Profile · External Auditor
Read-only modeOn
Confidential tagconfidentialHidden
ScopeScoped
Let auditors and outsiders in without exposing everything.
Give an external auditor a read-only profile scoped to what they need, with confidential records hidden by tag. They see enough to do the audit and nothing they should not, without you building a sanitised copy of your data.
Supplier risk actions
✓Evaluate assessmentRisk analyst
Set supplier ratingRisk manager only
Send to vendorRisk manager only
Export dataAdmin only
Separate duties on sensitive work.
On third-party risk, control who can evaluate an assessment, who can set a supplier's rating, who can send to a vendor, and who can export data, as separate permissions. The person who runs an evaluation need not be the person who signs off the rating.
Scope · Dept. Manager
●Engineering scope
○Finance scopehidden
○HR scopehidden
○Legal scopehidden
Scope people to their own area.
Restrict a department manager to their scope, so they work their own risks, controls, and assets without seeing, or changing, anyone else's.
Least-privilege evidence
ISO 27001A.5.15 Access control✓
SOC 2CC6.3 Logical access✓
NIS2Art. 21 Access policy✓
Configured · consistent · evidenceable
Make least-privilege a control, not a claim.
Access control is itself a requirement under ISO 27001, SOC 2, and NIS2. Because Acuna's RBAC is configured and consistent, least-privilege becomes something you can show an auditor, not just assert in a policy.