Skip to content

Roles and Permissions

A role is the the position a user is assigned within Governance Studio.

Permissions are actions a user is granted based on their role.

Key concepts and actions associated with Roles & Permissions include:

There are seven roles in Governance Studio, each designed to support specific functions within your compliance workflow.

RoleRole DescriptionTypical Personas
Organization OwnerManages organization-wide settings, users, indicators, and policies, with full administrative control across all projectsChief Compliance Officer, VP of Engineering, Head of GRC
Project OwnerManages a project’s configuration and membership, including applied policies, indicators, declarations, reviews, and credentialsEngineering Manager, Product Manager, Compliance Manager
Implementation OwnerCreates declarations and submits controls for reviewSenior Engineer, Tech Lead, Compliance Analyst
Implementation ContributorCreates declarations, but cannot submit controls for reviewJunior Engineer, Compliance Associate
Audit OwnerCreates comments, determines compliance outcomes, and issues policy credentialsHead of Compliance, Chief Auditor, Internal Audit Director
Audit ContributorCreates comments, but cannot determine compliance outcomesJunior Auditor, Internal Auditor, Compliance Reviewer
Project ViewerRead-only access to project data; cannot create or modify resourcesExecutive Stakeholder, External Auditor, Board Member
PermissionsPermissions Definition
Manage Organization SettingsManage organization-wide settings and preferences
Manage Organization UsersAdd and remove users, and assign roles within the organization
Create ProjectsCreate projects within the organization
Archive ProjectsArchive projects within the organization
Manage Project MembersAdd and remove project members, and assign roles within the project
Create PoliciesCreate or upload policies for the organization
Apply Policies to ProjectsApply a policy to a project
Archive Applied PoliciesArchive policies applied to projects
Create CredentialsIssue credentials for an applied policy
Revoke CredentialsRevoke an issued credential for for an applied policy
Create IndicatorsCreate an indicator for a project
Archive IndicatorsArchive an indicator within a project
Apply IndicatorsApply an indicator to an applied policy’s control
Activate IndicatorsActivate applied indicators so they log evaluations
Disable IndicatorsDisable applied indicators so they do not log evaluations
Run IndicatorsRun indicators to receive and log evaluations
Create DeclarationsSubmit a declaration to a control
Submit Controls for ReviewSubmit a control as ready for review
Determine Control OutcomesDetermine a control as Compliant, Non-compliant, or Not Applicable
Create CommentsSubmit a comment to a control
View Project DataView project data (read-only access)

Each role is composed of specific permissions as shown in the table below.

A check (✅) indicates the role has this permission, while an X (❌) indicates it does not.

PermissionsOrganization OwnerProject OwnerImplementation OwnerImplementation ContributorAudit OwnerAudit ContributorProject Viewer
Manage Organization Settings
Manage Organization Users
Create Projects
Archive Projects
Manage Project Members
Create Policies
Apply Policies to Projects
Archive Applied Policies
Create Credentials
Revoke Credentials
Create Indicators
Archive Indicators
Apply Indicators
Activate Indicators
Disable Indicators
Run Indicators
Create Declarations
Submit Controls for Review
Determine Control Outcomes
Create Comments
View Project Data

Assigning the right roles ensures users have appropriate access to perform their compliance work while maintaining security and separation of duties.

Organization Owners can assign roles to all users across projects. Project Owners can only assign roles within projects they manage.

When assigning roles, consider:

  • Separation of duties: Implementation and audit roles are designed to maintain independence between those who implement controls and those who review them
  • Junior team members: Contributor roles allow junior staff to participate without authorizing critical compliance outcomes
  • Multiple roles: Users can be assigned multiple roles within a single project and/or across multiple projects