KCM GRC offers a role-based access control (RBAC) model for the user accounts that your organization uses to implement, manage, and perform workflows in your platform. The RBAC model allows you to assign user roles to your users so that they can only access the information that they need to perform their responsibilities. This model prevents users from having access to privileged or unnecessary information. You can assign multiple user roles to users who need to perform multiple responsibilities or work in different modules of your platform.
To learn how to create users accounts and assign user roles, see the Creating User Accounts section of our How to Create and Manage KCM GRC User Accounts article. To learn how to modify a user's user roles, see the Updating User Account Details section of our How to Create and Manage KCM GRC User Accounts article.
To learn about the user roles that we offer and the use cases for each user role, see the sections below.
Descriptions and Privileges
For a description of each user role and an outline of the user role's privileges, see the table below:
Compliance User Role |
Definition |
Privileges |
Licensed User (Y/N) |
Account Administrator |
Account Administrators have full access to all areas, scopes, and modules within KCM GRC. For example, Account Administrators can create and disable user accounts, convert templates to scopes, and view an overview of key items in your account.
As an Account Administrator, you can access the Global Dashboard, which provides an overview of your organization's current state of compliance and other information for the Compliance Management module.
|
Account Administrators have full access to all areas and workflows in the console. For example, Account Administrators can perform the actions listed below:
- Modify the Account Settings.
- Add new user accounts.
- Modify user roles.
- Create custom templates for scopes.
- Convert templates to scopes.
- Clone scopes.
- Create, upload, and update controls.
- Create task schedules.
- Add and remove mappings between scoped requirements and controls.
- Archive and delete items.
- View archived items and unarchive items from the Compliance Managament, Risk Management, and Vendor Management modules.
- Use custom reporting.
- Create scope exports.
- Download policy templates.
- Download plan templates.
- Create data exports.
|
Y |
Scope Administrator |
Scope Administrators work in the Compliance Management module and are granted permissions on a individual-scope basis. Scope Administrators have access to all data within their allowed scopes, including requirements, controls, tasks, and evidence.
When creating tasks for controls, Scope Administrators can delegate responsibilities to themselves or other users as one of the following:
-
User Assigned: The User Assigned typically has the Contributor user role and is assigned to tasks. The User Assigned can provide evidence or documentation that the organization is compliant with a control. This user receives email notifications based on the due dates of upcoming tasks. For more information, see our How to Monitor and Complete Tasks article.
-
Approving Manager: Once the User Assigned has submitted evidence for a control task, the Approving Manager determines if the evidence is sufficient. If the evidence is approved and a Second-level Approving Manager is not assigned to the task, the task will be closed. If the evidence is marked as insufficient, Approving Managers can add task notes to inform the user about the additional information needed to complete the task. For more information, see our Task Approval Workflow article.
-
Second-level Approving Manager: The Second-level Approving Manager is responsible for approving evidence, after the Approving Manager has approved the evidence.
|
- View the Global Dashboard, which displays an overview of their allowed scopes.
- View the My Dashboard, which displays data for the tasks they're assigned to as the User Assigned, Approving Manager, or Second-level Approving Manager.
Under their allowed scope(s), Scope Administrators can perform the actions listed below:
- View and update scope details (name, description, add tags, and modify evidence permissions)
- Map requirements to a scope (any requirement that exists in your account)
- Unmap requirements from a scope
- Create requirements.
- Add tags to a requirement.
- Complete a scope self-assessment.
- Create, view, and edit controls for scoped requirements.
-
Map any controls that exist in your account to a scoped requirement.
-
Unmap controls from a scoped requirement.
- Add control documents and control notes to a control.
- View and export tasks.
- Create one-time tasks and task schedules. For more information, see our How to Work with Tasks and Task Schedules for Controls article.
- Update tasks, including changing the Task Name, Task Description, User Assigned, Approving Managers, due date, and evidence requirements.
- Add notes to a task.
- View task evidence.
- Submit task evidence.
- View compliance reports under the Metrics page.
- Create scope exports.
- Export controls and scoped requirements.
- View archived scopes if the scope was an allowed scope.
Scope Administrators cannot perform the actions listed below:
- View or modify items that are outside of their allowed scopes.
- View modules other than the Compliance Management module.
- Create or modify templates.
- Convert templates to scopes.
- Create scopes.
- Clone scopes.
- Delete, archive, or unarchive, scopes.
- Edit requirements.
- Delete requirements.
- Delete controls.
- Map controls to risks.
- Complete tasks, unless they are the User Assigned.
- Create, edit, or view other user accounts.
- Create, edit, or view user groups.
|
Y |
Contributor |
Under the Compliance Management module, Contributor users can access more than the Auditor user role, and less than the Scope Administrator user role. This role is assigned to users for the purpose of completing or approving tasks for controls.
