Account Administrators have full access to all areas, scopes, and modules within KCM GRC. For example, they can create and disable user accounts, convert templates to scopes, and see an overview of key items in your account.

As an Account Administrator, you're presented with a Global Dashboard which provides an overview of your organization's current state of compliance, and other information pertaining to the entire Compliance Management Module.

• Add new user accounts
• Create custom templates for scopes
• Convert templates to scopes
• Clone scopes
• Create and update controls
• Create task schedules and assign responsibilities to the User Responsible and Approving Manager
• Add/Remove mappings between scope requirements and controls.
• View archived items and unarchive items (from the Compliance, Risk Management, and Vendor Management modules)
• Use Custom Reporting

Scope Administrators work in the Compliance Management Module and are granted permissions on a per-scope basis. They have access to all data within their allowed scope(s), including requirements, controls, tasks, and evidence. For more information on Scope Admin permissions, see our Working with Users article.

When creating tasks for controls, Scope Administrators can delegate responsibilities to themselves or other users, as one of the following:

• User Responsible: Assigned to tasks in order to provide evidence or documentation that the organization is in compliance with the control. The User Responsible receives reminder emails based on the due dates of upcoming tasks (see: What is the task reminder email schedule?). The User Responsible typically has a Contributor user role (see below for more information). 
• Approving Manager: Once the User Responsible has submitted evidence for a control task, the approving manager will determine if the evidence is sufficient, accurate, and complete. If the evidence is approved, the task will be closed, if deemed insufficient, Approving Managers can add task notes to inform the User Responsible of what is still needed. See: How Do I Approve Tasks?

• View the Global Dashboard–providing an overview of your organization's current state of compliance, and other information pertaining to the entire Compliance Management Module.
• View My Dashboard–containing data pertaining to the tasks they're assigned to as the User Responsible or Approving Manager.
• Create scopes

Under their allowed scope(s):

• View and update scope details (name, description, and evidence permissions)
• Create, add, view, modify, and archive requirements 
• Complete a Scope Requirements Self-Assessment
• Create, view, and modify controls 
• Add control notes 
• Map controls to and from requirements
• Create one-time tasks and task schedules (see: How Do I create Control Tasks?)
• Add task notes
• View and add DocuLinks as evidence for control tasks
• View, upload, and download files submitted as evidence for control tasks
• View compliance reports under the Metrics page
• Export scopes
• Export requirement details in a CSV file format
• Export control details in a CSV file format
• Export control task details in a CSV file format
• Export evidence details in a CSV file format
• View archived scopes, requirements, and controls (Compliance Management module only)

Scope Administrators cannot: 

• View or modify items that are outside of the allowed scope(s)
• View modules other than the Compliance Management module.
• Create or modify templates
• Convert templates to scopes
• Clone scopes
• Unarchive, archive, or delete scopes
• Delete requirements
• Create or edit other user accounts

User Experience: Click here to view the KCM GRC navigation panel access for Scope Administrators.

The Contributor user role has "mid-level" permissions in the Compliance Management module. Contributor users can access more than an Auditor, and less than a Scope Administrator.

Contributors complete the tasks that are assigned to them by the Scope Administrator or Account Administrator. They can be assigned to tasks as either the User Responsible or Approving Manager.

• If the Contributor is assigned a task as the User Responsible (see, above): They can review controls, control documents,  control notes, and task notes to determine what is required of them in order to satisfy the control. They will upload files or link to evidence that supports the control task.
• If the Contributor is assigned a task as the Approving Manager (see, above): They will review evidence submitted by the User Responsible and close the task once it is satisfied.

When assigned to a control task as the User Responsible or the Approving Manager:

• View controls and control notes
• Add control notes
• View tasks and task notes
• Add task notes
• View and add DocuLinks as evidence for control tasks
• View, upload, and download files submitted as evidence for control tasks
• View requirements (only requirements mapped to a control with a task assigned to the Contributor)
• View My Dashboard–containing data pertaining to the user's tasks
• Export control task details in a CSV file format
• Export evidence details in a CSV file format

Contributors cannot:

• Create new tasks
• Modify one-time tasks or task schedules
• Create or modify controls
• Create or modify requirements
• Create or modify scopes
• Create or edit other user accounts

User Experience: Click here to view the KCM GRC navigation panel access for Contributors.

Auditor accounts are used to give a reviewer, assessor, consultant, board member, or auditor limited access to the Compliance Management and/or Policy Management modules in your account. Auditors are granted access on a per-scope and per-policy campaign basis. An Auditor can only see limited data and reports for the scopes and/or policy campaigns they're granted access to. For more information about granting Auditor permissions, see our Working with Users article.

