Version: 1.0.0-beta

Permissions — Findings & Remediation

Access to findings is controlled through RBAC. The principle of least privilege ensures that each role can only perform actions appropriate to their function.

Permission Matrix

Findings

Action	Auditor	Manager	CAE	QA	Client	Viewer
View findings	✅ Own engagements	✅ All	✅ All	✅ All	❌	✅ Read-only
Create findings	✅	✅	✅	❌	❌	❌
Edit draft findings	✅ Own	✅ All	✅ All	❌	❌	❌
Submit for management response	✅	✅	✅	❌	❌	❌
Finalize findings	❌	✅	✅	❌	❌	❌
Close findings	❌	✅	✅	❌	❌	❌
Delete draft findings	❌	✅	✅	❌	❌	❌
Use AI Draft	✅	✅	✅	❌	❌	❌

Action Plans

Action	Auditor	Manager	CAE	Action Owner	Client
Create action plans	❌	✅	✅	❌	❌
View action plans	✅	✅	✅	✅ Own	❌
Mark as Implemented	❌	❌	❌	✅ Own	❌
Upload remediation evidence	✅	✅	✅	✅ Own	❌
Verify action plan	✅	✅	✅	❌	❌
Close action plan	❌	✅	✅	❌	❌

Follow-Up Tests

Action	Auditor	Manager	CAE
Create follow-up tests	✅	✅	✅
Execute and record results	✅	✅	✅
Upload follow-up evidence	✅	✅	✅

Segregation of Duties (SoD)

The creator of a finding cannot also be the reviewer who finalizes it
The action plan owner cannot mark their own plan as Verified — a separate auditor must verify
AI-generated findings always require human approval before leaving DRAFT status

Organization-Level Isolation

Findings are scoped by org_id through the parent engagement. Users can only see findings for engagements within their organization, enforced at the API layer.

API Permission Checks

All RBAC checks are enforced at both API and UI levels:

# API: Every endpoint validates
POST   /api/v1/findings         → requires finding:create
PUT    /api/v1/findings/{id}    → requires finding:update + ownership check
DELETE /api/v1/findings/{id}    → requires finding:delete + status == DRAFT
POST   /api/v1/findings/{id}/close → requires finding:close

Permission Matrix​

Findings​

Action Plans​

Follow-Up Tests​

Segregation of Duties (SoD)​

Organization-Level Isolation​

API Permission Checks​