Account Administrators have full access to all areas, scopes, and modules within KCM GRC. For example, they can create and disable user accounts, convert templates to scopes, and see an overview of key items in your account.

As an Account Administrator, you're presented with a Global Dashboard which provides an overview of your organization's current state of compliance, and other information pertaining to the entire Compliance Management module.

• Add new user accounts
• Create custom templates for scopes
• Convert templates to scopes
• Clone scopes
• Create, upload, and update controls
• Create task schedules
• Add/remove mappings between scoped requirements and controls
• Archive and delete items
• View archived items and unarchive items (from the Compliance, Risk Management, and Vendor Management modules)
• Use Custom Reporting
• Create Scope Exports
• Download Policy Templates
• Create Data Exports

Scope Administrators work in the Compliance Management module and are granted permissions on a per-scope basis. They have access to all data within their allowed scopes, including requirements, controls, tasks, and evidence.

When creating tasks for controls, Scope Administrators can delegate responsibilities to themselves or other users as one of the following:

• User Assigned: Assigned to tasks in order to provide evidence or documentation that the organization is in compliance with the control. This user receives reminder emails based on the due dates of upcoming tasks (see: Control Task Notifications).
  Note: The User Assigned typically has a Contributor user role (for more information, see, Contributor, below). 
• Approving Manager: Once the assigned user has submitted evidence for a control task, the approving manager determines if the evidence is sufficient. If the evidence is approved (and there is not an assigned Second-level Approving Manager), the task will be closed. If deemed insufficient, Approving Managers can add task notes to inform the user of what is still needed. See: Task Approval Workflows
• Second-level Approving Manager: Responsible for approving evidence—after the Approving Manager has approved the evidence.

• View the Global Dashboard–providing an overview of the scopes that this user has access to (meaning, this user's allowed scopes).
• View My Dashboard–containing data pertaining to the tasks they're assigned to as the User Assigned, Approving Manager, or Second-level Approving Manager.

Under their allowed scope(s), Scope Administrators can:

• View and update scope details (name, description, add tags, and modify evidence permissions)
• Map requirements to a scope (any requirement that exists in your account)
• Unmap requirements from a scope
• Create requirements
• Add tags to a requirement
• Complete a Scope Self-Assessment
• Create, view, and edit controls (for scoped requirements)
• Map controls to a scoped requirement (any control that exists in your account)
• Unmap controls from a scoped requirement 
• Add control documents and control notes to a control
• View and export tasks
• Create one-time tasks and task schedules (see: Working With Task Schedules for Controls)
• Update tasks (i.e., change the Task Name, Task Description, User Assigned, Approving Manager(s), due date, and evidence requirements)
• Add task notes to a task
• View task evidence
• Submit task evidence
• View compliance reports under the Metrics page
• Create scope exports
• Export Controls and Scoped Requirements
• View archived scopes (if the scope was an allowed scope) 

Scope Administrators cannot: 

• View or modify items that are outside of their allowed scope(s)
• View modules other than the Compliance Management module
• Create or modify templates
• Convert templates to scopes
• Create scopes
• Clone scopes
• Delete, archive, or unarchive, scopes
• Edit requirements
• Delete requirements
• Delete controls
• Map a control to a risk
• Complete tasks (unless they are the User Assigned)
• Create, edit, or view other user accounts
• Create, edit, or view user groups

User Experience: Click here to view the KCM GRC navigation panel access for Scope Administrators.

Under the Compliance Management module, Contributor users can access more than the Auditor user role, and less than the Scope Administrator user role. This role is assigned to users for the purpose of completing or approving tasks for controls.

Contributors complete the tasks or approve the tasks that are assigned to them by the Scope Administrator or Account Administrator. Contributors can be assigned to tasks as one of the following:

• User Assigned
• Approving Manager
• Second-level Approving Manager

For more information on the roles for tasks, see Task Approval Workflows. 

• View My Dashboard–containing data pertaining to the tasks they're assigned to as the User Assigned, Approving Manager, or Second-level Approving Manager.

When assigned to a control task as the User Assigned, Approving Manager, or the Second-level Approving Manager, Contributors can:

• View controls (via the View Task page)
• View control documents and control notes
• Add control notes
• View their assigned tasks
• View and add task notes to their assigned tasks
• View and add links or upload documents as evidence for control tasks
• Complete tasks (only if they are the User Assigned)
• View the files and links that they have already submitted as evidence for control tasks (via the Documents page)

Contributors cannot:

• Create task schedules
• Create or edit controls
• View, create, or edit requirements
• View, create, or edit scopes
• View, create, or edit other user accounts
• Edit tasks*
  *Exception: Under our user groups workflow, Contributors can be assigned as a group lead—where they hold special permissions allowing them to reassign their tasks to other users in their group. For more, see: Working With User Groups.

User Experience: Click here to view the KCM GRC navigation panel access for Contributors.

Auditor accounts are used to give a reviewer, assessor, consultant, board member, or auditor limited access to the Compliance Management and/or Policy Management modules in your account. Auditors are granted access on a per-scope and per-policy campaign basis.

An Auditor can only see limited data and reports for the scopes and/or policy campaigns they're granted access to. To learn more about what an Auditor can access in your account, see our Guide for Auditors. 

