Organizational roles and permissions

Hyperproof has the following organizational roles:
Administrator - An administrator manages the organization, its compliance managers, and its users. Administrators can create and join objects within the organization without needing permission. They can also customize program health, customize risks, and create and maintain custom fields. Further, they can adjust an organization's authentication and security settings.
Note: It's strongly recommended to have at least two administrators in your organization.
Only administrators can invite users to Hyperproof and transfer work. If there is only one administrator, and they leave your organization, there will be no one designated to do these tasks.
Compliance manager - A compliance manager is responsible for ensuring that the organization adheres to relevant laws, regulations, policies, and standards that apply to its industry and operations. They are usually responsible for developing, implementing, and monitoring governance policies and procedures to ensure that their organization maintains compliance with relevant laws and regulations.
In Hyperproof, compliance managers can create and manage new programs within an organization. They can also assign work, track issues and risks, conduct user access reviews, manage vendors, and conduct assessments and internal audits.
User - A user only interacts with objects they've been explicitly added to. For every object they're added to, they'll either have manager access or contributor access. Manager access allows them to perform nearly every function on the object, such as editing, archiving, and deleting. Contributor access allows them to perform basic functions on the object, such as linking proof or tasks. If a user is not explicitly added to an object, such as a control, they will not be able to access the object.
Limited access user - A limited access user can only see objects they have been added to by another user or objects where they have inherited access. This user can create work items and add proof. For example, limited access users do not see comprehensive lists of programs or controls; instead, they see more concise lists consisting of the programs or controls where they are members. The Overview dashboard page is never visible to limited access users.
External auditor - External auditors can only view and interact with audits that they've been explicitly added to. They cannot access any of the typical Hyperproof objects such as controls, labels, or requirements—only audits they’ve been added to. External auditors communicate with the organization via the audit's Activity Feed. Additionally, external auditors only see audit proof linked to requests that are in the Submitted to auditor status. See External auditor permissions for more information.
Contact - A contact is defined as someone who is relevant to your organization, such as someone who provides proof, but who does not require full access to the organization. Instead of adding the individual as a user, they can simply be added as a contact. Any member of the organization can add a contact.
An important distinction to make is the difference between a user and a contact. In short, users are expected to use Hyperproof, and are given login credentials to do so, while contacts are not intended to use Hyperproof at all.
Administrators can upgrade a contact to a user at any time. Refer to Working with contacts for more information.