RBAC · Role-based access control

Give everyone exactly the access they need. Nothing more.

RBAC lets you control precisely what each person can see and do across the whole platform: which modules they reach, which records they touch, whether they can edit or only read. Bring an external auditor in on a scoped, read-only view that hides everything confidential. Separate who can act from who can approve on sensitive work. And turn least-privilege from a policy you assert into a control you can actually evidence.

Module, object, scope, and tag level controlRead-only access for auditors and stakeholdersLeast-privilege you can demonstrate to an auditor

What is RBAC in Acuna?

RBAC is Acuna's role-based access control. It is delivered through access profiles: named permission templates that decide which modules a user sees, what they can do with each type of record (edit, read-only, own-records-only, or hidden), which scopes and tags they are limited to, and whether their whole view is read-only. You can give an external auditor a scoped, read-only profile that hides confidential records, restrict a department manager to their own area, or grant a board member a read-only overview, all without touching anyone else's access. Access control runs as one consistent layer across every module, so permissions do not drift between tools.

Access is usually all or nothing. That's the problem.

Most teams face a choice between locking someone out and handing them the keys to everything. So the external auditor gets a login that sees confidential records they have no business reading, the department manager sees every other department's risks, and the board member who wanted a summary can edit live data.

The alternative, a spreadsheet of who-can-see-what maintained by hand, drifts out of date the day it is written. RBAC replaces both with precise, consistent control: each person sees exactly their slice, and you can prove it.

The right access, safely granted, and provable.

Profile · External Auditor

Read-only modeOn
Confidential tagconfidentialHidden
ScopeScoped

Let auditors and outsiders in without exposing everything.

Give an external auditor a read-only profile scoped to what they need, with confidential records hidden by tag. They see enough to do the audit and nothing they should not, without you building a sanitised copy of your data.

Supplier risk actions

Evaluate assessmentRisk analyst
Set supplier ratingRisk manager only
Send to vendorRisk manager only
Export dataAdmin only

Separate duties on sensitive work.

On third-party risk, control who can evaluate an assessment, who can set a supplier's rating, who can send to a vendor, and who can export data, as separate permissions. The person who runs an evaluation need not be the person who signs off the rating.

Scope · Dept. Manager

Engineering scope
Finance scopehidden
HR scopehidden
Legal scopehidden

Scope people to their own area.

Restrict a department manager to their scope, so they work their own risks, controls, and assets without seeing, or changing, anyone else's.

Least-privilege evidence

ISO 27001A.5.15 Access control
SOC 2CC6.3 Logical access
NIS2Art. 21 Access policy

Configured · consistent · evidenceable

Make least-privilege a control, not a claim.

Access control is itself a requirement under ISO 27001, SOC 2, and NIS2. Because Acuna's RBAC is configured and consistent, least-privilege becomes something you can show an auditor, not just assert in a policy.

Five levers, per profile.

An access profile sets, for the people assigned to it:

01

Module visibility.

Which parts of the platform a person reaches. Unselected modules disappear from their navigation entirely.

02

Record-level access.

For each type of record, risks, controls, assets, suppliers, and the rest, choose whether the user can edit, view read-only, work only with records they own, or not see that type at all.

03

Scope restrictions.

Lock a user to specific scopes. Their view stays inside the allowed scopes and cannot be widened.

04

Tag restrictions.

Limit a user to records carrying certain tags, or hide records carrying certain tags. A common pattern is hiding everything tagged confidential from external users.

05

Read-only mode.

A view-everything-permitted, change-nothing setting that overrides every other toggle, for auditors, reviewers, and stakeholders who should look but not touch.

Action-level control on third-party risk

Where the work is sensitive, control goes deeper than view-or-edit. On supplier risk, individual actions, evaluating an assessment, rating a supplier, sending to a vendor, exporting data, managing evidence, are each their own permission, so you can separate duties on the work that carries the most exposure.

Templates that match real situations.

Build profiles for the access patterns every regulated team runs into: an external auditor on a read-only, confidential-hidden view; a department manager scoped to their own area; a board or executive stakeholder on a read-only overview; a read-only reviewer who validates without editing. Assign a profile to a person in one step, change it in one step, and a person with no profile keeps the access their base role allows.

External Auditor

Read-only · confidential hidden · scoped

Department Manager

Own scope only · edit within area

Board Stakeholder

Read-only overview · no edit

Read-only Reviewer

View all permitted · change nothing

One access layer, not a permission set per tool.

In a stack of separate tools, every tool has its own permission model, and they drift apart, which is how the auditor who was offboarded in one system keeps access in another. Because Acuna is one connected platform, RBAC is one consistent layer across every module and every record type. Access you grant or revoke applies everywhere at once.

The platform's AI assistant respects the same boundaries: it never surfaces a record a user could not already reach themselves. One model, applied consistently, is easier to govern and easier to prove.

Connected to:AikoSupplier ShieldPlatform overview

Built for the people accountable for access.

CISO / Head of Security

Enforce least-privilege and separate duties programme-wide.

Configure least-privilege across the whole programme and separate duties on sensitive work, with a configuration you can show an auditor as evidence of access control.

Compliance / Audit Team

Bring external auditors in safely and satisfy framework requirements.

Give external auditors a scoped, read-only view safely, and satisfy the access-control requirements of ISO 27001, SOC 2, and NIS2 with the same mechanism.

Platform Administrator

Manage who sees and does what from one place.

Manage who sees and does what from one place, without hand-maintained permission spreadsheets that fall out of date.

Common questions about RBAC.

See access control done in one layer.

Get a demoSee the platform →