Skip to main content

Access review roles and permissions

Access reviews have organizational and object roles that determine who can view or modify data. This overview provides a general idea about what users can do based on their roles. For detailed information, see the top of each help article.

Organizational role permissions

At the organizational level, users are assigned to a role and its associated permissions:

  • All users have the following permissions (except External Auditors). If object permissions are assigned, users have more rights. See Object role permissions.

    • Open the access review module.

    • View access review tiles based on the user's organizational and object role for that access review.

    • Open any access review and:

      • View the Dashboard tab

      • View the Details tab

      • View the members of the access review

  • Administrator

    • View all of the access review tiles.

    • Create a new access review.

    • Join an access review with a Manager object role.

  • Compliance Manager

    • View all of the access review tiles

    • Create a new access review

  • User - Users with a user role but no Manager, Contributor, or Viewer object role only see an access review if they have been added as a Reviewer or Sysadmin to specific user records. See Reviewers and Sysadmins.

  • Limited Access User - Users with a limited access user role but no Manager, Contributor, or Viewer object role only see an access review if they have been added as a Reviewer or Sysadmin to specific user records. See Reviewers and Sysadmins.

  • External Auditor - Users with this role have no access to access reviews.

Object role permissions

Each access review has its own set of permissions based on the object role of the user. Object roles are more important than organizational roles because they control what a user can do at a detailed level. Users can be in one of the following roles:

  • Owner - The user who created the access review and the Primary contact. This user is a Manager by default. The owner can make someone else the owner.

    Note

    The owner can't remove themselves from the access review membership.

  • Manager - When an access review is created, the person creating it designates a primary contact. The primary contact is the owner and also a manager. The primary contact or owner is designated by the key icon in the facepile for the access review. The owner/manager and managers can do the following:

    • Add users to or remove users from an access review and change their object roles.

    • Modify access review details.

    • Link controls and/or labels to an access review.

    • Change access review status.

    • Add, refresh, or delete an employee directory.

    • Add, refresh, or delete a user list for an application to be reviewed.

    • View all employee records.

    • View all user access records for any application.

    • Assign specific users to review or update application user access records.

    • View all application tiles in the Review tab.

    • View the user records in the update grid for an application.

    • View, create, and delete tasks.

    • Enter a response in the Maintain As is field of an access record if they are the assigned reviewer.

    • Enter a response in the Access Updated field of an access record if they are the assigned sysadmin.

    • View, create, and delete proof.

    • Archive or unarchive an access review.

  • Contributor - Contributors can do the following:

    • Add, refresh, or delete an employee directory.

    • Add, refresh, or delete an application list to be reviewed.

    • View all employee records.

    • View all user access records for any application.

    • Assign specific users to review or update application user access records.

    • View all application tiles in the Review tab.

    • View the user records in the update grid for an application.

    • View tasks assigned to them.

    • Enter a response in the Maintain As is field of an access record if they are the assigned reviewer.

    • Enter a response in the Access Updated field of an access record if they are the assigned sysadmin.

    Making someone a contributor allows them to add or modify the directory or applications in an access review.

  • Viewer - Viewers can do the following:

    • View the Dashboard.

    • View the Details tab.

    • View any reviews that are configured including the lists of users.

Reviewers and Sysadmins

Reviewers and sysadmins are Hyperproof users assigned to user access records and who perform the access review. Any Hyperproof user can be assigned as a reviewer or sysadmin. You don't need to add every reviewer and sysadmin as a member of the access review unless they need to perform additional tasks within the access review.

Reviewers who are not managers or contributors can:

  • View the application tiles containing user records assigned to them in the Review tab.

  • View the user access records assigned to them when the application tile is opened.

  • Modify the Maintain As-is and Access notes fields for user access records assigned to them.

Sysadmins who are not managers or contributors can:

  • View the application tiles containing user records assigned to them in the Review tab.

  • View the user access records assigned to them when the application tile is opened.

  • Modify the Access Updated and Sysadmin notes fields for user access records assigned to them.