Account Administrators have full access to all areas, scopes, and modules within KCM GRC. For example, they can create and disable user accounts, convert templates to scopes, and see an overview of key items in your account.

As an Account Administrator, you're presented with a Global Dashboard which provides an overview of your organization's current state of compliance, and other information pertaining to the entire Compliance Management module.

• Add new user accounts
• Create custom templates for scopes
• Convert templates to scopes
• Clone scopes
• Create and update controls
• Create task schedules
• Add/remove mappings between scoped requirements and controls
• Archive and delete items
• View archived items and unarchive items (from the Compliance, Risk Management, and Vendor Management modules)
• Use Custom Reporting

Scope Administrators work in the Compliance Management module and are granted permissions on a per-scope basis. They have access to all data within their allowed scopes, including requirements, controls, tasks, and evidence.

When creating tasks for controls, Scope Administrators can delegate responsibilities to themselves or other users as one of the following:

• User Assigned: Assigned to tasks in order to provide evidence or documentation that the organization is in compliance with the control. This user receives reminder emails based on the due dates of upcoming tasks (see: What is the task reminder email schedule?).
  Note: The User Assigned typically has a Contributor user role (for more information, see, Contributor, below). 
• Approving Manager: Once the assigned user has submitted evidence for a control task, the approving manager determines if the evidence is sufficient. If the evidence is approved (and there is not an assigned Second-level Approving Manager), the task will be closed. If deemed insufficient, Approving Managers can add task notes to inform the user of what is still needed. See: Task Approval Workflows
• Second-level Approving Manager: Responsible for approving evidence—after the Approving Manager has approved the evidence.

• View the Global Dashboard–providing an overview of the scopes that this user has access to (meaning, this user's allowed scopes).
• View My Dashboard–containing data pertaining to the tasks they're assigned to as the User Assigned, Approving Manager, or Second-level Approving Manager.

Under their allowed scope(s), Scope Administrators can:

• View and update scope details (name, description, add tags, and modify evidence permissions)
• Map requirements to a scope (any requirement that exists in your account)
• Unmap requirements from a scope
• Add tags to a requirement
• Complete a Scope Self-Assessment
• Create, view, and edit controls (for scoped requirements)
• Map controls to a scoped requirement (any control that exists in your account)
• Unmap controls from a scoped requirement 
• Add control documents and control notes to a control
• Create one-time tasks and task schedules (see: Working With Task Schedules for Controls)
• Add task notes to a task
• Submit and view task evidence
• View compliance reports under the Metrics page
• View archived scopes (if the scope was an allowed scope) 

Scope Administrators cannot: 

• View or modify items that are outside of their allowed scope(s)
• View modules other than the Compliance Management module
• Create or modify templates
• Convert templates to scopes
• Create scopes
• Clone scopes
• Delete, archive, or unarchive, scopes
• Edit requirements
• Delete requirements
• Delete controls
• Map a control to a risk
• Create or edit other user accounts
• Create user groups
• Edit tasks*
  *Exception: Under our user groups workflow, Scope Administrators can be assigned as a group lead—where they hold special permissions allowing them to reassign their tasks to other users in their group. For more, see: Working With User Groups.

User Experience: Click here to view the KCM GRC navigation panel access for Scope Administrators.

Under the Compliance Management module, Contributor users can access more than the Auditor user role, and less than the Scope Administrator user role. This role is assigned to users for the purpose of completing or approving tasks for controls.

Contributors complete the tasks or approve the tasks that are assigned to them by the Scope Administrator or Account Administrator. Contributors can be assigned to tasks as one of the following:

• User Assigned
• Approving Manager
• Second-level Approving Manager

For more information on the roles for tasks, see Task Approval Workflows. 

• View My Dashboard–containing data pertaining to the tasks they're assigned to as the User Assigned, Approving Manager, or Second-level Approving Manager.

When assigned to a control task as the User Assigned, Approving Manager, or the Second-level Approving Manager, Contributors can:

• View controls (via the View Task page)
• View control documents and control notes
• Add control notes
• View tasks
• View and add task notes
• View and add links or upload documents as evidence for control tasks
• View the files and links that they have already submitted as evidence for control tasks (via the Documents page)

Contributors cannot:

• Create task schedules
• Create or modify controls
• View, create, or modify requirements
• View, create, or modify scopes
• View, create, or edit other user accounts
• Edit tasks*
  *Exception: Under our user groups workflow, Scope Administrators can be assigned as a group lead—where they hold special permissions allowing them to reassign their tasks to other users in their group. For more, see: Working With User Groups.

User Experience: Click here to view the KCM GRC navigation panel access for Contributors.

Auditor accounts are used to give a reviewer, assessor, consultant, board member, or auditor limited access to the Compliance Management and/or Policy Management modules in your account. Auditors are granted access on a per-scope and per-policy campaign basis.

