# Permissions — Audit Universe

Who can do what in the Audit Universe and Library modules.

## Permission Matrix
| Action | Admin | CAE | Manager | Auditor | QA | Viewer | Client |
|---|---|---|---|---|---|---|---|
| View universe items | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Create universe items | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Edit universe items | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Delete universe items | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Archive universe items | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Import (bulk) | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Export | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| View risks | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Create risks | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Edit risks | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Delete risks | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| View controls | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Create controls | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Edit controls | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Delete controls | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Map risk-control links | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Use AI suggestions | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| Apply AI suggestions | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
## API Permission Strings

These are the granular permission strings used in the backend RBAC engine:

| Permission | Description |
|---|---|
| `universe:read` | View universe items |
| `universe:create` | Create new universe items |
| `universe:update` | Edit existing universe items |
| `universe:delete` | Delete universe items |
| `universe:import` | Bulk import |
| `universe:export` | Export data |
| `risk:read` | View risk statements |
| `risk:create` | Create risks |
| `risk:update` | Edit risks |
| `risk:delete` | Delete risks |
| `control:read` | View controls |
| `control:create` | Create controls |
| `control:update` | Edit controls |
| `control:delete` | Delete controls |
| `ai:suggest` | Request AI suggestions |
| `ai:apply` | Apply AI suggestions to records |
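The following is an added example (not the project's own RBAC engine) that encodes the Permission Matrix above as a role-to-permission map over the page's permission strings and checks a request against it with a deny-by-default rule. `ROLE_PERMISSIONS`, `has_permission` and `authorize` are assumed names for this illustration; only the roles and permission strings come from the page. Matrix rows that have no permission string listed (archiving and risk-control mapping) are deliberately left out rather than guessed.

```python
"""Role -> permission map derived from the Permission Matrix (example code,
not the project's implementation). Unknown roles and unknown permissions are
denied: the map is the single source of truth, and anything not in it is a
"no"."""

# Permission strings exactly as listed on the page.
UNIVERSE_ALL = frozenset({
    "universe:read", "universe:create", "universe:update",
    "universe:delete", "universe:import", "universe:export",
})
RISK_ALL = frozenset({"risk:read", "risk:create", "risk:update", "risk:delete"})
CONTROL_ALL = frozenset({"control:read", "control:create", "control:update", "control:delete"})
AI_ALL = frozenset({"ai:suggest", "ai:apply"})
ALL_PERMISSIONS = UNIVERSE_ALL | RISK_ALL | CONTROL_ALL | AI_ALL

# Read-only baseline shared by every internal role (Client gets nothing).
_READ_ONLY = frozenset({"universe:read", "universe:export", "risk:read", "control:read"})
# Create/update on all three entity types, no delete.
_AUTHOR = frozenset({
    "universe:create", "universe:update",
    "risk:create", "risk:update",
    "control:create", "control:update",
})

# Assumed name; the table below mirrors the matrix row by row.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "Admin":   ALL_PERMISSIONS,
    "CAE":     ALL_PERMISSIONS,
    # Manager: everything except the three delete permissions.
    "Manager": _READ_ONLY | _AUTHOR | AI_ALL | {"universe:import"},
    # Auditor: like Manager but without bulk import.
    "Auditor": _READ_ONLY | _AUTHOR | AI_ALL,
    # QA: read everything and request AI suggestions, but never apply them.
    "QA":      _READ_ONLY | {"ai:suggest"},
    # Viewer: read and export only.
    "Viewer":  _READ_ONLY,
    # Client: no access to the Audit Universe module at all.
    "Client":  frozenset(),
}


def has_permission(role: str, permission: str) -> bool:
    """True only if the role is known and the permission is granted to it."""
    if permission not in ALL_PERMISSIONS:
        return False  # typo'd or unlisted permission string: fail closed
    return permission in ROLE_PERMISSIONS.get(role, frozenset())


def authorize(role: str, permission: str) -> None:
    """Raise PermissionError unless the role holds the permission.

    Intended to sit in the request path before any data is touched, so a
    caller with the wrong role never reaches the query layer."""
    if not has_permission(role, permission):
        raise PermissionError(f"role {role!r} lacks {permission!r}")


def permissions_for(role: str) -> frozenset[str]:
    """All permission strings held by a role (empty for unknown roles)."""
    return ROLE_PERMISSIONS.get(role, frozenset())


if __name__ == "__main__":
    for role in ROLE_PERMISSIONS:
        print(f"{role:8} {len(permissions_for(role)):2} permissions")
```

Two properties are worth preserving in any real implementation of this check: the lookup fails closed for an unknown role or a misspelled permission string, and the authorisation decision is made before the query layer runs, so a denied request never produces a partial read.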
## Data Isolation

All audit universe data is isolated by organization through:

- API Layer — `PermissionChecker` dependency validates role and org membership
- Query Layer — `OrgScopedQuery` automatically filters by `org_id`
- Database Layer — PostgreSQL Row-Level Security (RLS) policies enforce isolation

> **Warning:** Users can never access universe items from another organization, regardless of their role. This is enforced at the database level.
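As an added example (not the project's `PermissionChecker` or `OrgScopedQuery` code), the in-memory model below shows the property the API and query layers are meant to guarantee: the caller's `org_id` is taken from the authenticated principal, never from the request, and every query is constrained by it before any other filter is applied. The PostgreSQL RLS layer is not simulated here; `Principal`, `UniverseItem`, `org_scoped_query` and `get_item` are assumed names, and the records are constructed sample data.

```python
"""Org-scoped query model (example code, not the project's implementation).

The scope comes from the principal, which the request handler obtained from
the session/token, so a client cannot pass someone else's org_id in a query
parameter. A miss in another org is reported exactly like a record that does
not exist, so the API does not leak whether an id is in use elsewhere."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Principal:
    """Authenticated caller; org_id comes from the session, not the request."""
    user_id: str
    org_id: str
    role: str


@dataclass(frozen=True)
class UniverseItem:
    id: int
    org_id: str
    name: str


# Constructed sample data: two organisations sharing one table.
ITEMS: list[UniverseItem] = [
    UniverseItem(1, "org-a", "Payroll"),
    UniverseItem(2, "org-a", "Treasury"),
    UniverseItem(3, "org-b", "Procurement"),
]


def org_scoped_query(principal: Principal,
                     items: Iterable[UniverseItem]) -> list[UniverseItem]:
    """Query-layer filter: the org_id predicate is always applied first and
    there is no parameter that lets a caller widen or disable it."""
    return [item for item in items if item.org_id == principal.org_id]


def get_item(principal: Principal, item_id: int,
             items: Iterable[UniverseItem] = ITEMS) -> Optional[UniverseItem]:
    """Fetch one item by id inside the caller's org. Returns None both for a
    non-existent id and for an id that belongs to another organisation."""
    for item in org_scoped_query(principal, items):
        if item.id == item_id:
            return item
    return None


def assert_same_org(principal: Principal, item: UniverseItem) -> None:
    """Write-path guard: even if a higher layer handed us a record, refuse to
    touch it unless it belongs to the caller's org (defence in depth below the
    query filter, above the database policy)."""
    if item.org_id != principal.org_id:
        raise PermissionError("cross-organisation access denied")


if __name__ == "__main__":
    admin_b = Principal("u-42", "org-b", "Admin")
    print([i.name for i in org_scoped_query(admin_b, ITEMS)])
    print(get_item(admin_b, 1))  # None: item 1 belongs to org-a
```

Note that the role is irrelevant to the scoping decision: an Admin of `org-b` sees exactly the same set as a Viewer of `org-b`, which is the behaviour the warning above describes.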
## Audit Trail

Every action in the Audit Universe module generates an `AuditLogEvent`:
| Action | Event Logged |
|---|---|
| Create entity | CREATE on AuditUniverseItem with all field values |
| Edit entity | UPDATE on AuditUniverseItem with before/after diff |
| Delete entity | DELETE on AuditUniverseItem with archived record |
| Risk create/edit/delete | Corresponding events on Risk |
| Control create/edit/delete | Corresponding events on Control |
| Import | IMPORT on AuditUniverseItem with count and results |
| Export | EXPORT on AuditUniverseItem with export parameters |
| AI suggestion request | AI_ACTION with request details and model used |
| AI suggestion applied | AI_ACTION with applied changes and confidence score |