Context & Problem Statement
Currently, users on the platform have broad access to most modules. Multiple enterprise customers (Aqua Global and Aqovia) have requested the ability to "gatekeep" highly sensitive security tools from standard users.
Standard contributors need to work on daily compliance workflows, but they should not have visibility or access to critical security infrastructure, endpoint monitoring, or sensitive risk registers.
Acceptance Criteria (AC)
Role/Permission Separation: Introduce a new permission toggle or distinct user roles (e.g., Standard Contributor vs. Security Admin) to control module visibility.
Allowed Access (Standard Users): Users restricted from advanced tools must still retain full access to:
View and edit Controls.
View and update Tasks.
Upload and manage Evidence.
Restricted Access (Gatekept Modules): The following modules must be hidden from the UI and protected via backend authorization checks (403 Forbidden) for restricted users:
Endpoint Monitoring Tools / Penetration Testing.
ISMS Dashboard.
Risk Register.
Incident Management.
UI Navigation: The sidebar navigation should dynamically hide the links to restricted modules if the authenticated user lacks the required permissions.
In Review
Feature Request
3 months ago

Shreya Yadav
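
An added sketch of the acceptance criteria above (not part of the original request and not the platform's code): one allow-list policy drives both the backend 403 check and the sidebar, so hiding a link is never the only thing protecting a gated module. Role names follow the request's examples; the module slugs, URL paths and function names are assumptions.

```python
from enum import Enum


class Role(Enum):
    STANDARD_CONTRIBUTOR = "standard_contributor"
    SECURITY_ADMIN = "security_admin"


# Modules named in the request; the slugs themselves are assumed.
OPEN_MODULES = ("controls", "tasks", "evidence")
GATED_MODULES = (
    "endpoint-monitoring",
    "penetration-testing",
    "isms-dashboard",
    "risk-register",
    "incident-management",
)

# Allow-list per role. Anything not listed is denied.
POLICY = {
    Role.STANDARD_CONTRIBUTOR: frozenset(OPEN_MODULES),
    Role.SECURITY_ADMIN: frozenset(OPEN_MODULES + GATED_MODULES),
}


def can_access(role, module):
    """Deny by default: unknown roles and unlisted modules get no access."""
    return module in POLICY.get(role, frozenset())


def authorize(role, path):
    """Backend check: HTTP status for a request path such as /risk-register/42."""
    module = path.strip("/").split("/", 1)[0]
    return 200 if can_access(role, module) else 403


def sidebar(role):
    """Navigation links built from the same policy the backend enforces."""
    return [m for m in OPEN_MODULES + GATED_MODULES if can_access(role, m)]


if __name__ == "__main__":
    user = Role.STANDARD_CONTRIBUTOR
    print(sidebar(user))
    # A restricted user typing the URL directly is still refused server-side.
    print(authorize(user, "/risk-register/42"))
```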