An Auditor can only see limited data and reports for the scopes and/or policy campaigns they're granted access to. To learn more about what an Auditor can access in your account, see our Guide for Auditors. 

For their allowed scopes:

• View compliance reports under the Metrics page:
  • Detailed Compliance Reports
  • Summary Compliance Reports
• View links and files that have been submitted and approved as evidence for control tasks
• View tasks and task notes
• Leave a task note
• View controls and control notes
• View and edit their user profile

For their allowed policy campaigns:

• View Policy Management Reports under the Metrics page (and from Policy Management > Reports)
• View policy links and PDF documents that are attached to allowed campaigns

User Experience: Click here to view the KCM GRC navigation panel access for Auditors.

• Add end users to the Policy Management module
• Create user groups for policy campaigns and manage user memberships
• Add links to, or upload policy documents
• View, update, modify or delete policies
• Create, view, update, disable, and delete policy campaigns
• View Policy Management reports 

Policy Administrators cannot:

• View data outside of the Policy Management module (with the exception of assigned control tasks)

Campaign Administrators are granted access on a per-policy campaign basis. They have access to all data within their allowed campaigns. They can add and manage end users, monitor campaign progress, and nudge users who have not yet acknowledged policies.

If you want to limit access to some policy campaigns but not all, assign the Campaign Administrator user role.

• Create policy campaigns
• View, manage, update, and disable their allowed campaigns 
• Add end users to the Policy Management module
• Create user groups for policy campaigns and manage user memberships
• Add links to, or upload policy documents
• View, update, and modify policies
• View policy management reports for their allowed campaigns

Campaign Administrators cannot: 

• View campaigns outside of their allowed campaigns
• View data outside of the Policy Management module (with the exception of assigned tasks)
• Delete Campaigns
• Delete policy documents or links
• Delete end users
• Delete groups

End Users are added to KCM GRC only for the purpose of receiving policies by email, as part of policy campaigns. Using the link from the recipient's email, the users read and acknowledge your organization's policies. Policy acknowledgments are recorded in KCM GRC, within the associated policy campaign.

End Users do not log into the KCM GRC platform. They receive policy documents via email, see: User Experience

• Use the Risk Wizard to add risks to the Risk Register
• Use the Risk Register to import/export, modify, archive, and add new risks.
• Add and delete risk tags under Account Settings
• Add, edit, and delete risk categories under Account Settings
• View and import risks in the Risk Templates area
• Create, map, view, and modify controls for risks
• Add control notes
• Create one-time tasks and task schedules for risk controls (see: How Do I create Control Tasks?)
• Add task notes
• View and add links or upload files as evidence for their tasks
• View, upload, and download files submitted as evidence for their tasks
• Export risk control task details in a CSV file format
• View archived risks and controls (Risk Management module only)

Risk Administrators cannot: 

• View data outside of the Risk Management module (with the exception of controls mapped to risk items, and assigned tasks)
• Create or edit other user accounts

• View and interact with the Vendor Management Dashboard
• Add and update vendor profiles from the Vendors Page
• Create Vendor Contacts (i.e., users with a Vendor User role)
• Create, configure, and review questionnaires
• Send questionnaires to vendors
• Archive questionnaires and vendors
• View archived questionnaires and vendors
• Clone questionnaires
• Export questionnaires Review completed vendor questionnaires
• Create questionnaire issues
• View My Dashboard–containing data pertaining to the tasks they're assigned to as the User Responsible or Approving Manager.
• Add task notes to assigned tasks
• View and add links or upload files as evidence for assigned tasks
• View and download files submitted as evidence for assigned tasks
• View archived vendors and questionnaires (Vendor Management module only)

Vendor Administrators cannot: 

• View data outside of the Vendor Risk Management module (with the exception of data pertaining to their assigned tasks)
• Create user accounts (with the exception of Vendor Contacts)
• Edit user accounts (including Vendor User/Vendor Contact accounts)

Vendor Users (also referred to as Vendor Contacts) are added to KCM GRC so they can complete the questionnaires you assign. Vendor Users log in to a separate portal associated with your account. The Vendor Portal is specifically for answering questionnaires and addressing issues resulting from questionnaire responses. Vendor Users do not have access to any other information in your organization's account. 

If you'd like to share an instructional article with your vendors, see our Guide for Vendor Users.

• View the Vendor Dashboard–provides access to assigned questionnaires, questionnaire issues, and any files they've attached to their questionnaire answers
• Add comments and attach files to questionnaire answers
• Import answer template files to quickly respond to questionnaire templates (see more information, here)
• View and respond to issues created by KCM users in response to questionnaire answers

User Experience: Click here to view the KCM GRC navigation panel access for Vendor Users.