Users & Roles Management
AIIA enforces strict Role-Based Access Control (RBAC) and Segregation of Duties (SoD) to ensure audit independence, evidence integrity, and secure tenant data isolation.
User authentication is managed via Single Sign-On (Keycloak), while authorization scopes and role assignments are governed directly in the AIIA administrative portal.
Standard System Roles
AIIA defines seven distinct user personas, each mapped to specific permissions and workflow access levels:
| Role Name | Persona | Primary Responsibilities |
|---|---|---|
| CAE | Chief Audit Executive | Annual planning, resource allocation, audit committee reporting, final sign-off. |
| Audit Manager | Engagement Manager | Engagement setup, budget review, workpaper reviews, finding approval, report drafting. |
| Auditor | Lead/Field Auditor | Fieldwork, testing procedures, sampling execution, evidence collection, CCCER finding drafting. |
| Quality / CA | QA Officer / Control Analyst | Quality reviews, KRI configuration, monitoring exception analysis, compliance audits. |
| Leadership | Board / Executive | Read-only access to executive portfolios, dashboards, and final reports. |
| Audit Client | PBC Contact | Uploading requested evidence documents, responding to findings, and tracking action plans. |
| IT Admin | System Administrator | SSO configuration, RBAC scopes, database connectors, and AI model routing. |
Role-Based Permissions Matrix
The table below outlines the core permissions assigned to each role:
| Feature / Action | CAE | Manager | Auditor | QA | Leadership | Client | Admin |
|---|---|---|---|---|---|---|---|
| Approve Annual Audit Plan | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Create Engagement | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Sign Off Workpaper | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Execute Test Procedures | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Draft Findings (CCCER) | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Submit PBC Evidence | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
| Approve Audit Report | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Configure KRIs & Alerts | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ |
| Manage Connectors / SSO | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |
Segregation of Duties (SoD)
To maintain audit compliance and prevent conflicts of interest, the platform strictly enforces the following SoD rules:
- Preparer vs. Reviewer: The auditor who prepares a workpaper cannot review or sign it off. Workpaper sign-off is restricted to the assigned Engagement Manager or CAE.
- Auditor vs. Auditee: Audit clients are locked out of internal fieldwork, risk assessments, and draft findings. They interact solely through the PBC (Provided By Client) collaboration portal.
- RAG Retrieval Scopes: The RAG-based AI Companion respects RBAC boundaries. The AI retrieves only user-authorized sources based on active session scopes.
User Provisioning & Tenant Assignment
1. Multi-Tenancy Isolation
Every user account is associated with a primary Organization (org_id) and one or more Business Units. Row-Level Security (RLS) dynamically filters all queries based on the user's org_id. Users cannot view or query data from other organizations under any circumstances.
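As an added illustration (not AIIA's own code), the check below models the permissions matrix above, the preparer-vs-reviewer SoD rule, and the org_id tenant filter in one deny-by-default authorization path; the Session and Workpaper shapes, the action names and the sample rows are hypothetical.

```python
from dataclasses import dataclass

# Core permissions from the matrix (action -> roles allowed). Anything absent is denied.
PERMISSIONS = {
    "approve_annual_plan": {"CAE"},
    "create_engagement": {"CAE", "Manager"},
    "sign_off_workpaper": {"Manager"},
    "execute_tests": {"Manager", "Auditor"},
    "draft_findings": {"Manager", "Auditor"},
    "submit_pbc_evidence": {"Client"},
    "approve_audit_report": {"CAE"},
    "configure_kris": {"QA"},
    "manage_connectors": {"Admin"},
}

@dataclass(frozen=True)
class Session:          # hypothetical shape of what an SSO login yields
    user_id: str
    org_id: str
    roles: frozenset

@dataclass(frozen=True)
class Workpaper:        # hypothetical row carrying its tenant key and preparer
    wp_id: str
    org_id: str
    prepared_by: str

# Constructed sample "table" holding rows from two different tenants.
WORKPAPERS = [
    Workpaper("WP-1", "org-A", "alice"),
    Workpaper("WP-2", "org-B", "bob"),
]

def fetch_workpaper(session, wp_id):
    """Row-level filter on org_id: rows of other tenants are invisible rather than
    'forbidden', so a caller cannot even confirm that they exist."""
    for wp in WORKPAPERS:
        if wp.wp_id == wp_id and wp.org_id == session.org_id:
            return wp
    return None

def authorize(session, action, workpaper=None):
    """Return (allowed, reason); every check must pass, in order."""
    if not session.roles & PERMISSIONS.get(action, set()):
        return False, "role lacks permission"
    if action == "sign_off_workpaper":
        if workpaper is None:
            return False, "workpaper not found in caller's tenant"
        if workpaper.prepared_by == session.user_id:   # SoD: preparer != reviewer
            return False, "SoD: preparer cannot sign off own workpaper"
    return True, "ok"
```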
2. Provisioning Steps
- Navigate to Admin → Users.
- Click Add User (which syncs/invites the user profile from Keycloak).
- Assign the user's primary organization tenant and relevant Business Units.
- Select one or more roles (e.g., Auditor and QA).
- Save the configuration. The user will immediately inherit access permissions upon their next SSO login.