When Paramify evaluates how a component is implemented, it looks at the people responsible for making that component work end-to-end. One of those people is the Integrator.
What Is an Integrator?
The Integrator acts as the bridge between an upstream vendor component and the end users who ultimately adopt it. The Integrator role is triggered when a component has end user responsibilities for complete adoption, meaning the component cannot simply be licensed or installed and left alone. Someone at your organization actively configures the component so that other entities can adopt it.
In Paramify's Solution Capability function structure, the Integrator holds the Main Component Role and owns the Core Process — the hands-on work that makes the component functional in your environment.
When Does It Apply?
Integrators appear on a Solution Capability when all three of the following are true:
- A vendor or third party provides the underlying component
- Your organization must actively integrate or configure it (not just consume it)
- End users are required to adopt it as part of completing the control
Common examples include identity providers like Okta SSO (where IT integrates the component system-specifically and employees must authenticate through it) and customer-facing portals built on third-party auth services like Auth0 (where your team integrates the component and customers adopt it).
How It Affects Risk Treatment
When the Integrator flag is set, Paramify distributes responsibility across multiple parties and assigns a Share Mitigation risk treatment. The exact structure depends on the other settings on the component:
| Rule | Parties | Typical scenario |
|---|---|---|
| Leveraged Component with Integrator | Vendor + Integrator + End User | Vendor supplies the component; your org integrates it system-specifically; end users adopt it (e.g., Corporate IT Okta SSO). |
| Customer Managed Leveraged Component with Integrator | Vendor + Integrator + End User | Same as above, but the component is also customer-configured (e.g., Auth0 Customer Portal where customers must configure their side). |
| Service Provider Component with Integrator | Provider + End User | Your org owns and runs the component; an end user is identified at intake for adoption responsibility (e.g., a GRC status portal). |
In all cases, the Integrator's solution capability origination is Service Provider System Specific, meaning the integration work is owned by your organization and scoped to the specific system being documented.
See Detailed Explanation of Risk Treatment Rules
NOTE
The Integrator is always your organization (the service provider), never the vendor and never the customer. If the customer is the one configuring the component, use the Customer Configured or Customer Provided flags instead.
Integrator vs. Provider vs. End User
| Role | Who | Responsibility |
|---|---|---|
| Integrator | Your organization (service provider) | Owns the core process; integrates the component into the system for end user consumption. |
| Provider | Vendor / upstream system | Supplies the component; inherits controls from the leveraged system. |
| End User | Solution end user | Adopts the component; carries adoption responsibility within the system boundary. |