Contributors complete the tasks or approve the tasks that are assigned to them by the Scope Administrator or Account Administrator. Contributors can be assigned to tasks as one of the following:
- User Assigned
- Approving Manager
- Second-level Approving Manager
For more information on the roles for tasks, see Task Approval Workflows.
|
- View the My Dashboard, which displays data for the tasks they're assigned to as the User Assigned, Approving Manager, or Second-level Approving Manager.
When assigned to a control task as the User Assigned, Approving Manager, or the Second-level Approving Manager, Contributors can perform the following actions:
- View controls from the View Task page.
- View control documents and control notes.
- Add control notes.
- View their assigned tasks.
- View and add task notes to their assigned tasks.
- View and add links or upload documents as evidence for control tasks.
- Complete tasks if they are the User Assigned.
- View the files and links that they have already submitted as evidence for control tasks by viewing the Documents page.
Contributors cannot perform the actions listed below:
- Create task schedules.
- Create or edit controls.
- View, create, or edit requirements.
- View, create, or edit scopes.
- View, create, or edit other user accounts.
- Edit tasks, unless they are assigned as the Group Lead for the task. Group Leads have special permissions that allow them to reassign their tasks to other users in their group. For more information, see our How to Work with User Groups article.
|
Y |
Auditor |
Auditor accounts are used to give a reviewer, assessor, consultant, board member, or auditor limited access to the Compliance Management and/or Policy Management modules in your account. Auditors are granted access on a per-scope and per-policy campaign basis.
An Auditor can only see limited data and reports for the scopes and/or policy campaigns they're granted access to. To learn more about what an Auditor can access in your account, see our Guide for Auditors.
|
For their allowed scopes Auditors can perform the actions listed below:
- View the following compliance reports under the Metrics page:
- Detailed Compliance Reports
- Summary Compliance Reports
- On the Documents page, view evidence links and files for control tasks that have been Satisfied and Closed.
- View tasks and task notes.
- Leave a task note.
- View controls and control notes.
- View and edit their user profile.
For their allowed policy campaigns Auditors can perform the actions listed below:
- View Policy Management Reports under the Metrics page and from Policy Management > Reports.
- View policy links and PDF documents that are attached to allowed campaigns.
|
N |
Policy Management User Role |
Definition |
Privileges |
Licensed User (Y/N) |
Policy Administrator |
Policy Administrators have full access to all objects (i.e., campaigns, groups, users, policies, etc.) within the Policy Management module. Policy Administrators can add end users, create user groups, and create and manage all policy campaigns. For more information, see our Policy Management Module Guide. |
- Add end users to the Policy Management module.
- Create user groups for policy campaigns and manage user memberships.
- Download policy templates.
- Download plan templates.
-
Add links to, or upload policy documents.
- View, update, modify or delete policies.
- Create, view, update, disable, and delete policy campaigns.
- View Policy Management reports.
- Export CSV files for the policy campaign list, policy list, and individual campaigns.
- View and export their assigned tasks.
Policy Administrators cannot perform the actions listed below:
- View data outside of the Policy Management module, with the exception of control tasks that are assigned to them.
|
Y |
Campaign Administrator |
Campaign Administrators are granted access on a per-policy campaign basis. They have access to all data within their allowed campaigns. They can add and manage end users, monitor campaign progress, and nudge users who have not yet acknowledged policies.
If you want to limit access to some policy campaigns but not all, assign the Campaign Administrator user role.
|
- Create policy campaigns.
- View, manage, update, and disable their allowed campaigns.
- Add end users to the Policy Management module.
- Create user groups for policy campaigns and manage user memberships.
- Download policy templates.
- Download plan templates.
-
Add links to, or upload policy documents.
- View, update, and modify policies.
- View policy management reports for their allowed campaigns.
- For their allowed campaigns, export CSV files of the policy list, policy campaign list, and individual campaigns.
- View and export their assigned tasks.
Campaign Administrators cannot perform the actions listed below:
- View campaigns outside of their allowed campaigns.
- View data outside of the Policy Management module, with the exception of tasks that are assigned to them.
- Delete Campaigns.
- Delete policy documents or links.
- Delete policy management users.
- Delete policy management groups.
|
Y |
End User |
End Users are added to KCM GRC only for the purpose of receiving policies by email, as part of policy campaigns. Using the link from the recipient's email, the users read and acknowledge your organization's policies. Policy acknowledgments are recorded in KCM GRC, within the associated policy campaign.
|
End Users do not log into the KCM GRC platform. Instead, end users receive policy documents in their emails. For more information, see the User Experience section of our Policy Management Module Guide.
|
N |
Risk Management User Role |
Definition |
Privileges |
Licensed User (Y/N) |
Risk Administrator |
Risk Administrators have full access to all areas and items within the Risk Management module (i.e., Risk Templates, Risk Register, Risk Wizard, etc.). For more information, see our Risk Management Module Guide. |
- View the My Dashboard, which displays data for the control tasks they're assigned to as the User Assigned, Approving Manager, or Second-level Approving Manager. If the Risk Administrator is not assigned to tasks, the My Dashboard will not contain any data.
