Restructure the user permissions architecture to provide granular control over risk review access across multiple platform areas. This enhancement introduces dedicated Risk Review permissions under the My Tasks group, decouples Risk Review module access from the general Risk permissions, and converts obsolete risk review permissions into active, granular controls. The update addresses current inconsistencies where obsolete permissions still control access and the Risk Review module incorrectly uses general Risk permissions instead of dedicated review-specific permissions.
Key Components:
- New "Risk Review" permission added under My Tasks permission group (Administration > Users)
- Reinstate the obsolete risk review permissions and restructure them into four granular levels: View, Create, Edit, Delete
- Decouple Risk Review module access from General.Risks permission
- Update My Tasks visibility to use new Risk Review permission
- Add "Risk review" option to My Tasks Type filter
- Update Risk Review module permission checks to use dedicated review permissions
- Backward compatibility and migration path for existing role configurations
Benefits:
- Provides administrators independent control over risk review access without requiring general Risk module permissions
- Aligns permission structure with other My Tasks items (e.g., Risk Treatment Plan permission pattern)
- Enables organizations to assign risk review responsibilities to users who don't need full Risk module access
- Eliminates confusion from obsolete permissions that still control access
- Improves platform security by enforcing proper permission boundaries
- Addresses multiple SLA tickets (#33608, #33723, #33612) related to permission inconsistencies
- Simplifies role management by clarifying permission purpose and scope
- Ensures consistent permission behavior across My Tasks, Risk Review module, and Type filters
Example Use Case: A compliance officer needs to conduct periodic risk reviews and document findings in My Tasks, but shouldn't have access to view all organizational risks or modify risk data. With the new permission structure, the administrator can grant "Risk Review - View/Edit" permission under My Tasks without providing general Risk module access. The user can see assigned risk reviews in My Tasks, access them through the Type filter, and complete their review work, all within appropriate access boundaries. Meanwhile, a risk analyst with full Risk module permissions can still be restricted from deleting completed risk reviews by granting only View/Edit permissions for Risk Reviews.
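The access model described above, as an added illustration (not code from the platform itself): the legacy check keyed on General.Risks beside the dedicated per-action check, a migration that converts the obsolete permission without silently dropping access, and the two roles from the use case. Only "General.Risks" is a name from this request; the granular permission identifiers, the obsolete permission name, and the migration rule are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Permission identifiers. Only "General.Risks" appears in the request; the
# others are assumed names for the new granular My Tasks permissions.
GENERAL_RISKS = "General.Risks"
RISK_REVIEW = {a: f"MyTasks.RiskReview.{a}" for a in ("View", "Create", "Edit", "Delete")}
OBSOLETE_RISK_REVIEW = "Risks.RiskReview.Obsolete"  # assumed name of the old permission


@dataclass
class Role:
    name: str
    permissions: set[str] = field(default_factory=set)


def can_access_review_module_legacy(role: Role) -> bool:
    """Current behaviour the request describes: module access keyed on General.Risks."""
    return GENERAL_RISKS in role.permissions


def can_risk_review(role: Role, action: str) -> bool:
    """Target behaviour: each action is gated only by its dedicated review permission."""
    if action not in RISK_REVIEW:
        raise ValueError(f"unknown risk review action: {action}")
    return RISK_REVIEW[action] in role.permissions


def migrate_role(role: Role) -> Role:
    """Assumed migration rule: roles that reached reviews through the obsolete permission
    or through General.Risks keep that access (no silent loss); admins narrow it afterwards."""
    perms = set(role.permissions)
    if OBSOLETE_RISK_REVIEW in perms or GENERAL_RISKS in perms:
        perms.discard(OBSOLETE_RISK_REVIEW)
        perms.update(RISK_REVIEW.values())
    return Role(role.name, perms)


# Constructed roles mirroring the use case in the request.
COMPLIANCE_OFFICER = Role("compliance_officer", {RISK_REVIEW["View"], RISK_REVIEW["Edit"]})
RISK_ANALYST = Role("risk_analyst", {GENERAL_RISKS, RISK_REVIEW["View"], RISK_REVIEW["Edit"]})


def access_matrix(role: Role) -> dict[str, bool]:
    """One row of a permission review: Risk module access, legacy review access, each action."""
    row = {"risk_module": GENERAL_RISKS in role.permissions,
           "review_module_legacy": can_access_review_module_legacy(role)}
    row.update({a.lower(): can_risk_review(role, a) for a in RISK_REVIEW})
    return row


if __name__ == "__main__":
    for r in (COMPLIANCE_OFFICER, RISK_ANALYST):
        print(r.name, access_matrix(r))
```

The compliance officer row shows why the legacy check is wrong (denied despite holding review permissions), and the analyst row shows Delete staying off even with full Risk module access.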