Role overview
- CISO
- Auditor
- Owner
The CISO role has full access across the entire platform. A CISO can:
- Create, edit, and delete records in all sections (clauses, controls, assets, risks, audits, evidence, findings)
- Switch between tenant workspaces
- Access the Clients admin page
- Generate and export reports (Executive Report, SoA PDF)
Permissions matrix
| Feature | CISO | Auditor | Owner |
|---|---|---|---|
| View clauses (4–10) | Yes | Yes | Yes |
| Edit requirement states | Yes | No | Yes |
| View Annex A controls | Yes | Yes | Yes |
| Edit control evaluations | Yes | No | Yes |
| View asset inventory | Yes | Yes | Yes |
| Add / edit / delete assets | Yes | No | Yes |
| View risk register | Yes | Yes | Yes |
| Add / edit / delete risks | Yes | No | Yes |
| View audit records | Yes | Yes | Yes |
| Create / edit audits | Yes | No | Yes |
| View evidence library | Yes | Yes | Yes |
| Add / delete evidence | Yes | No | Yes |
| View findings | Yes | Yes | Yes |
| Create / close findings | Yes | No | Yes |
| Generate Executive Report | Yes | Yes | Yes |
| Export SoA PDF | Yes | Yes | Yes |
| Switch tenant workspaces | Yes | No | No |
| Access Clients admin page | Yes | No | No |
Read-only mode for Auditors
When an Auditor logs in, ISOwl sets the `isReadOnly` flag to true for the session. This flag is checked before rendering any edit control across the application. Buttons, forms, and inline editors that would modify data are hidden or disabled automatically — no additional configuration is required.
Read-only mode applies to the entire session. It cannot be partially lifted for specific sections without changing the user’s role assignment.
Role and tenant type mapping
Each user account has both a role and a tenant type. The tenant type controls whether the user can access multi-tenant features.
| Account | Role | Tenant type | Can access /clients |
|---|---|---|---|
| admin@agencia.com | CISO | AGENCY | Yes |
| owner@cliente.com | OWNER | CLIENT | No |
The Clients page performs a client-side check: `authUser.type === 'AGENCY'`. Users with the CLIENT tenant type see an “Acceso Restringido” message and cannot use the page, regardless of their role.
Frequently asked questions
Can an Auditor export reports?
Yes. Both the Executive Report PDF and the SoA export are accessible to all roles including Auditor — there is no role-based restriction on the export buttons. Auditors can generate reports for review purposes without being able to modify the underlying data.
Can an Owner manage other client workspaces?
No. Owner-role users are scoped to their own tenant. They cannot see other client workspaces, switch tenants, or access the Clients admin page.
How do I change a user's role?
Role assignments are managed in the authentication configuration. Contact your ISOwl administrator to update role assignments for your team.
What happens if an Auditor tries to edit a control?
The edit controls are not rendered for Auditor sessions. If the request reaches the application layer regardless, the `isReadOnly` check prevents the state update from being applied.
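The following is an added example, not ISOwl's own code, that encodes the permissions matrix and the role/tenant-type mapping from this page as a single policy function, derives the session-wide read-only flag from the role, and applies the same decision at the point where a state change is committed (the behaviour the FAQ answer above describes), so that hiding edit controls in the UI and refusing the update in the application layer use one rule. The constants and function names (`ROLES`, `can`, `applyMutation`, `AuthorizationError`, `demo`) and the auditor sample account are assumptions; the CISO and Owner sample accounts are taken from the mapping table.

```javascript
// Added example, not ISOwl's own code. Encodes this page's permissions
// matrix and tenant-type mapping as one policy function and enforces it
// both when rendering edit controls and when a mutation is applied.
// All identifiers below are assumptions, not ISOwl's API.

const ROLES = Object.freeze({ CISO: 'CISO', AUDITOR: 'AUDITOR', OWNER: 'OWNER' });
const TENANT_TYPES = Object.freeze({ AGENCY: 'AGENCY', CLIENT: 'CLIENT' });

// Actions grouped as in the matrix: every role may view and export,
// mutations are denied to the read-only role, and the multi-tenant
// features are limited to CISO accounts on an AGENCY tenant.
const VIEW_ACTIONS = new Set([
  'viewClauses', 'viewControls', 'viewAssets', 'viewRisks',
  'viewAudits', 'viewEvidence', 'viewFindings',
  'generateExecutiveReport', 'exportSoaPdf',
]);
const MUTATING_ACTIONS = new Set([
  'editRequirementState', 'editControlEvaluation', 'manageAssets',
  'manageRisks', 'manageAudits', 'manageEvidence', 'manageFindings',
]);
const TENANT_ADMIN_ACTIONS = new Set(['switchTenant', 'accessClientsPage']);

// Session-wide flag: an Auditor is read-only in every section.
function isReadOnly(user) {
  return user.role === ROLES.AUDITOR;
}

// Single decision point shared by the renderer and the mutation layer.
function can(user, action) {
  if (VIEW_ACTIONS.has(action)) return true;
  if (MUTATING_ACTIONS.has(action)) return !isReadOnly(user);
  if (TENANT_ADMIN_ACTIONS.has(action)) {
    // The page's Clients-page check is tenant type === 'AGENCY';
    // the matrix additionally limits these rows to the CISO role.
    return user.type === TENANT_TYPES.AGENCY && user.role === ROLES.CISO;
  }
  return false; // unknown action: deny by default
}

class AuthorizationError extends Error {}

// Apply a state change only when the policy allows it. `state` is a plain
// object and `update` returns the new state; a denied request leaves the
// state untouched and raises, as the FAQ describes for Auditor sessions.
function applyMutation(user, action, state, update) {
  if (!MUTATING_ACTIONS.has(action)) {
    throw new AuthorizationError(`${action} is not a mutating action`);
  }
  if (!can(user, action)) {
    throw new AuthorizationError(`${user.role} may not ${action} (read-only session)`);
  }
  return update(state);
}

// Sample accounts: ciso and owner come from the mapping table on this page;
// the auditor account is constructed for the example.
const SAMPLE_USERS = {
  ciso: { email: 'admin@agencia.com', role: ROLES.CISO, type: TENANT_TYPES.AGENCY },
  owner: { email: 'owner@cliente.com', role: ROLES.OWNER, type: TENANT_TYPES.CLIENT },
  auditor: { email: 'auditor@example.invalid', role: ROLES.AUDITOR, type: TENANT_TYPES.CLIENT },
};

// Evaluate every matrix row for one user, e.g. to drive UI rendering.
function permissionsFor(user) {
  const all = [...VIEW_ACTIONS, ...MUTATING_ACTIONS, ...TENANT_ADMIN_ACTIONS];
  return Object.fromEntries(all.map((a) => [a, can(user, a)]));
}

// Walk through the FAQ scenario: an Owner edits a control evaluation,
// an Auditor attempts the same mutation and is refused.
function demo() {
  const controls = { 'A.5.1': 'not_evaluated' }; // constructed sample state
  const next = applyMutation(SAMPLE_USERS.owner, 'editControlEvaluation', controls,
    (s) => ({ ...s, 'A.5.1': 'implemented' }));
  let denied = false;
  try {
    applyMutation(SAMPLE_USERS.auditor, 'editControlEvaluation', controls, (s) => s);
  } catch (e) {
    denied = e instanceof AuthorizationError;
  }
  return { next, denied, unchanged: controls['A.5.1'] };
}

console.log(permissionsFor(SAMPLE_USERS.auditor));
console.log(demo());
```

The point of routing both the renderer and `applyMutation` through `can` is that the page's read-only behaviour stays consistent: the same function that decides whether an edit button is rendered also decides whether a state update is committed, and an action the policy does not know about is denied rather than allowed.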