What Are the Different User Roles Available for My KCM GRC Platform?
The KCM governance, risk, and compliance platform (KCM GRC) uses a role-based access control (RBAC) model for the user accounts your organization needs to implement, manage, and carry out workflows in KCM. With this model, users can complete the job functions of their role without having access to privileged or unnecessary information. You can grant multiple user roles to one individual, allowing that user to work across the different modules available for your account. Roles combine, so grant each individual only the roles their job function actually requires.
Note: If you grant the Account Administrator user role and later need to downgrade that user's permissions, you'll need to contact our support team at support@knowbe4.com to do so; removing the Account Administrator role is not self-service. Treat that grant as a long-lived elevation and keep the number of Account Administrators small.
See below for a description of each user role and an outline of its privileges, grouped by module.
Compliance User Roles

Account Administrator
Definition: Account Administrators have full access to all areas, scopes, and modules within KCM GRC. For example, they can create and disable user accounts, convert templates to scopes, and see an overview of key items in your account. As an Account Administrator, you're presented with a Global Dashboard, which provides an overview of your organization's current state of compliance and other information pertaining to the entire Compliance Management module.
Privileges: Account Administrators have full access to all areas and workflows in the console. For example, they can:
- Add new user accounts
- Create custom templates for scopes
- Convert templates to scopes
- Clone scopes
- Create and update controls
- Create task schedules
- Add or remove mappings between scoped requirements and controls
- Archive and delete items
- View archived items and unarchive them (from the Compliance, Risk Management, and Vendor Management modules)
- Use Custom Reporting
- Create scope exports
Licensed User: Y

Scope Administrator
Definition: Scope Administrators work in the Compliance Management module and are granted permissions on a per-scope basis. They have access to all data within their allowed scopes, including requirements, controls, tasks, and evidence.
When creating tasks for controls, Scope Administrators can delegate responsibilities to themselves or to other users in one of the following task roles:
- User Assigned: Assigned to a task to provide evidence or documentation that the organization complies with the control. This user receives reminder emails based on the due dates of upcoming tasks (see: Control Task Notifications). Note: The User Assigned typically has the Contributor user role (see Contributor, below).
- Approving Manager: Once the User Assigned has submitted evidence for a control task, the Approving Manager determines whether the evidence is sufficient. If the evidence is approved (and no Second-level Approving Manager is assigned), the task is closed. If the evidence is deemed insufficient, the Approving Manager can add task notes to tell the user what is still needed. See: Task Approval Workflows
- Second-level Approving Manager: Provides a second approval of the evidence after the Approving Manager has approved it.
Privileges:
- View the Global Dashboard, which provides an overview of the scopes this user has access to (that is, the user's allowed scopes)
- View My Dashboard, which contains data on the tasks they're assigned to as the User Assigned, Approving Manager, or Second-level Approving Manager
Under their allowed scope(s), Scope Administrators can:
- View and update scope details (name, description, tags, and evidence permissions)
- Map requirements to a scope (any requirement that exists in your account)
- Unmap requirements from a scope
- Create requirements
- Add tags to a requirement
- Complete a Scope Self-Assessment
- Create, view, and edit controls (for scoped requirements)
- Map controls to a scoped requirement (any control that exists in your account)
- Unmap controls from a scoped requirement
- Add control documents and control notes to a control
- Create one-time tasks and task schedules (see: Working With Task Schedules for Controls)
- Update tasks (that is, change the Task Name, Task Description, User Assigned, Approving Manager(s), due date, and evidence requirements)
- Add task notes to a task
- View task evidence
- Submit task evidence
- View compliance reports under the Metrics page
- Create scope exports
- View archived scopes (if the scope was an allowed scope)
Scope Administrators cannot:
- View or modify items outside their allowed scope(s)
- View modules other than the Compliance Management module
- Create or modify templates
- Convert templates to scopes
- Create scopes
- Clone scopes
- Delete, archive, or unarchive scopes
- Edit requirements
- Delete requirements
- Delete controls
- Map a control to a risk
- Complete tasks (unless they are the User Assigned)
- Create, edit, or view other user accounts
- Create, edit, or view user groups
Licensed User: Y
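As an added illustration of the control-task approval workflow described above (this is example code written for this page, not KnowBe4's implementation, and the class, state, and user names are assumptions), the following Python models the three task roles and enforces who may act at each stage: only the User Assigned can submit evidence, only the Approving Manager can review it, and a Second-level Approving Manager, when one is assigned, must approve before the task closes. The page does not say what happens to a task after a rejection, so returning it to the User Assigned along with the manager's note is an assumption. Because the page lets a Scope Administrator delegate a task to themselves, the model deliberately does not require the approver to be a different person from the User Assigned.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Task states (names are assumptions made for this example, not KCM GRC terms)
OPEN = "open"                      # waiting on the User Assigned
SUBMITTED = "submitted"            # waiting on the Approving Manager
FIRST_APPROVED = "first_approved"  # waiting on the Second-level Approving Manager
CLOSED = "closed"


class NotPermitted(Exception):
    """Raised when an actor attempts an action their task role does not allow."""


@dataclass
class ControlTask:
    name: str
    user_assigned: str
    approving_manager: str
    second_level_approver: Optional[str] = None  # optional, as on the page
    state: str = OPEN
    evidence: list = field(default_factory=list)
    notes: list = field(default_factory=list)

    def submit_evidence(self, actor: str, item: str) -> str:
        """Only the User Assigned may attach evidence (a Scope Administrator can
        complete a task only when they are also the User Assigned)."""
        if actor != self.user_assigned:
            raise NotPermitted(f"{actor} is not the User Assigned for {self.name!r}")
        if self.state != OPEN:
            raise NotPermitted(f"{self.name!r} is not awaiting evidence (state={self.state})")
        self.evidence.append((actor, item))
        self.state = SUBMITTED
        return self.state

    def _expected_reviewer(self):
        """Who must act next, and the state reached if they approve."""
        if self.state == SUBMITTED:
            # Closes on first approval unless a Second-level Approving Manager is assigned
            nxt = CLOSED if self.second_level_approver is None else FIRST_APPROVED
            return self.approving_manager, nxt
        if self.state == FIRST_APPROVED:
            return self.second_level_approver, CLOSED
        raise NotPermitted(f"{self.name!r} has nothing awaiting review (state={self.state})")

    def review(self, actor: str, approved: bool, note: Optional[str] = None) -> str:
        reviewer, next_state = self._expected_reviewer()
        if actor != reviewer:
            raise NotPermitted(f"{actor} is not the reviewer for {self.name!r} at this stage")
        if approved:
            self.state = next_state
        else:
            # The page says the manager adds a task note describing what is still
            # needed; sending the task back to the User Assigned is an assumption.
            if not note:
                raise ValueError("a rejection must carry a task note")
            self.notes.append((actor, note))
            self.state = OPEN
        return self.state


def is_permitted(action: Callable, *args, **kwargs) -> bool:
    """Helper for checks: True if the action ran, False if the role model refused it."""
    try:
        action(*args, **kwargs)
        return True
    except NotPermitted:
        return False


def demo() -> dict:
    """Constructed walk-through of the three cases the page describes."""
    # Case 1: no second-level approver, so one approval closes the task
    t1 = ControlTask("Quarterly access review", "alice", "bob")
    t1.submit_evidence("alice", "access-review-Q1.pdf")
    t1.review("bob", approved=True)

    # Case 2: second-level approver assigned; the first approval does not close it
    t2 = ControlTask("Backup restore test", "alice", "bob", second_level_approver="carol")
    t2.submit_evidence("alice", "restore-log.txt")
    after_first = t2.review("bob", approved=True)
    t2.review("carol", approved=True)

    # Case 3: insufficient evidence; the note tells the User Assigned what is missing
    t3 = ControlTask("Firewall rule review", "alice", "bob")
    t3.submit_evidence("alice", "screenshot.png")
    t3.review("bob", approved=False, note="Need the exported rule set, not a screenshot")

    return {"single": t1.state, "after_first": after_first, "two_level": t2.state,
            "rejected": t3.state, "rejection_notes": len(t3.notes)}
```

Run demo() to see the three outcomes; the point of the model is that the checks live in one place, so an Auditor viewing approved evidence later can trust that every closed task passed through the required approvers in order.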
Contributor
Definition: Within the Compliance Management module, Contributors have more access than Auditors and less than Scope Administrators. This role is assigned to users who complete or approve tasks for controls. Contributors complete or approve the tasks assigned to them by a Scope Administrator or Account Administrator, and can be assigned to a task as one of the following:
- User Assigned
- Approving Manager
- Second-level Approving Manager
For more information on the task roles, see Task Approval Workflows.
Privileges:
- View My Dashboard, which contains data on the tasks they're assigned to as the User Assigned, Approving Manager, or Second-level Approving Manager
When assigned to a control task as the User Assigned, Approving Manager, or Second-level Approving Manager, Contributors can:
- View controls (via the View Task page)
- View control documents and control notes
- Add control notes
- View tasks
- View and add task notes
- View and add links or upload documents as evidence for control tasks
- Complete tasks (only if they are the User Assigned)
- View the files and links they have already submitted as evidence for control tasks (via the Documents page)
Contributors cannot:
- Create task schedules
- Create or edit controls
- View, create, or edit requirements
- View, create, or edit scopes
- View, create, or edit other user accounts
- Edit tasks*
*Exception: Under the user groups workflow, a Contributor can be assigned as a group lead, which grants the special permission to reassign their tasks to other users in their group. For more, see: Working With User Groups.
Licensed User: Y

Auditor
Definition: Auditor accounts give a reviewer, assessor, consultant, board member, or auditor limited access to the Compliance Management and/or Policy Management modules in your account. Auditors are granted access on a per-scope and per-policy-campaign basis. An Auditor can only see limited data and reports for the scopes and/or policy campaigns they've been granted access to. To learn more about what an Auditor can access in your account, see our Guide for Auditors.
Privileges:
For their allowed scopes:
- View compliance reports under the Metrics page:
  - Detailed Compliance Reports
  - Summary Compliance Reports
- View links and files that have been submitted and approved as evidence for control tasks
- View tasks and task notes
- Leave a task note
- View controls and control notes
- View and edit their own user profile
For their allowed policy campaigns:
- View Policy Management reports under the Metrics page (and from Policy Management > Reports)
- View policy links and PDF documents attached to allowed campaigns
Licensed User: N
Policy Management User Roles

Policy Administrator
Definition: Policy Administrators have full access to all objects (campaigns, groups, users, policies, and so on) within the Policy Management module. Policy Administrators can add end users, create user groups, and create and manage all policy campaigns. For more information, see our Policy Management article.
Privileges:
Policy Administrators cannot:
- View data outside of the Policy Management module (with the exception of assigned control tasks)
Licensed User: Y

Campaign Administrator
Definition: Campaign Administrators are granted access on a per-policy-campaign basis. They have access to all data within their allowed campaigns. They can add and manage end users, monitor campaign progress, and nudge users who have not yet acknowledged policies. If you want to limit a user's access to some policy campaigns but not all, assign the Campaign Administrator user role instead of the Policy Administrator role.
Privileges:
- Create policy campaigns
- View, manage, update, and disable their allowed campaigns
- Add end users to the Policy Management module
- Create user groups for policy campaigns and manage user memberships
- Add links to, or upload, policy documents
- View, update, and modify policies
- View Policy Management reports for their allowed campaigns
Campaign Administrators cannot:
- View campaigns outside of their allowed campaigns
- View data outside of the Policy Management module (with the exception of assigned tasks)
- Delete campaigns
- Delete policy documents or links
- Delete end users
- Delete groups
Licensed User: Y

End User
Definition: End Users are added to KCM GRC only to receive policies by email as part of policy campaigns. Using the link in the email, the user reads and acknowledges your organization's policies. Policy acknowledgments are recorded in KCM GRC within the associated policy campaign.
Privileges: End Users do not log in to the KCM GRC platform. They receive policy documents by email (see: User Experience).
Licensed User: N
Risk Management User Roles

Risk Administrator
Definition: Risk Administrators have full access to all areas and items within the Risk Management module (Risk Templates, Risk Register, Risk Wizard, and so on). For more information, see our Risk Management: Overview article.
Privileges:
- View My Dashboard, which contains data on the control tasks they're assigned to as the User Assigned, Approving Manager, or Second-level Approving Manager. If the Risk Administrator is not assigned to any tasks, My Dashboard will be empty.
- Use the Risk Wizard to add risks to the Risk Register
- From the Risk Register area, create and import new risks; edit, archive, and export existing risks
- From the Account Settings area, add, edit, and delete custom categories for the Risk Register
- View and import risks to the Risk Templates area
- View archived risks and controls (only controls mapped to risks)
- Create, map/unmap, view, and modify controls for risks
Under the controls for which they have assigned tasks, Risk Administrators can:
- Update tasks
- Add task notes
- Add links and upload files as evidence for tasks
- View and download files submitted as evidence or as control documents (from the Documents page and View Task page)
Risk Administrators cannot:
- View data outside of the Risk Management module (with the exception of controls mapped to risk items, and assigned tasks)
- Complete tasks (unless they are the User Assigned)
- Create or edit other user accounts
Licensed User: Y
Vendor Risk Management User Roles

Vendor Administrator
Definition: Vendor Administrators have full access to all areas (Vendor Dashboard, Vendors, Questionnaires, and so on) and items within the Vendor Risk Management module. For more information on this module, see our Vendor Risk Management Introduction Guide.
Privileges:
- View and interact with the Vendor Management Dashboard
- Add and update vendor profiles from the Vendors page
- Create Vendor Contacts (that is, users with the Vendor User role)
- Create, configure, and review questionnaires
- Send questionnaires to vendors
- Archive questionnaires and vendors
- View archived questionnaires and vendors (Vendor Management module only)
- Clone questionnaires
- Export questionnaires
- Review completed vendor questionnaires
- Create questionnaire issues
- View My Dashboard, which contains data on the tasks they're assigned to as the User Responsible or Approving Manager
- Add task notes to assigned tasks
- View and add links or upload files as evidence for assigned tasks
- View and download files submitted as evidence for assigned tasks
Vendor Administrators cannot:
- View data outside of the Vendor Risk Management module (with the exception of data pertaining to their assigned tasks)
- Create user accounts (with the exception of Vendor Contacts)
- Edit user accounts (including Vendor User/Vendor Contact accounts)
Licensed User: Y

Vendor User
Definition: Vendor Users (also referred to as Vendor Contacts) are added to KCM GRC so they can complete the questionnaires you assign. Vendor Users log in to a separate portal associated with your account. The Vendor Portal is specifically for answering questionnaires and addressing issues raised in response to questionnaire answers; Vendor Users have no access to any other information in your organization's account. If you'd like to share an instructional article with your vendors, see our Guide for Vendor Users.
Privileges:
- View the Vendor Dashboard, which provides access to assigned questionnaires, questionnaire issues, and any files they've attached to their questionnaire answers
- Add comments and attach files to questionnaire answers
- Import answer template files to respond quickly to questionnaire templates
- View and respond to issues created by KCM users in response to questionnaire answers
Licensed User: N
Creating New Users: Selecting User Roles
For additional information on the user roles, our User Role Use Cases may help you determine which roles are the best fit for your organization's objectives in your GRC platform.
If you'd like instructions for adding new users to your platform, please see the Creating New Users section of our Working with Users article.