Roles and Permissions
About roles and permissions
Section titled “About roles and permissions”A role is the the position a user is assigned within Governance Studio.
Permissions are actions a user is granted based on their role.
Key concepts and actions associated with Roles & Permissions include:
Understanding roles
Section titled “Understanding roles”There are seven roles in Governance Studio, each designed to support specific functions within your compliance workflow.
| Role | Role Description | Typical Personas |
|---|---|---|
| Organization Owner | Manages organization-wide settings, users, indicators, and policies, with full administrative control across all projects | Chief Compliance Officer, VP of Engineering, Head of GRC |
| Project Owner | Manages a project’s configuration and membership, including applied policies, indicators, declarations, reviews, and credentials | Engineering Manager, Product Manager, Compliance Manager |
| Implementation Owner | Creates declarations and submits controls for review | Senior Engineer, Tech Lead, Compliance Analyst |
| Implementation Contributor | Creates declarations, but cannot submit controls for review | Junior Engineer, Compliance Associate |
| Audit Owner | Creates comments, determines compliance outcomes, and issues policy credentials | Head of Compliance, Chief Auditor, Internal Audit Director |
| Audit Contributor | Creates comments, but cannot determine compliance outcomes | Junior Auditor, Internal Auditor, Compliance Reviewer |
| Project Viewer | Read-only access to project data; cannot create or modify resources | Executive Stakeholder, External Auditor, Board Member |
Understanding permissions
Section titled “Understanding permissions”| Permissions | Permissions Definition |
|---|---|
| Manage Organization Settings | Manage organization-wide settings and preferences |
| Manage Organization Users | Add and remove users, and assign roles within the organization |
| Create Projects | Create projects within the organization |
| Archive Projects | Archive projects within the organization |
| Manage Project Members | Add and remove project members, and assign roles within the project |
| Create Policies | Create or upload policies for the organization |
| Apply Policies to Projects | Apply a policy to a project |
| Archive Applied Policies | Archive policies applied to projects |
| Create Credentials | Issue credentials for an applied policy |
| Revoke Credentials | Revoke an issued credential for for an applied policy |
| Create Indicators | Create an indicator for a project |
| Archive Indicators | Archive an indicator within a project |
| Apply Indicators | Apply an indicator to an applied policy’s control |
| Activate Indicators | Activate applied indicators so they log evaluations |
| Disable Indicators | Disable applied indicators so they do not log evaluations |
| Run Indicators | Run indicators to receive and log evaluations |
| Create Declarations | Submit a declaration to a control |
| Submit Controls for Review | Submit a control as ready for review |
| Determine Control Outcomes | Determine a control as Compliant, Non-compliant, or Not Applicable |
| Create Comments | Submit a comment to a control |
| View Project Data | View project data (read-only access) |
Role and permissions matrix
Section titled “Role and permissions matrix”Each role is composed of specific permissions as shown in the table below.
A check (✅) indicates the role has this permission, while an X (❌) indicates it does not.
| Permissions | Organization Owner | Project Owner | Implementation Owner | Implementation Contributor | Audit Owner | Audit Contributor | Project Viewer |
|---|---|---|---|---|---|---|---|
| Manage Organization Settings | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Manage Organization Users | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Create Projects | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Archive Projects | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Manage Project Members | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Create Policies | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Apply Policies to Projects | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Archive Applied Policies | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Create Credentials | ✅ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| Revoke Credentials | ✅ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| Create Indicators | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Archive Indicators | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Apply Indicators | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Activate Indicators | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Disable Indicators | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Run Indicators | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Create Declarations | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Submit Controls for Review | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Determine Control Outcomes | ✅ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| Create Comments | ✅ | ✅ | ❌ | ❌ | ✅ | ✅ | ❌ |
| View Project Data | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Managing user roles
Section titled “Managing user roles”Assigning the right roles ensures users have appropriate access to perform their compliance work while maintaining security and separation of duties.
Organization Owners can assign roles to all users across projects. Project Owners can only assign roles within projects they manage.
When assigning roles, consider:
- Separation of duties: Implementation and audit roles are designed to maintain independence between those who implement controls and those who review them
- Junior team members: Contributor roles allow junior staff to participate without authorizing critical compliance outcomes
- Multiple roles: Users can be assigned multiple roles within a single project and/or across multiple projects