User - Contributor permissions
User-contributors can do the following:

| Action | Yes | No |
|---|---|---|
| Open an access review (if tile is visible) | X | |
| Create an access review | X | |
| Edit access review details | X | |
| Link/unlink proof | X | |
| Link/unlink controls and/or labels | X | |
| Create, view, and delete applications (if visible) | X | |
| Import records | X | |
| Create and delete tasks | X | |
| Generate access review proof | X | |
| Archive/unarchive an access review | X | |
| Join an access review facepile | X | |
| Edit 'Maintain access' / 'Access notes' | X | |
| Edit 'Access updated' / 'Admin notes' | X | |

| Action | Yes | No |
|---|---|---|
| Create an assessment | X | |
| Link controls/requirements to/from an assessment they're a member of | X | |
| Use the assessment's Activity Feed | X | |
| Add members to an assessment they're a member of | X | |
| Export proof from an assessment they're a member of | X | |
| Export an assessment they're a member of | X | |
| Archive/unarchive an assessment they're a member of | X | |

| Action | Yes | No |
|---|---|---|
| Edit an audit they've created or are a member of | X | |
| Use the audit's Activity Feed | X | |
| Create an audit | X | |
| Add members to an audit they're a member of | X | |
| Archive/unarchive an audit they're a member of | X | |
| Export proof from an audit they're a member of | X | |
| Export an audit they're a member of | X | |

| Action | Yes | No |
|---|---|---|
| Create a control | X | |
| Edit a control they're a member of, including control health | X | |
| Turn on/edit freshness on a control they're a member of | X | |
| Link/unlink requirements, proof, labels, tasks, and risks to/from a control they're a member of | X | |
| Add members to a control they're a member of | X | |
| Use the control's Activity Feed | X | |
| Create/maintain a Hypersync or repeating task on a control they're a member of | X | |
| Add notes to a control they're a member of | X | |
| Add a scope assignment to a control they're a member of | X | |
| Import/export a control they're a member of | X | |
| View program-level controls they're not a member of | X | |
| Use the crosswalk view | X | |
| Archive/unarchive a control they're a member of | X | |
| View controls they're not a member of | X | |
| Import scopes or scope assignments | X | |

| Action | Yes | No |
|---|---|---|
| Create an evaluation | X | |
| Archive an evaluation they're a member of | X | |
| Edit an evaluation they're a member of | X | |
| Use the evaluation's Activity Feed | X | |
| Unarchive an evaluation they're a member of | X | |
| Add members to an evaluation | X | |
| Link/unlink proof and affected objects to/from an evaluation | X | |
| Link/unlink a task to/from an evaluation they're a member of | X | |
| Import/export evaluations | X | |

| Action | Yes | No |
|---|---|---|
| Create an issue | X | |
| Edit an issue they're a member of | X | |
| Add members to issues they're a member of | X | |
| Archive an issue they're a member of | X | |
| Import/export an issue they're a member of | X | |
| Use the issue's Activity Feed | X | |
| Link/unlink proof to/from an issue they're a member of | X | |
| Link/unlink affected objects to/from an issue they're a member of | X | |
| Update an issue's status | X | |
| Customize an issue's health | X | |
| Unarchive an issue | X | |

| Action | Yes | No |
|---|---|---|
| View the list of policies | X | |
| Set policy due date | X | |
| Add a policy | X | |
| Add versions to a policy | X | |
| View current and previous versions of the policy document | X | |
| Add or replace a policy document in a version | X | |
| Add or remove proof from a policy version | X | |
| Download a policy document | X | |
| Link or unlink controls from a policy | X | |
| Add an issue to a policy | X | |
| Export the effective policy document | X | |
| Edit policy details. Note: Fields that are editable on the Details tab vary based on your role and the permissions you have been assigned. | X | |
| Add users to a policy | X | |
| Bulk edit policies | X | |
| Change a policy owner | X | |
| Configure a policy approval | X | |
| Archive or unarchive a policy | X | |

| Action | Yes | No |
|---|---|---|
| Turn on program health | X | |
| Edit program details | X | |
| Use the program's Activity Feed | X | |
| Link/unlink controls and proof to/from requirements | X | |
| Add related requirements | X | |
| Export a program | X | |
| Export proof from a program | X | |
| Export requirements | X | |
| Export a SSP report | X | |
| Unarchive a program | X | |
| Create a new program or a custom program | X | |
| Add members to a program they're a member of | X | |
| Archive a program | X | |
| Delete proof from a requirement | X | |
| Create/manage custom fields | X | |
| Customize program health and tooltips | X | |
| Import/manage scopes | X | |
| Jumpstart a new program | X | |
| Create groups | X | |

Tip
For information on private proof, see Private proof.