- Use the Risk Wizard to add risks to the Risk Register.
- From the Risk Register area, create and import new risks and edit, archive, and export existing risks.
- From the Account Settings area, add, edit, and delete custom categories for the Risk Register.
- View and import risks to the Risk Templates page.
- View archived risks and archived controls that are mapped to risks.
- Create, map, unmap, view, and modify controls for risks.
Under controls that are mapped to risks, Risk Administrators can perform the actions listed below:
Under the controls that Risk Administrators are assigned to tasks for, they can perform the actions listed below:
- Update tasks.
- Add notes to tasks.
- Add links and upload files as evidence for tasks.
- View and download files that have been submitted as evidence or as control documents, from the Documents page and the. View Task page.
Risk Administrators cannot perform the actions listed below:
- View data outside of the Risk Management module, with the exception of tasks that are assigned to them and controls that are mapped to risk items.
- Complete tasks, unless they are the User Assigned.
- Create or edit other user accounts.
|
Y |
Vendor Risk Management User Role |
Definition |
Privileges |
Licensed User (Y/N) |
Vendor Administrator |
Vendor Administrators have full access to all areas (i.e., Vendor Dashboard, Vendors, Questionnaires, etc.) and items within the Vendor Risk Management module. For more information on this module, see our Vendor Risk Management Introduction Guide. |
- View and interact with the Vendor Dashboard.
- Add and update vendor profiles from the Vendors Page.
- Create Vendor Contacts, which are users that are assigned a Vendor User user role.
-
Create, configure, and review questionnaires.
-
Send questionnaires to vendors.
- Archive questionnaires and vendors.
- View archived questionnaires and vendors.
-
Clone questionnaires.
-
Export questionnaires.
-
Review and export completed vendor questionnaires.
- Create questionnaire issues.
- View the My Dashboard, which displays data for the tasks they're assigned to as the User Responsible or Approving Manager.
- View and export their assigned tasks.
- Add notes to assigned tasks.
- View and add links or upload files as evidence for assigned tasks.
- View and download files submitted as evidence for assigned tasks.
- Export a vendor issues list and a vendor list.
- View archived vendors and questionnaires.
Vendor Administrators cannot perform the actions listed below:
- View data outside of the Vendor Risk Management module, with the exception of data for tasks that are assigned to them.
- Create user accounts, with the exception of Vendor Contacts.
- Edit user accounts, including users who are assigned the Vendor User user role.
|
Y |
Vendor User |
Vendor Users (also referred to as Vendor Contacts) are added to KCM GRC so they can complete the questionnaires you assign. Vendor Users log in to a separate portal associated with your account. The Vendor Portal is specifically for answering questionnaires and addressing issues resulting from questionnaire responses. Vendor Users do not have access to any other information in your organization's account.
If you'd like to share an instructional article with your vendors, see our Guide for Vendor Users.
|
- View the Vendor Dashboard, which allows them to access their assigned questionnaires, questionnaire issues, and any files they've attached to questionnaires.
- Add comments and attach files to questionnaire answers.
- Import answer template files to quickly respond to questionnaire templates. For more information, see see more information, see the Importing Answers with Assessment Tools section of our Guide for Vendor Users.
- View and respond to issues created by KCM users in response to questionnaire answers.
|
N |
Use Cases
The use cases in the table below can help you decide which user roles to assign to members of your organization.
See the table below for examples of actions that each user role typically performs:
User Role
|
Responsibilities
|
Account Administrator |
For examples of actions that an Account Administrator can perform, see the list below:
- Create templates and scopes that contain your organization's necessary governance requirements or objectives.
- Use reporting features to monitor and assess your organization's state of compliance.
- Create user accounts and assign user roles.
|
Scope Administrator
|
For examples of actions that a Scope Administrator can perform, see the list below:
- Create internal controls for the requirements in a scope, or map the requirements to existing controls.
- Create task schedules and delegate tasks for meeting control objectives.
- Monitor adherence to compliance controls.
- Create and monitor response plans for audit findings.
|
Contributor |
For examples of actions that a Contributor can perform, see the list below:
|
Policy Administrator |
For examples of actions that a Policy Administrator can perform, see the list below:
- Add and update your organization's policies.
-
Distribute policies to employees and track acknowledgments.
|
Campaign Administrator |
For examples of actions that a Campaign Administrator can perform, see the list below:
- Distribute policies to employees and track acknowledgments.
|
Risk Administrator
|
For examples of actions that a Risk Administrator can perform, see the list below:
|
Auditor
|
For examples of actions that an Auditor can perform, see the list below:
- Review control evidence from the Documents page.
- Review controls and tasks using the compliance and scope reports found under the Metrics page.
|
Vendor Administrator
|
For examples of actions that a Vendor Administrator can perform, see the list below:
|