I noticed that if an audit ownership role (“audit owner” or “audit collaborator”) is a group and not a person, then people in the group do not get notified to perform the audit. In addition, they do not see the control on their personal user dashboard. Hence, this becomes problematic. While in theory we should have one person as owner of a control, in practice we need to have at least 2 people when accounting for holidays, sickness, etc. However, I do not want to add people directly to controls or audits, as that will be very tedious. I would rather have groups associated with audits and then update the groups accordingly.
I understand the problem. I have created one group called “read, edit group”; I want the users to read and edit but not delete. Then I have also associated a logical group such as “infosec team” or “data team”; for these groups all permissions are denied. Finally, I added the “read, edit group” + a logical group to a user. However, if I associate one of these logical groups with a control, he will see nothing due to permissions.
I used this design because if I need to create different logical groups with the same permissions, the job is very tedious and takes a lot of time (accepting and denying permission by permission in the ACL); there is no clone option to duplicate groups and their respective permissions.
In summary, groups are working as intended. I am doing a bad design due to the tedious work of going permission by permission. Hence, I am missing a cloning option to facilitate the creation of new groups. Creating 10 groups with the same permissions will take hours instead of a few seconds if cloned and tweaked. Is this something we could add in a future release?