| Action | Yes | No |
|---|---|---|
| Add proof at the organizational level | X | |
| Download proof | X | |
| View proof they've uploaded or via inherited access from a linked object | X | |
| Create a new label | X | |
| Import/export a label they're a member of | X | |
| Link/unlink controls, proof, and tasks to/from a label they're a member of | X | |
| Create/maintain a Hypersync or repeating task on a label they're a member of | X | |
| Manage freshness on a label they're a member of | X | |
| Use the label's Activity Feed | X | |
| Archive/unarchive a label they're a member of | X | |
| Edit a label they're a member of | X | |
| Add members to a label they're a member of | X | |
| Change a label's status | X | |
| View labels they're not a member of | X | |

Note
The actions below pertain to users with contributor permissions who are members of the Vendor Register.

| Action | Yes | No |
|---|---|---|
| Create a questionnaire | X | |
| Import a questionnaire | X | |
| View/edit a questionnaire | X | |
| Send/cancel a questionnaire | X | |
| Send a questionnaire to multiple vendors | X | |
| Send a questionnaire reminder to a vendor | X | |
| Use a questionnaire's Activity Feed | X | |
| Archive/unarchive a questionnaire | X | |
| Link/unlink a label to/from a questionnaire | X | |
| Export a questionnaire | X | |

Note
To view request proof, users must fall into one of three categories:
- Be a manager of the audit
  - In the Audits module, managers have access to all proof within an audit.
  - If you are the manager of a request, but a contributor of the audit without any inherited access, you cannot view proof linked to the request. This helps protect sensitive data that some users shouldn’t see. As a result, only managers can export audit proof.
- Have inherited manager access from a control or label
- Have inherited contributor access from a control or label

Further, external auditors can only view the Proof and Audits tabs, and can only view proof when a request’s status is set to Submitted to auditor.

| Action | Yes | No |
|---|---|---|
| Create a request | X | |
| Edit a request they're a member of | X | |
| Import/export a request they're a member of | X | |
| Link/unlink proof to/from a request they're a member of | X | |
| Link/unlink affected objects to/from a request they're a member of | X | |
| Link/unlink a task to/from a request they're a member of | X | |
| Change the status of a request they're a member of. Note that contributors can only select from the following statuses: Not started, In progress, and Internal review. | X | |
| Use a request's Activity Feed | X | |
| Add members to a request they're a member of | X | |
| Archive/unarchive a request they're a member of | X | |
| Link/delete attachments to/from a request they're a member of | X | |
| Convert attachments to proof on requests they're a member of | X | |

Note
The actions below pertain to users with contributor permissions who are members of the Risk Register.

| Action | Yes | No |
|---|---|---|
| Create a risk | X | |
| View Risk Registers they're a member of | X | |
| Import/export risks | X | |
| Edit risks | X | |
| Use the Risk Register's Activity Feed | X | |
| Use a risk's Activity Feed | X | |
| Edit risk health | X | |
| Edit the owner of a risk | X | |
| Link/unlink controls, proof, labels, and tasks to/from a risk | X | |
| Create notes on a risk | X | |
| Add members to a Risk Register | X | |
| Archive/unarchive a risk | X | |
| Upgrade to advanced mitigation | X | |
| Customize the Risk Register | X | |
| Create a new Risk Register | X | |

| Action | Yes | No |
|---|---|---|
| Create a task or a repeating task | X | |
| Duplicate a task they're a member of | X | |
| Import a task or a repeating task | X | |
| Export a task | X | |
| Link/unlink proof to/from a task they're a member of | X | |
| Change the target of a task or repeating task | X | |
| Use a task or repeating task's Activity Feed | X | |
| Add members to a task they've created | X | |
| Edit a task or repeating task they've created | X | |
| Delete a task or repeating task they've created | X | |
| Delete a task or repeating task they didn't create | X | |
| Delete proof from a task or repeating task | X | |
| Edit a task they didn't create (they can change the assignee, however) | X | |
| Edit a task or repeating task they didn't create | X | |
| Add members to a task or repeating task they didn't create | X | |
| Add or edit an approval for a task they didn't create | X | |

Note
The actions below pertain to users with contributor permissions who are members of the Vendor Register.

| Action | Yes | No |
|---|---|---|
| Add a new vendor | X | |
| Add a vendor contact | X | |
| Add/edit a vendor owner | X | |
| Import/export vendors | X | |
| Edit vendor information (except vendor owner) | X | |
| Link/unlink a task to/from a vendor | X | |
| Edit the vendor category | X | |
| Edit the vendor status | X | |
| Edit contract dates | X | |
| Edit vendor tolerance and risk | X | |
| Use a vendor's Activity Feed | X | |
| Add members to the Vendor Register | X | |
| Archive/unarchive a vendor | X | |
| Change the vendor owner | X | |