
Policy roles and permissions

Policies have organizational and object roles that determine who can view or modify policy data. This overview summarizes what users can do based on their roles; for the exact permissions a specific task requires, see the top of each help article.

Note

There is no inherited access on policies. A user's access to a policy comes only from that policy's own membership (or an approver assignment on it), never from roles held on other objects or policies.

Organizational role permissions

At the organizational level, users are assigned to a role and its associated permissions:

Administrator

  • Join any policy

  • Create new policies

  • List all policies

Compliance manager

  • Create new policies

  • List all policies

User

  • List all policies

  • Open policies where they are a member

Limited access user

  • List and open policies where they are a member

External auditor

  • Users with this role have no access to policies

Object role permissions

Each policy has its own set of permissions based on the user's object role on that policy. Object roles are the finer-grained control: the organizational role decides whether a user can list, create, or join policies, while the object role decides what a member can actually do inside a given policy. Users can be in one of the following roles:

  • Owner - The policy's primary contact. By default this is the user who created the policy. The owner is always a manager and can make another user the owner.

    Note

    The owner can't be removed from the membership of the policy.

  • Manager - When a policy is created, its creator designates a primary contact, who becomes the owner and is also a manager. The owner is marked by the key icon in the policy's facepile. The owner and managers can do the following:

    • Add users to or remove users from a policy and change their object roles.

    • Change the policy owner.

    • Modify policy details.

    • Change the version stage to Approval and generate approval tasks.

    • Archive and unarchive policies.

    • Do everything a contributor can do.

  • Contributor - Contributors can do the following:

    • Replace a policy document.

    • Add a version of a policy document.

    • Modify policy details that are not restricted to managers.

    • Add and remove proof.

    • Add, remove, and edit links to other objects such as controls.

    • Create issues on the policy.

    • Do everything a viewer can do.

  • Viewer - Viewers can do the following:

    • View current and previous versions of the policy document.

    • View policy properties.

    • Export current or previous versions of a policy document.

    • Remove themselves from a policy's membership (except the owner, who can't be removed).

Approvers

Approvers are Hyperproof users assigned to approve one or more policy versions. Any user can be assigned as an approver without being a member of the policy. Because Hyperproof is the approval system of record and approvers must be identifiable as part of the evidence in the policy life cycle, an approver must be logged in to Hyperproof to approve a policy document. Contacts can't be assigned as approvers.

Note

Approvers are given viewer permissions for the policies they are assigned to review and can view all of the tabs on those policies.
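The following Python is an added illustration of how the rules on this page combine, not Hyperproof's own code or API. It models the organizational roles, the cumulative object roles, the non-removable owner, the external auditor override, and the implicit viewer access of approvers. The capability names (for example `manage_members`, `leave_policy`), the `build_scenario` data, and the rule that a new owner must already be a member are assumptions chosen for the example.

```python
# Added example, not Hyperproof code: a toy evaluator for the policy
# permission rules described above. Capability names are assumed.
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class OrgRole(Enum):
    ADMINISTRATOR = "administrator"
    COMPLIANCE_MANAGER = "compliance manager"
    USER = "user"
    LIMITED_ACCESS_USER = "limited access user"
    EXTERNAL_AUDITOR = "external auditor"


class ObjectRole(Enum):
    VIEWER = "viewer"
    CONTRIBUTOR = "contributor"
    MANAGER = "manager"


# Organizational capabilities, mirroring the org-role list on this page.
ORG_CAPS = {
    OrgRole.ADMINISTRATOR: frozenset({"join_any_policy", "create_policy", "list_all_policies"}),
    OrgRole.COMPLIANCE_MANAGER: frozenset({"create_policy", "list_all_policies"}),
    OrgRole.USER: frozenset({"list_all_policies"}),
    OrgRole.LIMITED_ACCESS_USER: frozenset(),  # lists only policies they belong to
    OrgRole.EXTERNAL_AUDITOR: frozenset(),     # no access to policies at all
}

# Object-role capabilities are cumulative: manager > contributor > viewer.
VIEWER_CAPS = frozenset({"view_versions", "view_properties", "export_document", "leave_policy"})
CONTRIBUTOR_CAPS = VIEWER_CAPS | {"replace_document", "add_version", "edit_details",
                                  "manage_proof", "manage_links", "create_issue"}
MANAGER_CAPS = CONTRIBUTOR_CAPS | {"manage_members", "change_owner",
                                   "edit_restricted_details", "start_approval", "archive"}
OBJECT_CAPS = {ObjectRole.VIEWER: VIEWER_CAPS,
               ObjectRole.CONTRIBUTOR: CONTRIBUTOR_CAPS,
               ObjectRole.MANAGER: MANAGER_CAPS}


@dataclass
class User:
    name: str
    org_role: OrgRole


@dataclass
class Policy:
    name: str
    owner: str            # primary contact; always treated as a manager
    members: dict         # user name -> ObjectRole
    approvers: set = field(default_factory=set)


def object_role(policy: Policy, user: User) -> Optional[ObjectRole]:
    """Membership role on this one policy; nothing is inherited from elsewhere."""
    if user.name == policy.owner:
        return ObjectRole.MANAGER
    return policy.members.get(user.name)


def effective_caps(user: User, policy: Policy) -> frozenset:
    """Capabilities of `user` on `policy`, combining org-level and object-level rules."""
    if user.org_role is OrgRole.EXTERNAL_AUDITOR:
        return frozenset()           # org role overrides any membership
    role = object_role(policy, user)
    if role is not None:
        return OBJECT_CAPS[role]
    if user.name in policy.approvers:
        return VIEWER_CAPS           # approver without membership gets viewer access
    return frozenset()               # admins can join, but hold nothing until they do


def visible_policies(user: User, policies: list) -> list:
    """Names of the policies that appear in the user's list view."""
    if user.org_role is OrgRole.EXTERNAL_AUDITOR:
        return []
    if "list_all_policies" in ORG_CAPS[user.org_role]:
        return [p.name for p in policies]
    return [p.name for p in policies if effective_caps(user, p)]


def remove_member(policy: Policy, actor: User, target: str) -> Optional[str]:
    """Remove `target` from membership. Returns None on success, else the refusal reason."""
    if target == policy.owner:
        return "owner cannot be removed; transfer ownership first"
    caps = effective_caps(actor, policy)
    self_removal = actor.name == target and "leave_policy" in caps
    if not self_removal and "manage_members" not in caps:
        return "actor lacks manage_members"
    if target not in policy.members:
        return "not a member"
    del policy.members[target]
    return None


def transfer_ownership(policy: Policy, actor: User, new_owner: str) -> Optional[str]:
    """Hand the owner (primary contact) role to an existing member."""
    if "change_owner" not in effective_caps(actor, policy):
        return "actor lacks change_owner"
    if new_owner not in policy.members:
        return "new owner must already be a member"   # assumption, not stated on the page
    policy.members[policy.owner] = ObjectRole.MANAGER  # assumption: ex-owner stays a manager
    policy.owner = new_owner
    policy.members[new_owner] = ObjectRole.MANAGER     # owner is a manager by default
    return None


def build_scenario():
    """Constructed sample data (not real accounts) used to exercise the rules."""
    users = {
        "alice": User("alice", OrgRole.USER),                 # owner
        "bob": User("bob", OrgRole.LIMITED_ACCESS_USER),      # contributor
        "carol": User("carol", OrgRole.USER),                 # approver, not a member
        "dave": User("dave", OrgRole.EXTERNAL_AUDITOR),       # auditor "added" as viewer
        "erin": User("erin", OrgRole.ADMINISTRATOR),          # admin, not a member
        "frank": User("frank", OrgRole.USER),                 # viewer
    }
    pol = Policy("Access Control Policy", owner="alice",
                 members={"alice": ObjectRole.MANAGER, "bob": ObjectRole.CONTRIBUTOR,
                          "dave": ObjectRole.VIEWER, "frank": ObjectRole.VIEWER},
                 approvers={"carol"})
    other = Policy("Data Retention Policy", owner="erin", members={"erin": ObjectRole.MANAGER})
    return users, [pol, other]


if __name__ == "__main__":
    users, policies = build_scenario()
    for name, u in users.items():
        print(f"{name:6} sees {visible_policies(u, policies)}; "
              f"caps on {policies[0].name!r}: {sorted(effective_caps(u, policies[0]))}")
```

Running the block prints each sample user's visible policies and capabilities; the external auditor ends up with nothing even though they appear in the membership dict, and the administrator sees both policies but has no capabilities on one they have not joined.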