Permissions — Engagements
Permission Matrix
| Action | Auditor | Manager | CAE | QA | Client | Viewer |
|---|---|---|---|---|---|---|
| View engagements | ✅ Assigned | ✅ All | ✅ All | ✅ All | ❌ | ✅ |
| Create engagements | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Edit engagements | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Delete draft engagements | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Assign team members | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Advance engagement status | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Begin fieldwork | ✅ Lead auditor | ✅ | ✅ | ❌ | ❌ | ❌ |
| Submit for review | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Approve / finalize | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ |
| Close engagement | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ |
| Use AI scoping | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
Segregation of Duties
- The lead auditor performing fieldwork should not be the same person who approves the final report
- Engagement status transitions from REVIEW → FINAL require CAE approval
- The system logs who performed each status change in the audit trail
Data Isolation
Engagements are scoped by org_id. Every request is evaluated against the caller's organization, so a user can only view or act on engagements belonging to their own organization; the role matrix above applies only after that check has passed, and no role is exempt from it.
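The matrix, the segregation-of-duties rules and the org_id scoping above can be enforced by one authorization function that is consulted before every engagement operation. The following is an added example, not the project's own code: the role, action and status names (REVIEW, FINAL) come from this page, while the `User` and `Engagement` records, the `authorize`, `can` and `transition` functions, the `Denied` exception and the in-memory `AUDIT_TRAIL` are assumptions made here so the rules can be exercised.

```python
"""Authorization check for the engagement permission matrix.

Added example, not the project's own code. Role/action/status names
follow the page; the User and Engagement records, authorize()/can()/
transition(), Denied and the in-memory AUDIT_TRAIL are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Permission matrix from the page: action -> roles that hold it.
# Auditor entries marked "Assigned" / "Lead auditor" are narrowed further
# in authorize() because they depend on the engagement, not only the role.
MATRIX = {
    "view":              {"Auditor", "Manager", "CAE", "QA", "Viewer"},
    "create":            {"Manager", "CAE"},
    "edit":              {"Manager", "CAE"},
    "delete_draft":      {"Manager", "CAE"},
    "assign":            {"Manager", "CAE"},
    "advance_status":    {"Manager", "CAE"},
    "begin_fieldwork":   {"Auditor", "Manager", "CAE"},
    "submit_for_review": {"Manager", "CAE"},
    "approve":           {"CAE"},
    "close":             {"CAE"},
    "ai_scoping":        {"Manager", "CAE"},
}

# Actions where an Auditor's grant is scoped by assignment on the engagement.
AUDITOR_SCOPE = {"view": "assigned", "begin_fieldwork": "lead"}


@dataclass
class User:
    id: str
    org_id: str
    role: str


@dataclass
class Engagement:
    id: str
    org_id: str
    status: str                                   # e.g. "REVIEW", "FINAL"
    team: Set[str] = field(default_factory=set)   # assigned user ids
    lead_auditor: Optional[str] = None            # user id of the lead


# (engagement_id, actor_id, action, from_status, to_status): who changed what
AUDIT_TRAIL: List[Tuple[str, str, str, str, str]] = []


class Denied(Exception):
    pass


def authorize(user: User, eng: Engagement, action: str) -> bool:
    """Raise Denied unless `user` may perform `action` on `eng`.

    Order matters: org isolation is checked before the role matrix so a
    cross-org request is refused identically for every role, and the
    segregation-of-duties rule is keyed on identity, not role.
    """
    # Data isolation: engagements are scoped by org_id.
    if user.org_id != eng.org_id:
        raise Denied("engagement belongs to another organization")
    # Role matrix.
    if user.role not in MATRIX.get(action, set()):
        raise Denied(f"role {user.role} may not {action}")
    # Auditor grants are narrowed to assignment / lead status.
    if user.role == "Auditor":
        scope = AUDITOR_SCOPE.get(action)
        if scope == "assigned" and user.id not in eng.team:
            raise Denied("auditor is not assigned to this engagement")
        if scope == "lead" and user.id != eng.lead_auditor:
            raise Denied("only the lead auditor may begin fieldwork")
    # Segregation of duties: whoever led fieldwork cannot approve the report.
    if action == "approve" and user.id == eng.lead_auditor:
        raise Denied("lead auditor cannot approve their own engagement")
    return True


def can(user: User, eng: Engagement, action: str) -> bool:
    """Boolean wrapper around authorize() for callers that only need yes/no."""
    try:
        return authorize(user, eng, action)
    except Denied:
        return False


def transition(user: User, eng: Engagement, new_status: str) -> str:
    """Change engagement status and record the actor in the audit trail.

    REVIEW -> FINAL is the approval step and is gated by the CAE-only
    "approve" permission; every other transition uses "advance_status".
    """
    if (eng.status, new_status) == ("REVIEW", "FINAL"):
        action = "approve"
    else:
        action = "advance_status"
    authorize(user, eng, action)
    AUDIT_TRAIL.append((eng.id, user.id, action, eng.status, new_status))
    eng.status = new_status
    return eng.status


if __name__ == "__main__":
    # Constructed sample data, not from the page.
    cae = User("u1", "orgA", "CAE")
    eng = Engagement("e1", "orgA", "REVIEW", team={"u3"}, lead_auditor="u3")
    print(transition(cae, eng, "FINAL"), AUDIT_TRAIL[-1])
```

Two points the example makes that the matrix alone does not: the org_id check runs first and independently of role, so even a CAE from another organization is refused before any role logic runs, and the segregation-of-duties rule compares user identity to the engagement's lead auditor rather than roles, so a CAE who happened to lead fieldwork on an engagement is still blocked from approving it. Begin fieldwork and close would be routed through `transition` the same way once their status names are fixed; the page names only REVIEW and FINAL, so only that transition is special-cased here.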