For their allowed scopes:

• View compliance reports under the Metrics page:
  • Detailed Compliance Reports
  • Summary Compliance Reports
• On the Documents page, view evidence links and files for control tasks that have been satisfied and closed
• View tasks and task notes
• Leave a task note
• View controls and control notes
• View and edit their user profile

For their allowed policy campaigns:

• View Policy Management Reports under the Metrics page (and from Policy Management > Reports)
• View policy links and PDF documents that are attached to allowed campaigns

User Experience: Click here to view the KCM GRC navigation panel access for Auditors.

• Add end users to the Policy Management module
• Create user groups for policy campaigns and manage user memberships
• Download Policy Templates
• Add links to, or upload policy documents
• View, update, modify or delete policies
• Create, view, update, disable, and delete policy campaigns
• View Policy Management reports 
• Export CSV files for the policy campaign list, policy list, and individual campaigns
• View and export their assigned tasks

Policy Administrators cannot:

• View data outside of the Policy Management module (with the exception of assigned control tasks)

Campaign Administrators are granted access on a per-policy campaign basis. They have access to all data within their allowed campaigns. They can add and manage end users, monitor campaign progress, and nudge users who have not yet acknowledged policies.

If you want to limit access to some policy campaigns but not all, assign the Campaign Administrator user role.

• Create policy campaigns
• View, manage, update, and disable their allowed campaigns 
• Add end users to the Policy Management module
• Create user groups for policy campaigns and manage user memberships
• Download Policy Templates
• Add links to, or upload policy documents
• View, update, and modify policies
• View policy management reports for their allowed campaigns
• Export CSV files for the following (for their allowed campaigns): policy list, policy campaign list, and individual campaigns
• View and export their assigned tasks

Campaign Administrators cannot: 

• View campaigns outside of their allowed campaigns
• View data outside of the Policy Management module (with the exception of assigned tasks)
• Delete Campaigns
• Delete policy documents or links
• Delete end users
• Delete groups

End Users are added to KCM GRC only for the purpose of receiving policies by email, as part of policy campaigns. Using the link from the recipient's email, the users read and acknowledge your organization's policies. Policy acknowledgments are recorded in KCM GRC, within the associated policy campaign.

End Users do not log into the KCM GRC platform. They receive policy documents via email, see: User Experience

• View My Dashboard–containing data pertaining to the control tasks they're assigned to as the User Assigned, Approving Manager, or Second-level Approving Manager. If the Risk Administrator is not assigned to tasks, My Dashboard will not contain data.
• Use the Risk Wizard to add risks to the Risk Register
• From the Risk Register area, create and import new risks; edit, archive, and export existing risks
• From the Account Settings area, add, edit, and delete custom categories for the Risk Register
• View and import risks to the Risk Templates area
• View archived risks and controls (only controls mapped to risks)
• Create, map/unmap, view, and modify controls for risks
  • Note: When mapping controls to a risk, Risk Administrators can view and map any control in your account.

Under controls that are mapped to risks, Risk Administrators can:

• Clone controls
• Add control notes
• Create one-time tasks and task schedules for controls (see: Working with Task Schedules for Controls)
• View and export tasks

Under the controls for which they have assigned tasks, Risk Administrators can:

• Update tasks
• Add task notes 
• Add links and upload files as evidence for tasks
• View and download files that have been submitted as evidence or as control documents (from the Documents page and View Task page)

Risk Administrators cannot: 

• View data outside of the Risk Management module (with the exception of controls mapped to risk items, and assigned tasks)
• Complete tasks (unless they are the User Assigned)
• Create or edit other user accounts

• View and interact with the Vendor Management Dashboard
• Add and update vendor profiles from the Vendors Page
• Create Vendor Contacts (i.e., users with a Vendor User role)
• Create, configure, and review questionnaires
• Send questionnaires to vendors
• Archive questionnaires and vendors
• View archived questionnaires and vendors
• Clone questionnaires
• Export questionnaires
• Review and export completed vendor questionnaires
• Create questionnaire issues
• View My Dashboard–containing data pertaining to the tasks they're assigned to as the User Responsible or Approving Manager.
• View and export their assigned tasks
• Add task notes to assigned tasks
• View and add links or upload files as evidence for assigned tasks
• View and download files submitted as evidence for assigned tasks
• Export the Vendor Issue List and the Vendor List
• View archived vendors and questionnaires (Vendor Management module only)

Vendor Administrators cannot: 

• View data outside of the Vendor Risk Management module (with the exception of data pertaining to their assigned tasks)
• Create user accounts (with the exception of Vendor Contacts)
• Edit user accounts (including Vendor User/Vendor Contact accounts)

Vendor Users (also referred to as Vendor Contacts) are added to KCM GRC so they can complete the questionnaires you assign. Vendor Users log in to a separate portal associated with your account. The Vendor Portal is specifically for answering questionnaires and addressing issues resulting from questionnaire responses. Vendor Users do not have access to any other information in your organization's account. 

If you'd like to share an instructional article with your vendors, see our Guide for Vendor Users.

• View the Vendor Dashboard–provides access to assigned questionnaires, questionnaire issues, and any files they've attached to their questionnaire answers
• Add comments and attach files to questionnaire answers
• Import answer template files to quickly respond to questionnaire templates (see more information, here)
• View and respond to issues created by KCM users in response to questionnaire answers

User Experience: Click here to view the KCM GRC navigation panel access for Vendor Users.