AI-Powered RFP Software for Faster Sales | Iris AI

Iris Permissions: Granular, Least‑Privilege Access for RFPs, DDQs, and Security Questionnaires

Why granular permissions matter in RFP workflows

High‑stakes documents (RFPs, DDQs, security questionnaires) demand both speed and control. Iris Permissions delivers least‑privilege, role‑based access down to the individual question so teams can collaborate confidently without oversharing sensitive content. These controls apply consistently across Iris and its integrations (Slack, Chrome, CRM/knowledge systems), with audit trails and exportable logs to prove who saw, edited, or approved what and when.

Permission hierarchy and scope

Iris enforces the principle of least privilege across a layered model:

  • Workspace and library scope: control who can access knowledge libraries and security documentation hubs.

  • Project scope: limit visibility for a specific RFP/DDQ/security questionnaire, including attached evidence and exports.

  • Section scope: restrict ownership/visibility for a document section (e.g., Security, Legal, Pricing) when needed for confidentiality.

  • Question scope: assign read/draft/approve rights to individual questions, enabling true need‑to‑know collaboration.

  • Artifact scope: govern exports, redlines, and evidence packets; log every export for audit.

Result: contributors only see what they must see to perform their role—no more, no less—while leaders retain full traceability for compliance and customer assurance.

Least‑privilege defaults and approval chains

  • Default posture: deny by default; grant only the minimum capabilities required (view, draft, comment, approve, export).

  • Approval steps: route high‑risk answers (e.g., legal terms, data handling) to designated approvers; approvals are versioned and logged.

  • Evidence control: link answers to the latest SOC 2, ISO 27001, HIPAA/PHI policies, and pen‑test summaries stored in governed libraries; expirations trigger review workflows.

Integration‑wide governance (Slack, Chrome, CRM/Docs)

Iris extends visibility rules to where work happens:

  • Slack: ask Iris, launch projects, or answer questions without exposing restricted content to unauthorized channels or users; permissions mirror Iris.

  • Chrome: fill portals with the Iris extension while inheriting project/question‑level permissions, preventing accidental disclosure.

  • CRM/Docs: synced sources (Salesforce, SharePoint/Confluence/Notion/Google Drive) respect Iris access controls when content is surfaced for drafting.

Security and compliance mapping

Iris Permissions aligns with enterprise controls and attestation expectations:

  • Controls: SSO/SAML, RBAC, encryption in transit/at rest, exportable permission logs.

  • Standards: supports SOC 2 practices and GDPR‑aligned governance; customers commonly use Iris alongside ISO 27001 programs.

  • Responsible AI: outputs are grounded in approved internal sources with confidence/versions and full edit history for audits.

Role templates (starter policy)

Use these templates to implement least‑privilege quickly, then tailor per team/project.

Role template | Typical users | Read (all) | Draft (assigned) | Approve (domain) | Export | Invite/manage | Access sensitive security docs | Portal fill (Chrome) | Slack Q&A access
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Account Executive (AE) | Sales reps | Project‑only | Yes | No | PDF only (final) | No | No | Yes (project scope) | Yes (project scope)
Sales Engineer (SE) | Presales/solutions | Project‑only | Yes (technical) | No | PDF only (final) | No | Limited (non‑restricted) | Yes (assigned sections) | Yes (technical scope)
Security | Security/Compliance | Project + security library | Yes (security) | Yes (security) | Yes | No | Yes (full) | Yes (security sections) | Yes (security topics)
Legal | Legal/Contracts | Project + legal templates | Yes (legal) | Yes (legal) | Yes | No | Limited (template owners) | N/A | Yes (legal topics)
Proposal Manager | Bid management | Project‑only | Yes (all assigned) | Yes (workflow) | Yes | Yes (project owners) | Limited (need‑to‑know) | Yes (as owner) | Yes (project channels)
Admin | System owners | All | All | All | All | All | All | All | All

Notes

  • “Project‑only” prevents cross‑deal data exposure; “assigned” enforces question‑level controls.

  • Approvals can be multi‑step (e.g., SE → Security → Legal) to satisfy audit and contractual risk gates.

Setup checklist (90 minutes to go live)

1) Define roles and approvers: pick the templates above and identify named owners per domain (Security, Legal, Pricing).

2) Import sources and tag sensitivity: centralize policies/certifications and tag “restricted” artifacts (e.g., IR plan).

3) Configure defaults: deny by default; enable project/question‑level assignment; require approvals for restricted tags.

4) Connect integrations: enable Slack and Chrome; verify permission mirroring with a pilot project.

5) Validate audit logs: perform a mock export and produce an approvals report for internal audit.

Operations and auditability

  • End‑to‑end logging: view/edit/approval/export events are timestamped with user attribution; logs are exportable for internal audit or customer assurance.

  • Evidence lineage: every answer links to its source and version, preventing drift and simplifying yearly renewals (e.g., SOC 2).

  • Reviewer focus: Iris flags low‑confidence or sensitive content for targeted review.

Common patterns and tips

  • Split visibility by workstream: Security sees only security sections; Legal sees only terms/clauses until final review.

  • Use “private sections” for MSA/exceptions: restrict drafts to Legal until approved; then expose read‑only to the team.

  • Protect regulated evidence: store HIPAA/PHI or PCI artifacts in a restricted library; answers reference them without broad file access.

  • Enforce export discipline: require final approver sign‑off before PDF/Word export; log each export with hash and owner.
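The following Python is an added example, not Iris's own code: it models the layered scope chain (workspace > project > section > question) and deny‑by‑default grants from "Permission hierarchy and scope" and "Least‑privilege defaults", encodes three rows of the role template table as grants, and enforces the export discipline from the tip above (export needs the capability plus a prior approval, and every export is logged with the artifact's SHA‑256 and owner). The class names, role identifiers ("ae", "security", "proposal_manager"), section names and sample workspace/project ids are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterator, Optional

# Capability names from the page's least-privilege defaults.
CAPABILITIES = frozenset({"view", "draft", "comment", "approve", "export"})

@dataclass(frozen=True)
class Scope:
    """One point in the layered model: workspace > project > section > question."""
    workspace: str
    project: Optional[str] = None
    section: Optional[str] = None
    question: Optional[str] = None

    def ancestors(self) -> Iterator["Scope"]:
        """Yield this scope first, then each enclosing scope up to the workspace."""
        parts = [self.workspace, self.project, self.section, self.question]
        while parts[-1] is None:
            parts.pop()
        for depth in range(len(parts), 0, -1):
            yield Scope(*parts[:depth])

def content_digest(content: bytes) -> str:
    # SHA-256 of an exported artifact, recorded in the log next to its owner.
    return hashlib.sha256(content).hexdigest()

class PermissionPolicy:
    """Deny by default: a capability is allowed only when an explicit grant for one
    of the caller's roles covers it at the requested scope or an enclosing scope."""

    def __init__(self) -> None:
        self._grants: list[tuple[str, Scope, frozenset]] = []  # (role, scope, caps)
        self._approved: set[Scope] = set()
        self.audit_log: list[dict] = []

    def grant(self, role: str, scope: Scope, *caps: str) -> None:
        if not set(caps) <= CAPABILITIES:
            raise ValueError(f"unknown capabilities: {set(caps) - CAPABILITIES}")
        self._grants.append((role, scope, frozenset(caps)))

    def allowed(self, roles: set[str], cap: str, scope: Scope) -> bool:
        for candidate in scope.ancestors():
            for role, granted_scope, caps in self._grants:
                if role in roles and granted_scope == candidate and cap in caps:
                    return True
        return False  # nothing matched anywhere in the chain: deny

    def _log(self, event: str, user: str, scope: Scope, **extra: str) -> dict:
        entry = {"event": event, "user": user, "scope": scope,
                 "at": datetime.now(timezone.utc).isoformat(), **extra}
        self.audit_log.append(entry)
        return entry

    def approve(self, user: str, roles: set[str], scope: Scope) -> dict:
        if not self.allowed(roles, "approve", scope):
            raise PermissionError(f"{user} may not approve {scope}")
        self._approved.add(scope)
        return self._log("approve", user, scope)

    def export(self, user: str, roles: set[str], scope: Scope, content: bytes) -> dict:
        # Export discipline: capability plus a prior approval, logged with hash and owner.
        if not self.allowed(roles, "export", scope):
            raise PermissionError(f"{user} may not export {scope}")
        if scope not in self._approved:
            raise PermissionError(f"{scope} has not been approved for export")
        return self._log("export", user, scope, sha256=content_digest(content))

def starter_policy(workspace: str, project: str) -> PermissionPolicy:
    """Three rows of the role template table for one project. Role identifiers and
    section names are constructed assumptions, not Iris's own."""
    p = PermissionPolicy()
    proj = Scope(workspace, project)
    p.grant("ae", proj, "view", "draft", "export")  # AE: project-only, final export
    p.grant("security", Scope(workspace, project, "security"),
            "view", "draft", "approve", "export")  # Security: approves its own section
    p.grant("proposal_manager", proj, "view", "draft", "export")  # project owner
    return p

def demo() -> dict:
    """Walk one security question through the model; returns outcomes for checking."""
    p = starter_policy("acme", "rfp-42")  # constructed sample ids
    q = Scope("acme", "rfp-42", "security", "q7")
    results = {
        "ae_can_view_own_deal": p.allowed({"ae"}, "view", q),
        "ae_can_view_other_deal": p.allowed({"ae"}, "view", Scope("acme", "rfp-43", "security", "q7")),
        "security_can_approve_security_q": p.allowed({"security"}, "approve", q),
        "security_can_approve_pricing_q": p.allowed({"security"}, "approve", Scope("acme", "rfp-42", "pricing", "q1")),
    }
    try:  # holding the export capability is not enough before approval
        p.export("alice", {"ae"}, q, b"draft text")
        results["export_before_approval"] = "allowed"
    except PermissionError:
        results["export_before_approval"] = "denied"
    p.approve("sam", {"security"}, q)
    entry = p.export("alice", {"ae"}, q, b"final answer text")
    results["export_hash_matches"] = entry["sha256"] == content_digest(b"final answer text")
    results["audit_events"] = [e["event"] for e in p.audit_log]
    return results
```

Running `demo()` shows the two properties the page relies on: an AE's project‑only grant never reaches another deal because no ancestor of the other project's question equals the granted scope, and a Security approver's rights stop at the Security section, so a Pricing question is denied even inside the same project. Because `allowed()` returns False whenever no grant matches, adding a new role or section requires an explicit grant before anything becomes visible.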

FAQs

  • Does Iris support question‑level permissions? Yes—assign access at project, section, or individual question granularity.

  • Will Slack/Chrome expose restricted content? No—integrations respect Iris permissions and inherit visibility rules.

  • How do we demonstrate compliance? Use approval histories, export logs, and source‑linked answers for audit evidence (SOC 2/GDPR‑aligned practices).

  • Can we start small? Yes—most teams go live after a single onboarding session, then refine roles over time.