KCM GRC offers a role-based access control (RBAC) model for the user accounts that your organization uses to implement, manage, and perform workflows in your platform. The RBAC model allows you to assign user roles to your users so that they can only access the information that they need to perform their responsibilities. This model prevents users from having access to privileged or unnecessary information. You can assign multiple user roles to users who need to perform multiple responsibilities or work in different modules of your platform.
To learn how to create user accounts and assign user roles, see the Creating User Accounts section of our How to Create and Manage KCM GRC User Accounts article. To learn how to modify a user's user roles, see the Updating User Account Details section of the same article.
To learn about the user roles that we offer and the use cases for each user role, see the sections below.
Descriptions and Privileges
For a description of each user role and an outline of the user role's privileges, see the table below:
Compliance User Role | Definition | Privileges | Licensed User (Y/N)
Account Administrator | Account Administrators have full access to all areas, scopes, and modules within KCM GRC. For example, Account Administrators can create and disable user accounts, convert templates to scopes, and view an overview of key items in your account. As an Account Administrator, you can access the Global Dashboard, which provides an overview of your organization's current state of compliance and other information for the Compliance Management module. | Account Administrators have full access to all areas and workflows in the console. For example, Account Administrators can perform the actions listed below: | Y
Scope Administrator | Scope Administrators work in the Compliance Management module and are granted permissions on an individual-scope basis. Scope Administrators have access to all data within their allowed scopes, including requirements, controls, tasks, and evidence. When creating tasks for controls, Scope Administrators can delegate responsibilities to themselves or other users as one of the following: | Under their allowed scope(s), Scope Administrators can perform the actions listed below: Scope Administrators cannot perform the actions listed below: | Y
Contributor | Under the Compliance Management module, Contributor users can access more than the Auditor user role and less than the Scope Administrator user role. This role is assigned to users for the purpose of completing or approving tasks for controls. Contributors complete the tasks or approve the tasks that are assigned to them by the Scope Administrator or Account Administrator. Contributors can be assigned to tasks as one of the following: For more information on the roles for tasks, see Task Approval Workflows. | When assigned to a control task as the User Assigned, Approving Manager, or Second-level Approving Manager, Contributors can perform the following actions: Contributors cannot perform the actions listed below: | Y
Auditor | Auditor accounts are used to give a reviewer, assessor, consultant, board member, or auditor limited access to the Compliance Management and/or Policy Management modules in your account. Auditors are granted access on a per-scope and per-policy-campaign basis. An Auditor can only see limited data and reports for the scopes and/or policy campaigns they're granted access to. To learn more about what an Auditor can access in your account, see our Guide for Auditors. | For their allowed scopes, Auditors can perform the actions listed below: For their allowed policy campaigns, Auditors can perform the actions listed below: | N
Policy Management User Role | Definition | Privileges | Licensed User (Y/N)
Policy Administrator | Policy Administrators have full access to all objects (i.e., campaigns, groups, users, policies, etc.) within the Policy Management module. Policy Administrators can add end users, create user groups, and create and manage all policy campaigns. For more information, see our Policy Management Module Guide. | Policy Administrators cannot perform the actions listed below: | Y
Campaign Administrator | Campaign Administrators are granted access on a per-policy-campaign basis. They have access to all data within their allowed campaigns. They can add and manage end users, monitor campaign progress, and nudge users who have not yet acknowledged policies. If you want to limit access to some policy campaigns but not all, assign the Campaign Administrator user role. | Campaign Administrators cannot perform the actions listed below: | Y
End User | End Users are added to KCM GRC only for the purpose of receiving policies by email as part of policy campaigns. Using the link from the recipient's email, the users read and acknowledge your organization's policies. Policy acknowledgments are recorded in KCM GRC within the associated policy campaign. | End Users do not log into the KCM GRC platform. Instead, End Users receive policy documents in their emails. For more information, see the User Experience section of our Policy Management Module Guide. | N
Risk Management User Role | Definition | Privileges | Licensed User (Y/N)
Risk Administrator | Risk Administrators have full access to all areas and items within the Risk Management module (i.e., Risk Templates, Risk Register, Risk Wizard, etc.). For more information, see our Risk Management Module Guide. | Under controls that are mapped to risks, Risk Administrators can perform the actions listed below: Under the controls for which Risk Administrators are assigned to tasks, they can perform the actions listed below: Risk Administrators cannot perform the actions listed below: | Y
Vendor Risk Management User Role | Definition | Privileges | Licensed User (Y/N)
Vendor Administrator | Vendor Administrators have full access to all areas (i.e., Vendor Dashboard, Vendors, Questionnaires, etc.) and items within the Vendor Risk Management module. For more information on this module, see our Vendor Risk Management Introduction Guide. | Vendor Administrators cannot perform the actions listed below: | Y
Vendor User | Vendor Users (also referred to as Vendor Contacts) are added to KCM GRC so they can complete the questionnaires you assign. Vendor Users log in to a separate portal associated with your account. The Vendor Portal is specifically for answering questionnaires and addressing issues resulting from questionnaire responses. Vendor Users do not have access to any other information in your organization's account. If you'd like to share an instructional article with your vendors, see our Guide for Vendor Users. | | N
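As an added illustration of the grant model the tables above describe, the following is a constructed example, not KCM GRC's own code or API. It models module-wide roles (Account, Policy, Risk and Vendor Administrators) next to per-object roles (Scope Administrator, Campaign Administrator, Contributor, Auditor), the union of grants a user with several roles receives, and the Licensed User column; the object types, the task-belongs-to-scope relation, and the exact reach of Auditor and Contributor are assumptions.

```python
# Constructed model of the role descriptions in the article; not KCM GRC code.
# objects: object types a role may reach; scoped: grant names one object (True)
# or covers the whole module (False); licensed: the Y/N column of the tables.
ROLES = {
    "Account Administrator":  dict(objects={"scope", "task", "campaign", "risk", "vendor"},
                                   scoped=False, licensed=True),
    "Scope Administrator":    dict(objects={"scope", "task"}, scoped=True, licensed=True),
    "Contributor":            dict(objects={"task"}, scoped=True, licensed=True),  # assumption
    "Auditor":                dict(objects={"scope", "campaign"}, scoped=True, licensed=False),
    "Policy Administrator":   dict(objects={"campaign"}, scoped=False, licensed=True),
    "Campaign Administrator": dict(objects={"campaign"}, scoped=True, licensed=True),
    "Risk Administrator":     dict(objects={"risk"}, scoped=False, licensed=True),
    "Vendor Administrator":   dict(objects={"vendor"}, scoped=False, licensed=True),
    "End User":               dict(objects=set(), scoped=True, licensed=False),  # no console login
    "Vendor User":            dict(objects=set(), scoped=True, licensed=False),  # portal only
}

def can_access(grants, obj):
    """grants: [(role, target)] for one user; target is the scope, task or campaign id
    named by a per-object grant (ignored for module-wide roles).
    obj: {"type": ..., "id": ..., "parent": optional containing scope/campaign id}.
    Returns the set of roles through which the user reaches obj; empty means deny.
    Several roles on one user are unioned, as the article allows."""
    reached = set()
    for role, target in grants:
        spec = ROLES[role]
        if obj["type"] not in spec["objects"]:
            continue
        # A per-object grant matches the object itself or its containing scope/campaign.
        if spec["scoped"] and target not in (obj["id"], obj.get("parent")):
            continue
        reached.add(role)
    return reached

def licensed_seats(users):
    """Count accounts holding at least one licensed role (the Y column)."""
    return sum(1 for g in users.values() if any(ROLES[r]["licensed"] for r, _ in g))

# Constructed sample assignment and objects.
USERS = {
    "alice": [("Account Administrator", None)],
    "bob":   [("Scope Administrator", "SOC2"), ("Campaign Administrator", "AUP-2024")],
    "carol": [("Auditor", "SOC2")],
    "dave":  [("Contributor", "T-17")],
    "erin":  [("End User", "AUP-2024")],
}
SCOPE_SOC2 = {"type": "scope", "id": "SOC2"}
SCOPE_ISO = {"type": "scope", "id": "ISO27001"}
TASK_17 = {"type": "task", "id": "T-17", "parent": "SOC2"}
CAMPAIGN_AUP = {"type": "campaign", "id": "AUP-2024"}
RISK_R1 = {"type": "risk", "id": "R-1"}
```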
Use Cases
The use cases in the table below can help you decide which user roles to assign to members of your organization. The table gives examples of actions that each user role typically performs:
User Role | Responsibilities
Account Administrator | For examples of actions that an Account Administrator can perform, see the list below:
Scope Administrator | For examples of actions that a Scope Administrator can perform, see the list below:
Contributor | For examples of actions that a Contributor can perform, see the list below:
Policy Administrator | For examples of actions that a Policy Administrator can perform, see the list below:
Campaign Administrator | For examples of actions that a Campaign Administrator can perform, see the list below:
Risk Administrator | For examples of actions that a Risk Administrator can perform, see the list below:
Auditor | For examples of actions that an Auditor can perform, see the list below:
Vendor Administrator | For examples of actions that a Vendor Administrator can perform, see the list below: