Policy roles and permissions

Policies have organizational and object roles that determine who can view or modify data. This overview gives a general idea of what users can do based on their roles; for the exact permissions that apply to a feature, see the top of each help article.

Note

There is no inherited access to policies.

Organizational role permissions

At the organizational level, users are assigned to a role. The ability to create new policies and see the list of existing policies is determined by the organizational role.

Administrator

  • Create new policies

  • List all policies

  • Open policies where they are a member

  • Join any policy where they are not already a member

Compliance manager

  • Create new policies

  • List all policies

  • Open policies where they are a member

User

  • List all policies

  • Open policies where they are a member

Limited access user

  • List and open policies where they are a member

External auditor

  • Users with this role have no access to policies

Object role permissions

Each policy has its own set of permissions based on the object role of the user. Object roles are more important than organizational roles because they control what a user can do at a detailed level within the policy. Users can be in one of the following roles:

  • Manager - When a policy is created, the person creating it is automatically added as a manager and is also the owner of that policy. Managers can do the following:

    • Add users to or remove users from a policy and change their object roles.

    • Change the policy owner.

    • Modify policy details.

    • Change the version stage to Approval and generate approval tasks.

    • Archive and unarchive policies.

    • Do everything a contributor can do.

  • Contributor - Contributors can do the following:

    • Replace a policy document.

    • Add a version of a policy document.

    • Modify policy details that are not restricted to managers.

    • Add and remove proof.

    • Add, remove, and edit links to other objects such as controls.

    • Create issues on the policy.

    • Do everything a viewer can do.

  • Viewer - Viewers can do the following:

    • View current and previous versions of the policy document.

    • View policy properties.

    • Export current or previous versions of a policy document.

    • Remove themselves from a policy's membership.

  • Owner - Owner is not a distinct role. It's a way to assign one of the managers or contributors as the owner or primary contact for this policy. Ownership is designated by the key icon in the facepile for the policy. The user who created the policy is made the owner by default. Only the owner can make someone else the owner.

    Note

    The owner can't be removed from the membership of the policy.

Approvers

To participate in the review and approval workflow, people must be added as users to your Hyperproof organization and have accepted the invitation. They can have any organizational role. It is a best practice to use the role with the least permissions, such as Limited Access User, unless there is a need for a higher role. When a user designated as an approver clicks the link in the approval notification, they are required to log in to Hyperproof, because Hyperproof is the approval system of record and approvers must be identifiable as part of the evidence in the policy life cycle. Contacts can't be assigned as approvers.

Any user can be assigned as an approver without being added as a member of the policy.

Note

Approvers are given viewer permissions for the policies they are assigned to review and can view all of the tabs on those policies.
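The following is an added example, not Hyperproof's own code: it models the organizational and object roles described above as a single authorization check, so the rules that matter for least privilege can be tested directly (no inherited access, approvers receiving viewer rights without membership, the owner never being removable, external auditors having no access). The role and action names are assumed labels; where the page states both that managers can change the owner and that only the owner can do so, the check applies the stricter condition.

```python
from dataclasses import dataclass, field

# Object-role capabilities from the page; each role includes everything below it.
VIEWER = {"view_document", "view_properties", "export_document"}
CONTRIBUTOR = VIEWER | {"replace_document", "add_version", "edit_details",
                        "manage_proof", "manage_links", "create_issue"}
MANAGER = CONTRIBUTOR | {"manage_members", "edit_restricted_details",
                         "start_approval", "archive"}
OBJECT_ROLES = {"viewer": VIEWER, "contributor": CONTRIBUTOR, "manager": MANAGER}

@dataclass
class Policy:
    owner: str                      # a manager or contributor who is the primary contact
    members: dict                   # user -> "manager" | "contributor" | "viewer"
    approvers: set = field(default_factory=set)   # assigned approvers (need not be members)

def can_create(org_role):
    return org_role in {"administrator", "compliance_manager"}

def can_list(org_role, policy, user):
    # Limited-access users only see policies they belong to; external auditors see none.
    if org_role == "external_auditor":
        return False
    return org_role != "limited_access_user" or user in policy.members

def can_join(org_role, policy, user):
    return org_role == "administrator" and user not in policy.members

def effective_role(policy, user):
    # No inherited access: only membership or an approver assignment grants rights.
    if user in policy.members:
        return policy.members[user]
    return "viewer" if user in policy.approvers else None

def authorize(org_role, policy, user, action, target=None):
    if org_role == "external_auditor":
        return False
    role = effective_role(policy, user)
    if role is None:
        return False
    if action == "change_owner":
        # Stricter of the page's two statements: only the current owner may reassign it.
        return user == policy.owner
    if action == "remove_member":
        if target == policy.owner or target not in policy.members:
            return False                       # the owner can never be removed
        # Anyone may remove themselves; managers may remove other members.
        return target == user or "manage_members" in OBJECT_ROLES[role]
    return action in OBJECT_ROLES[role]
```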