permissions via a person selection mask. E.g. when creating measures
+* Option 2: Quick entry
-# User role allocation:
+: In the context of use, [[Special:MyLanguage/Global_Settings#ldap|Active Directory]] Integration, a new user with minimal permissions for the active module can be created via a person selection screen. To use this, type the person's name or abbreviation in a user selection box. This will load the user from the Active Directory. This user can then log in with his Active Directory data. The user roles can be expanded later, if desired.
-#: User roles can only be assigned by Administrators or Exoerts.<br>For this go to "Administration ==> user-role-assignment" and assign the respective roles to the desired user.<br>Important: Experts and Professionals need to be assigned to a management system in order to complete their tasks.[[Benutzer zu Managementsystemen zuteilen|Assigning Users to Management Systems]]
-# Change passwords:
+* Option 3: Using an Active Directory
-#: Change your own password:
+: This is only possible if an [[Special:MyLanguage/Login_Möglichkeiten|Active Directory]] is configured. First, a user must be created as described in point 1. The specified e-mail must match that of their Active Directory user. Then the user can log in with their Active Directory user, if this is enabled in the global settings.
-#:# Click on the profile picture or the profile name.
-#:# click on "Change password" in the bottom right corner
+<span id="Benutzerrollen_zuordnen"></span>
-#:# Enter the old and new password and confirm
+=== Assign user roles ===
-#: Change a password as an Administrator or Expert:
-#:# go to "Administration ==> user" and select the desired user
+Under "Administration → User Roles Assignment" it is possible to assign the respective roles for the desired user.
-#:# click on "Change password" in the bottom right corner
-#:# Enter the new password and confirm
+<b>Licenses:</b>
-</div>
+The column headings Experts and Professionals also show how many licenses are currently available and how many are being used. This allows you to see at a glance where you are over-licensed or under-licensed. More information about licenses can be found at [[Special:MyLanguage/Lizenzierung | "Administration → Licensing"]].
+<b>Assign:</b>
+User roles can only be assigned by administrators or experts.
+*Administrators can assign any role.
+*Experts can assign all roles except Administrator and Compliance Manager.
+*The role "Expert" cannot be withdrawn from persons responsible for a management system as long as they are responsible for at least one management system.
+<b>Important:</b> Experts and professionals must be assigned to a management system after user role assignment in order to be able to perform their tasks.
+[[Datei:Benutzerrollen Zuordnung.png|left|thumb|901px|User role assignment]]<br clear=all>
+{| class="wikitable"
+! colspan="3" | <b>Modules for experts, professionals, und observers</b>
+|-
+!M&C
+|Measures and controls
+|part of every license
+|-
+!RM
+|Risk management
+|part of every license
+|-
+!DS
+|Data protection
+|Add-on
+|-
+!AM
+|Audit management
+|Add-on
+|-
+!FM
+|Case management
+|Add-on
+|-
+!DM
+|Doc-Management
+|Add-on
+|-
+!ESG
+|ESG management
+|Add-on
+|-
+!SRM
+|Supplier risk management
+|Add-on
+|}
+=== Change/reset password ===
+<b>Caution:</b> Changing a password only works if the local login is active. That means: either there is no Active Directory configured or Local Login is enabled under Global Settings.
+Change own password:
+# Click on the profile picture or profile name → Profile.
+# click on "Change password" at the bottom right
+# Enter old and new password and confirm
+Change/reset a password as Administrator or Expert:
+# Select the desired user under Administration → User
+# click on "Change password" at the bottom right
+# enter new password and confirm
+: <b>Note:</b> Only administrators can reset passwords of experts. Experts can create and authorize users and they can reset passwords for Professionals and Practitioners. The administrator role can also be assigned to multiple users.
+<span id="Benutzer_deaktivieren"></span>
+=== Disable user ===
+Experts and administrators can deactivate users via the user mask. A deactivated user can no longer be selected in the application.
+In order for a user to be deactivated, all of the user's management system and team memberships do not need to first be canceled. The user is shown as "deactivated" in any management systems and teams they were already a member of.
+When deactivating, there is the option to anonymize the user in the system.
+<b>Caution:</b> The anonymization removes all personal data of the user. This can no longer be undone! If "No" is selected in the deactivation dialog, the user is deactivated but not anonymized.<br>
+<br>
+Alternatively to anonymization, an expert or administrator can pseudonymize the user when deactivating them. This is done by manually changing their username, first and last name, and e-mail address according to a determined logic.
+[[Datei:Profilbild zurücksetzten.png|right|thumb|400px|Reset profile picture]]
+<span id="Profilbild_zurücksetzen"></span>
+=== Reset profile picture ===
+Experts and administrators can reset a user's profile picture by clicking the icon next to the profile picture.
+<br clear=all>