title: Strict Mode and granular access control
description: Advanced role-based access control per compliance object in Tidal Control
sidebar_position: 3

Strict Mode and granular access control

What is Strict Mode?

Strict Mode is an advanced security setting in Tidal Control that enforces granular access control at the object level. Instead of global rights, users only get access to the specific controls, assets and risks they are explicitly assigned to.

Differences from standard mode:

  • Standard mode - Regular Users can see and edit all compliance objects, and can contribute to all tasks
  • Strict Mode - Regular Users can only work on objects they have explicit rights to
  • Zero-trust principle - No access unless explicitly granted
  • Enhanced security - Ideal for large organizations with sensitive compliance data

Recognizing Strict Mode indicator

You can see if your organization uses Strict Mode via the green "Strict Mode" indicator at the top right of the Tidal Control interface next to "Ask TidalBot".

[Figure: Strict Mode indicator]

When to use Strict Mode:

  • Large organizations with many departments and compliance objects
  • Sensitive compliance data requiring compartmentalization
  • Regulatory requirements for data access control
  • Multi-tenant environments within one organization
  • Strict audit requirements for access to compliance information

Turning on Strict Mode

Send an email to support@tidalcontrol.com and we'll set it up for you. Additional license costs apply to using Strict Mode.

Understanding object-level roles

In Strict Mode, users get two layers of roles: global user roles AND object-specific roles per control, asset or risk.

Global user roles (unchanged)

Read Only User:

  • Can view assigned objects
  • No execution rights on any object
  • No object assignment possible

Regular User:

  • Can be assigned to specific objects
  • Execution rights depending on object-level role
  • Only sees assigned objects

Super User:

  • Full access to all objects (bypasses Strict Mode)
  • Can assign object-level roles to other users
  • Manages Strict Mode configuration

Object-level roles (Strict Mode specific)

In Strict Mode the following additional rights are applied to Regular Users.

These rights can be set per compliance object (control, risk, asset).

Viewer:

  • Read-only access to the specific object
  • Can view object details and consult historical data
  • No changes possible to object or related tasks
  • No contribution to tests or evidence collection

Info

The Viewer role is still in development and cannot yet be assigned. Use the Read-only user-level role for this.

Executor:

  • Everything from Viewer plus execution rights
  • Automatically gets the Contributor role on new execution tasks
  • Can therefore upload evidence and update task status
  • Can post messages in object discussions
  • Cannot modify or delete the object

Assessor:

  • Everything from Viewer plus assessment rights
  • Automatically gets the Contributor role on new assessment tasks
  • Can therefore upload evidence and update task status
  • Can post messages in object discussions
  • Cannot modify or delete the object

Owner:

  • Everything from Contributor plus management rights
  • Create, modify and delete object
  • Schedule tasks and set deadlines
  • Assign other users to the object
  • Full responsibility for object lifecycle

Example scenario: Control A.01 "Information Security Policy"

Alice (Viewer):

  • ✅ Can view control details
  • ✅ Can see implementation status
  • ✅ Can view historical changes
  • ❌ Cannot execute tasks
  • ❌ Cannot upload evidence
  • ❌ Cannot modify control

Bob (Executor):

  • ✅ Everything Alice can do
  • ✅ Can execute execution tasks
  • ✅ Can upload evidence and post messages
  • ✅ Can update implementation status
  • ❌ Cannot modify control configuration
  • ❌ Cannot assign other users

Charlie (Owner):

  • ✅ Everything Bob can do
  • ✅ Can modify control configuration
  • ✅ Can schedule tasks and set deadlines
  • ✅ Can assign other users as Viewer or Contributor
  • ✅ Can archive or delete control

Tip

Use Plans to automate role assignment to tasks.

Assigning object-level roles

Assigning roles as Super User

Access to role management:

  1. Go to the specific object (Control, Asset or Risk)
  2. Open the "Details" section in the object sidebar
  3. Navigate to the relevant role field (Owner or Contributor)
  4. Select users from the organization list
  5. Choose an object-level role per user (Executor, Assessor or Owner)
  6. Confirm the assignment to grant access

Bulk role assignment

Efficient assignment for multiple objects:

  1. Navigate to the overview page of the relevant object type (controls, risks and/or assets)
  2. Select the relevant objects with the checkboxes on the left of the overview
  3. The relevant action buttons appear at the top of the table
  4. Choose "Assign to" and select a user from the list
  5. The user now has the Owner role on all selected objects

Rights inheritance and hierarchy

Asset-Control relationships

When an Asset is linked to Controls:

  • Asset Owner automatically gets Viewer rights on linked Controls
  • Control Owner automatically gets Viewer rights on linked Assets
  • Explicit roles override inherited rights
  • Changes in links automatically update rights

Control-Task relationships

When a Task is linked to Controls:

  • Control Owner automatically gets Owner rights on linked Tasks
  • Control Executor automatically gets Contributor rights on linked execution tasks
  • Control Assessor automatically gets Contributor rights on linked assessment tasks
  • Explicit roles override inherited rights
  • Changes in links automatically update rights

Info

The same applies to Asset-Task relationships.
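As an added illustration (Python written for this page, not Tidal Control's own code), the following models the two-layer role model from "Understanding object-level roles" together with the inheritance and override rules in this section, so the example scenario for control A.01 can be checked programmatically. The object identifiers ("control:A.01", "asset:HR-DB", "task:T1"), the capability names and the ReadOnly/Regular/Super labels are assumptions of the model, not Tidal Control identifiers.

```python
from dataclasses import dataclass, field
# Capabilities per object-level role as this page describes them; Contributor is the
# task-level role that Executors and Assessors receive on their own task type.
CONTRIB = {"view", "upload_evidence", "update_status", "post_message"}
CAPS = {"Viewer": {"view"}, "Contributor": CONTRIB, "Executor": CONTRIB, "Assessor": CONTRIB,
        "Owner": CONTRIB | {"modify", "delete", "schedule", "assign"}}
@dataclass
class Org:
    global_roles: dict                             # user -> "ReadOnly" | "Regular" | "Super"
    explicit: dict = field(default_factory=dict)   # (user, object) -> object-level role
    links: dict = field(default_factory=dict)      # asset -> set of linked controls
    tasks: dict = field(default_factory=dict)      # task -> (parent object, task type)

def inherited_role(org, user, obj):
    """Role derived only from links (the Asset-Control and Control/Asset-Task rules)."""
    kind = obj.split(":", 1)[0]
    if kind == "control" and any(org.explicit.get((user, a)) == "Owner"
                                 for a, cs in org.links.items() if obj in cs):
        return "Viewer"  # Asset Owner -> Viewer on linked Controls
    if kind == "asset" and any(org.explicit.get((user, c)) == "Owner" for c in org.links.get(obj, ())):
        return "Viewer"  # Control Owner -> Viewer on linked Assets
    if kind == "task":
        parent, task_type = org.tasks[obj]
        parent_role = org.explicit.get((user, parent))
        if parent_role == "Owner":
            return "Owner"  # Control/Asset Owner -> Owner on linked tasks
        if (parent_role, task_type) in {("Executor", "execution"), ("Assessor", "assessment")}:
            return "Contributor"  # Executor/Assessor -> Contributor on their task type only
    return None  # nothing on the page grants more, so deny by default

def effective_role(org, user, obj):
    g = org.global_roles.get(user)
    if g == "Super":
        return "Owner"  # Super Users bypass Strict Mode entirely
    role = org.explicit.get((user, obj)) or inherited_role(org, user, obj)  # explicit overrides inherited
    if role and g == "ReadOnly":
        return "Viewer"  # Read Only users never get execution rights
    return role  # None means no access (zero-trust default)

def can(org, user, obj, action):
    role = effective_role(org, user, obj)
    return role is not None and action in CAPS[role]

ORG = Org(  # constructed sample: the page's A.01 scenario plus one linked asset and two tasks
    global_roles={"alice": "Regular", "bob": "Regular", "charlie": "Regular", "dana": "Super"},
    explicit={("alice", "control:A.01"): "Viewer", ("bob", "control:A.01"): "Executor",
              ("charlie", "control:A.01"): "Owner"},
    links={"asset:HR-DB": {"control:A.01"}},
    tasks={"task:T1": ("control:A.01", "execution"), "task:T2": ("control:A.01", "assessment")},
)
```

Because access is denied unless a rule grants it, the model also shows that an Executor inherits nothing on assessment tasks and that a Viewer on a control inherits nothing on the linked asset.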

Next steps

Now that you understand Strict Mode:

  • Evaluate organizational need for granular access control
  • Design role strategy based on business requirements
  • Plan gradual implementation with pilot groups
  • Develop governance procedures for ongoing role management
  • Train team managers on their access control responsibilities