Permissions and Roles Matrix
Use this guide to assign access in a way that supports daily work while protecting sensitive records. Give each person the lowest level of access they need to complete their responsibilities, then review assignments regularly as teams and duties change.
Permission Guidance
| Role | View | Create | Edit | Approve | Delete | Export | Recommended assignment |
|---|---|---|---|---|---|---|---|
| Customer Administrator | All areas assigned to the organization | Administrative records, teams, and configuration items | Most records, except where approval independence is required | Administrative approvals and emergency access changes | Limited to records that are no longer needed and have no active work | Reports needed for governance and oversight | A small number of trusted administrators who manage access, settings, and oversight |
| Compliance Manager | Assessments, policies, controls, issues, findings, evidence, and reports | Assessments, policy reviews, issues, findings, and remediation plans | Compliance records within their responsibility | Compliance reviews, policy acknowledgements, and closure recommendations | Rarely; only duplicate or obsolete compliance records | Compliance reports for leadership and auditors | Leads responsible for governance programs and review cycles |
| Risk Manager | Risks, controls, treatments, exceptions, incidents, assets, vendors, and reports | Risks, treatments, exceptions, and risk reviews | Risk records and treatment plans | Risk acceptance, treatment approval, and exception recommendations | Rarely; only duplicate or obsolete risk records | Risk registers and leadership summaries | Risk owners, enterprise risk leads, and control oversight teams |
| Business Owner | Records related to their business area | Risks, issues, exceptions, assets, vendors, and supporting information | Records they own or are asked to update | Business acceptance, owner sign-off, and action completion | Not recommended | Limited to their own area when required | Department heads, process owners, and service owners |
| Assessor | Assigned assessments, evidence requests, controls, and findings | Evidence notes, assessment observations, and draft findings | Assigned assessment responses and evidence details | Not recommended for their own assessment work | Not recommended | Assessment workpapers for assigned scope when permitted | Internal reviewers, control testers, and assessment teams |
| Approver | Items routed to them for decision | Comments, approval notes, and requested clarification | Limited fields needed to complete review | Approval, rejection, request for changes, or acceptance | Not recommended | Decision records where needed | Managers and leaders accountable for formal decisions |
| Contributor | Assigned tasks and records they support | Updates, evidence, comments, and task responses | Their own submissions before final review | Not recommended | Not recommended | Not recommended unless needed for their role | Staff who provide evidence, updates, and action responses |
| Read-Only User | Information shared with them | Not recommended | Not recommended | Not recommended | Not recommended | Usually not recommended; allow only for reporting duties | Executives, observers, temporary reviewers, and audit support |
Module Permission Notes
| Area | Recommended Access Pattern |
|---|---|
| Assessment evidence reuse | Assessors and control owners can reuse mapped evidence only for controls they are responsible for. Compliance managers may need broader assessment update rights to support reassignment, correction, or quality review. |
| Evidence upload | Upload rights should be limited to users who provide or manage evidence. Reuse rights do not replace evidence upload rights when a new file is required. |
| Assessment approval | The person assessing a control or providing evidence should not be the only person approving the assessment. |
| Audit findings | Auditors should create and verify findings. Remediation owners should respond and provide evidence, but should not self-verify closure. |
| Linked assessment controls | Users creating assessment-based findings should have enough audit access to create findings and enough assessment visibility to select the exact failed assessment control. |
Segregation-of-Duties Notes
| Area | Recommended separation |
|---|---|
| Access administration | The person granting access should not be the only person reviewing whether that access remains appropriate. |
| Risk acceptance | The person creating or updating a risk should not be the sole approver of accepting the risk. |
| Policy approval | The policy author should not be the only final approver of the policy. |
| Assessment completion | The person providing evidence should not be the only person confirming that the evidence is sufficient. |
| Exception approval | The person requesting an exception should not be the sole approver of that exception. |
| Issue closure | The person completing remediation should not be the only person confirming closure. |
| Deletion rights | Delete access should be limited and reviewed often because it can remove useful history. |
| Export rights | Export access should be limited to users who have a clear business need to handle records outside the workspace. |
Common Mistakes
| Mistake | Why it creates risk | Better practice |
|---|---|---|
| Giving administrator access to too many users | Broad access increases the chance of accidental changes and unclear accountability. | Keep administrator access limited to named owners and review it regularly. |
| Allowing one person to create and approve the same item | Independent review is weakened. | Assign approval to a different accountable owner whenever possible. |
| Using one shared account for a team | Activity cannot be tied to a specific person. | Give each user their own account and role. |
| Leaving access active after role changes | Users may retain access they no longer need. | Review access after transfers, departures, and changes in responsibility. |
| Granting export access by default | Exported information is harder to control. | Allow export only for users with reporting, audit, or leadership responsibilities. |
| Using delete instead of close, archive, or mark inactive | Deletion can remove context needed for reviews. | Preserve history unless removal is clearly approved and appropriate. |
| Assigning approver rights without clear accountability | Decisions may be delayed or made by the wrong person. | Match approver rights to documented ownership and decision authority. |
| Giving contributors edit access to final records | Final records can change after review. | Limit contributors to assigned tasks, evidence, and comments. |
Review Rhythm
Review role assignments at least quarterly and whenever a person changes job responsibilities. Pay special attention to administrator, approver, delete, and export permissions because those rights carry the highest operational impact.
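The role matrix, the segregation-of-duties notes, and the quarterly review rhythm above can all be enforced mechanically rather than left to memory. The following is an added example, not code from the original page or from any product it describes: it encodes a simplified version of the permission matrix, denies an approval when the actor created the record, supplied its evidence or performed its remediation and no independent approver has already signed off, and flags role assignments that are overdue for review. Role names follow the table; the record kinds, field names, user identifiers and the 90-day review window are constructed assumptions for the example.

```python
"""Role matrix, segregation-of-duties and access-review checks (added example).

Assumptions: ROLE_PERMISSIONS is a simplified encoding of the page's matrix;
record kinds, field names, user ids and dates below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Simplified permission matrix: which actions each role may perform (assumption).
ROLE_PERMISSIONS = {
    "Customer Administrator": {"view", "create", "edit", "approve", "delete", "export"},
    "Compliance Manager": {"view", "create", "edit", "approve", "export"},
    "Risk Manager": {"view", "create", "edit", "approve", "export"},
    "Business Owner": {"view", "create", "edit", "approve"},
    "Assessor": {"view", "create", "edit"},
    "Approver": {"view", "create", "edit", "approve"},
    "Contributor": {"view", "create", "edit"},
    "Read-Only User": {"view"},
}


@dataclass
class Record:
    record_id: str
    kind: str                                  # "risk", "exception", "policy", "issue", "assessment"
    created_by: str                            # user id of the author or requester
    evidence_by: set = field(default_factory=set)  # users who supplied evidence (assessments)
    remediated_by: str = ""                    # user who completed remediation (issues)


@dataclass
class User:
    user_id: str
    role: str


def conflicted_users(record: Record) -> set:
    """Users who must not be the sole approver of this record, per the SoD notes."""
    conflicted = {record.created_by}
    if record.kind == "assessment":
        conflicted |= record.evidence_by
    if record.kind == "issue" and record.remediated_by:
        conflicted.add(record.remediated_by)
    return conflicted


def authorize(user: User, action: str, record: Record, approvals=()) -> tuple:
    """Return (allowed, reason). `approvals` lists user ids that already approved."""
    if user.role not in ROLE_PERMISSIONS:
        return False, f"unknown role {user.role!r}"
    if action not in ROLE_PERMISSIONS[user.role]:
        return False, f"role {user.role!r} is not granted {action!r}"
    if action == "approve" and user.user_id in conflicted_users(record):
        independent = [a for a in approvals if a not in conflicted_users(record)]
        if not independent:
            return False, "segregation of duties: actor worked on this record and no independent approval exists"
    return True, "ok"


@dataclass
class Assignment:
    user_id: str
    role: str
    last_reviewed: date
    job_changed: Optional[date] = None         # date responsibilities changed, if any


def stale_assignments(assignments, today: date, max_age_days: int = 90) -> list:
    """Assignments due for review: past the review window, or job changed since last review."""
    due = []
    for a in assignments:
        if (today - a.last_reviewed).days > max_age_days:
            due.append((a.user_id, "periodic review overdue"))
        elif a.job_changed and a.job_changed > a.last_reviewed:
            due.append((a.user_id, "responsibilities changed since last review"))
    return due


def sample_review() -> list:
    """Run the review check over constructed sample assignments."""
    today = date(2024, 7, 1)
    assignments = [
        Assignment("anna", "Approver", last_reviewed=date(2024, 6, 1)),
        Assignment("ben", "Contributor", last_reviewed=date(2024, 1, 1)),
        Assignment("cara", "Assessor", last_reviewed=date(2024, 5, 1), job_changed=date(2024, 6, 15)),
    ]
    return stale_assignments(assignments, today)


if __name__ == "__main__":
    risk = Record("R-1", "risk", created_by="alice")
    print(authorize(User("alice", "Risk Manager"), "approve", risk))   # denied: sole approver of own risk
    print(authorize(User("bob", "Risk Manager"), "approve", risk))     # allowed
    print(sample_review())
```

The check is deliberately permissive in one direction: a conflicted user may still add an approval once an independent approver has signed, which matches the page's "should not be the sole approver" wording rather than a blanket ban. Delete and export rights are handled purely by the matrix, so tightening them is a one-line change to `ROLE_PERMISSIONS`.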