For their allowed scopes:

• View compliance reports under the Metrics page:
  • Detailed Compliance Reports
  • Summary Compliance Reports
  • Scope Tasks Gantt
• View or download (approved) DocuLinks and evidence for control tasks
• View tasks and task notes
• Leave a task note
• View controls and control notes
• View and edit their user profile

For their allowed policy campaigns:

• View Policy Management Reports under the Metrics page (and from Policy Management > Reports).
• View policy links and PDF documents that are attached to allowed campaigns

User Experience: Click here to view the KCM GRC navigation panel access for Auditors.

• Add end users to the Policy Management module
• Create user groups for policy campaigns and manage user memberships
• Add links to, or upload policy documents
• View, update, modify or delete policies
• Create, view, update, disable, and delete policy campaigns
• View Policy Management reports 

Policy Administrators cannot:

• View data outside of the Policy Management module (with the exception of assigned control tasks)

User Experience: Click here to view the KCM GRC navigation panel access for Policy Administrators.

Campaign Administrators are granted access on a per-policy campaign basis. They have access to all data within their allowed campaigns. They can add and manage end users, monitor campaign progress, and nudge users who have not yet acknowledged policies.

If you want to limit access to some policy campaigns but not all, assign the Campaign Administrator user role.

• Create policy campaigns
• View, manage, update, and disable their allowed campaigns 
• Add end users to the Policy Management module
• Create user groups for policy campaigns and manage user memberships
• Add links to, or upload policy documents
• View, update, and modify policies
• View Policy Management reports for their allowed campaigns

Campaign Administrators cannot: 

• View campaigns outside of their allowed campaigns
• View data outside of the Policy Management module (with the exception of assigned tasks)
• Delete Campaigns
• Delete policy documents or links
• Delete end users
• Delete groups

User Experience: Click here to view the KCM GRC navigation panel access for Campaign Administrators.

End Users are added to KCM GRC only for the purpose of receiving policies by email, as part of policy campaigns. Using the link from the recipient's email, the users read and acknowledge your organization's policies. Policy acknowledgments are recorded in KCM GRC, within the associated policy campaign.

End Users do not log into the KCM GRC platform. They receive policy documents via email, see: User Experience

• Use the Risk Wizard to add risks to the Risk Register
• Use the Risk Register to import/export, modify, archive, and add new risks.
• Add and delete risk tags under Account Settings
• Add, edit, and delete risk categories under Account Settings
• View and import risks in the Risk Templates area
• Create, map, view, and modify controls for risks
• Add control notes
• Create one-time tasks and task schedules for risk controls (see: How Do I create Control Tasks?)
• Add task notes
• View and add DocuLinks or upload files as evidence for their tasks
• View, upload, and download files submitted as evidence for their tasks
• Export risk control task details in a CSV file format
• View archived risks and controls (Risk Management module only)

Risk Administrators cannot: 

• View data outside of the Risk Management module (with the exception of controls mapped to risk items, and assigned tasks)
• Create or edit other user accounts

User Experience: Click here to view the KCM GRC navigation panel access for Risk Administrators.

• View and interact with the Vendor Management Dashboard
• Add and update vendor profiles from the Vendors Page
• Create Vendor Contacts (i.e., users with a Vendor User role)
• Create, configure, and review questionnaires
• Send questionnaires to vendors
• Archive questionnaires and vendors
• View archived questionnaires and vendors
• Clone questionnaires
• Export questionnaires Review completed vendor questionnaires
• Create questionnaire issues
• View My Dashboard–containing data pertaining to the tasks they're assigned to as the User Responsible or Approving Manager.
• Add task notes to assigned tasks
• View and add DocuLinks or upload files as evidence for assigned tasks
• View and download files submitted as evidence for assigned tasks
• View archived vendors and questionnaires (Vendor Management module only)

Vendor Administrators cannot: 

• View data outside of the Vendor Risk Management module (with the exception of data pertaining to their assigned tasks)
• Create user accounts (with the exception of Vendor Contacts)
• Edit user accounts (including Vendor User/Vendor Contact accounts)

User Experience: Click here to view the KCM GRC navigation panel access for Vendor Administrators.

Vendor Users (also referred to as Vendor Contacts) are added to KCM GRC so they can complete the questionnaires you assign. Vendor Users log in to a separate portal associated with your account. The Vendor Portal is specifically for answering questionnaires and addressing issues resulting from questionnaire responses. Vendor Users do not have access to any other information in your organization's account. 

If you'd like to share an instructional article with your vendors, see our Guide for Vendor Users.

• View the Vendor Dashboard–provides access to assigned questionnaires, questionnaire issues, and any files they've attached to their questionnaire answers
• Add comments and attach files to questionnaire answers
• Import answer template files to quickly respond to questionnaire templates (see more information, here)
• View and respond to issues created by KCM users in response to questionnaire answers

User Experience: Click here to view the KCM GRC navigation panel access for Vendor Users.