Due to the sensitivity of complaints and the protection of complainers, the Anti-corruption commission guarantees that information provided is held and treated with the utmost confidentiality. Secured access to these grievances is of utmost importance. The public (Complainers) expect the system to protect the integrity and confidentiality of their identity information and to ensure the safety of the information provided.


Hence the GRM provides a comprehensive Identity and Access Management (IdAM) system that will provide secure access to its resources in an integrated and secured manner and at the same time protect the privacy of the users. Users' identities and roles are at the core of any operation. Roles need to be managed to facilitate the right access to the right resources. The figure below shows the general framework of the identity and life cycle management that has been implemented.



Access Management


Access Management involves (i) Authentication, (ii) Authorization, (iii) Auditing and reporting

Authentication


Users will be required to log in to the system with a username and password.


Authorizations


A user's entitlements for accessing a particular resource shall be determined against the permissions configured on that resource. Authorization will be implemented through role-based access control.


Role based access


A role will be defined as Administrator, Manager, Creator, Editor, View, etc. These roles will then be mapped to application permissions such as create, edit, delete and view on a record / file / table / database etc. The Administrator will be able to create the roles and assign permissions to these roles.


Audit and Reporting

This provides functions to monitor access management events and changes to directory objects.


An audit trail of the following activities is maintained: (i) User activities; (ii) Access violations; (iii) Authentication events; (iv) Authorization events; (v) Changes to database objects.


Required audit records will be produced and kept for an agreed period to assist future investigations and access control monitoring.


Password Policy


There is no password policy developed at the moment; this shall be provided after a review of the ICT policy for ACC.


Resources Classification


Level of sensitivity of data will be assigned when it is created, changed, enhanced, stored or transmitted. Classification of information will be done as


  • Public domain
  • Restricted
  • Private


All information and assets associated with information processing facilities are to be “owned” by a designated part of the organization and rules for the acceptable use of these will be identified at the time of information generation itself.


Modules of the IdAM


Adding and deleting users


This consists of adding a user account, deleting a user account, and temporarily locking or unlocking a user account.


Adding, editing and deleting user roles


This consists of adding a user group, editing a user group and deleting a user group. When a user group is edited, the system should apply the changes to all users assigned to that user group. The system should not allow a user group to be deleted if any user has been assigned to it.


Adding user to a role, removing user from the role


This consists of adding users to and removing users from a group.

Manage User Roles

The ability to manage users, their properties and user roles.

Permissions management


Configuring resources and assigning Create/Delete/View/Edit/Query permissions on resources.
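
The role, permission and audit rules described above, sketched as an added example; this is not code from the GRM system. The class, method and event names are assumptions made for illustration; the permission names and the rule that a role with assigned users cannot be deleted come from this page.

```python
from datetime import datetime, timezone

PERMISSIONS = {"create", "edit", "view", "delete", "list"}  # names used on this page


class RoleInUseError(Exception):
    """Raised when deleting a role that still has users assigned."""


class AccessManager:  # hypothetical name, not the GRM's own class
    def __init__(self):
        self.roles = {}    # role name -> set of permissions
        self.members = {}  # role name -> set of usernames
        self.audit = []    # append-only audit trail

    def _log(self, event, user, detail):
        self.audit.append({"time": datetime.now(timezone.utc).isoformat(),
                           "event": event, "user": user, "detail": detail})

    def define_role(self, admin, role, permissions):
        unknown = set(permissions) - PERMISSIONS
        if unknown:
            raise ValueError(f"unknown permissions: {sorted(unknown)}")
        self.roles[role] = set(permissions)
        self.members.setdefault(role, set())
        self._log("object_change", admin, f"{role}={sorted(permissions)}")

    def assign(self, admin, user, role):
        self.members[role].add(user)  # KeyError if the role was never defined
        self._log("object_change", admin, f"{user}->{role}")

    def delete_role(self, admin, role):
        # Refuse deletion while any user is still assigned to the role.
        if self.members.get(role):
            self._log("object_change_refused", admin, f"role {role} in use")
            raise RoleInUseError(role)
        self.roles.pop(role, None)
        self.members.pop(role, None)
        self._log("object_change", admin, f"deleted {role}")

    def is_allowed(self, user, permission):
        # Deny by default: access needs a role that carries the permission.
        granted = any(user in self.members[r] and permission in perms
                      for r, perms in self.roles.items())
        self._log("authorization" if granted else "access_violation",
                  user, permission)
        return granted
```

Every decision, granted or denied, lands in the audit list, so access violations can be reported from the same trail as successful authorizations.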



The following roles may be configured in the system:


Roles, with their View and Edit/create entitlements

GRM System Administrator

  View: Everything
  Edit/create: Everything

Complainers

  View:
  • Can see all records that have the same access group as the creator whether published or unpublished.
  • If it is desired that the creator does not see some progress records for whatever reason, then a different access group should be assigned to the specific progress record. This might be the case where a progress record is intended solely for other Grievance administrators or staff members.
  Edit/create:
  • Can raise grievances
  • The creator has to be logged in to be able to edit a grievance.
  • Cannot edit previous progress records.
  • Can provide progress information

Grievance Administrator (includes ACC Report Center & Grievance Redress Officer)

  View:
  • Can see all progress records
  Edit/create:
  • Can raise grievances
  • Can create/edit/delete cases, actions, progress information & resolutions
  • Can accept/reject grievances
  • Cannot edit previous progress records.
  • Can edit all other grievance records

Entity Manager (ACC National SSN Coordinator, for ACC and Grievance Redress Officer for NaCSA)

  View: As Grievance Administrator for a particular Entity only
  Edit/create: As Grievance Administrator for a particular Entity only

ACC National SSN Coordinator

  View:
  • Can see all records
  Edit/create:
  • Can edit all other grievance records

NaCSA District Coordinators, ACC Committee Management, SP Secretariat

  View:
  • Can see all progress records provided staff member has the appropriate access group assigned to them.
  Edit/create:
  • Cannot edit previous progress records.
  • Can raise grievances
  • Can provide progress records which have an access group that matches one of those of the staff member.

ACC District Coordinators & Regional Offices

  View:
  • Can see all progress records provided staff member has the appropriate access group assigned to them.
  Edit/create:
  • Cannot edit previous progress records.
  • Can raise grievances
  • Can provide progress records which have an access group that matches one of those of the staff member.

Civil Society Organization Monitors

  View:
  • Can see all progress records provided staff member has the appropriate access group assigned to them.
  Edit/create:
  • Cannot edit previous progress records.
  • Can raise grievances
  • Can provide progress records which have an access group that matches one of those of the staff member.

Local Councilors

  View:
  • Can see all progress records that are published, marked as public and which have an access group which matches that of the registered user.
  • Cannot see progress records marked 'private'.
  Edit/create:
  • No editing possible.

Public

  View:
  • Views progress records if the component is configured to display progress information, and the progress record is published, has an access group of 'public' assigned.
  • Cannot see progress records marked 'private' or 'registered'
  Edit/create:
  • No editing possible.

Logged in Registered User

  View:
  • Can see all progress records that are published, marked as public and which have an access group which matches that of the registered user.
  • Cannot see progress records marked 'private'.
  Edit/create:
  • No editing possible.




Viewing Users on the system


Users can be viewed from User Manager > Users > List Users.


The screen below will be presented



Adding New Users


Follow User Manager > Users > Add New Users



Fill in the Fields respectively.



Permissions


In general, four (4) permissions have been defined: “Create”, “Edit”, “Views”, “Delete” and “List”.


All permissions defined can be viewed from User Manager > Permissions > List Permissions




Assigning Permissions


Permissions can be assigned from User Manager > Permissions > Assigning Permissions


Permissions are added to Roles, so to assign permissions to a user, a role must be created, the user added to the role, and the role given the permissions needed.



Viewing Permissions assigned to a Role


User Manager > Permissions > Assigning Permissions

Select the View link next to the Role.

Creating Roles


Roles can be created from User Manager > Permissions > Define Roles






Assigning Users to Roles


Permissions can be assigned from User Manager > Roles > Assign Roles



From the screen below, select the add role button next to the user.





Roles may be assigned from the “edit user” screen, using the “access and permissions” tab.






Grievance Redress Management System