Roles & Permissions for GRC

Reference matrix of which built-in roles can view, edit, approve, and publish across every GRC surface — sourced from the shipped permission defaults.

6 min read. Article 6 of 6 in Governance, Risk & Compliance.

GRC surfaces (frameworks, controls, evidence, findings, risks, policies, approvals, readiness) are gated by the workspace's role-based access control system. This article documents the default permissions for each system role exactly as they ship. Owners can extend or restrict these on the Permissions page (Professional and Enterprise plans).

System roles

There are five built-in (system) roles. Approval, review, and other capabilities are permissions granted to these roles — there is no separate "Approver" system role.

Slug        | Role        | Purpose
owner       | Owner       | Full administrative access. Cannot be restricted.
auditor     | Auditor     | Manages assessments, findings, reviews, templates, and reports.
grc_manager | GRC Manager | Manages governance objects: frameworks, controls, evidence, risks, and policies. Holds the default approve permissions for evidence and policies.
respondent  | Respondent  | Answers assessment questions and submits assessments.
viewer      | Viewer      | Read-only access to templates, projects, campaigns, assessments, reports, policies, controls, evidence, frameworks, and risks.

Resources & actions used in GRC

Each GRC resource supports a subset of these actions:

  • frameworks: view, create, edit, delete
  • controls: view, create, edit, delete, approve
  • evidence: view, create, edit, delete, approve
  • policies: view, create, edit, delete, approve, publish
  • risks: view, create, edit, delete, approve
  • findings: view, create_finding
  • assessments: view, create, edit, answer_questions, submit_assessment, assign_respondent, assign_reviewer, override_verdict, finalize_assessment

Default capability matrix

The matrix below is the exact ship-default. ✅ = allowed by default; — = not allowed by default. (Owners can flip any non-Owner permission via Settings → Permissions on Professional / Enterprise.)

Capability | Owner | Auditor | GRC Manager | Respondent | Viewer
frameworks: view
frameworks: create / edit / delete
controls: view
controls: create / edit / delete / approve
evidence: view
evidence: create / edit
evidence: delete
evidence: approve
policies: view
policies: create / edit
policies: delete
policies: approve
policies: publish
risks: view
risks: create / edit / delete / approve
findings: view
findings: create_finding
assessments: view
assessments: create / edit
assessments: answer_questions / submit_assessment
assessments: assign_respondent / assign_reviewer
assessments: override_verdict / finalize_assessment
reports: view
reports: create / filter / export
activity_log: view
settings: manage_settings

> Findings on mobile. GRC Managers can view findings but cannot create them by default; Auditors hold the default for finding creation. Respondents and Viewers cannot view findings unless granted via a custom role.

How mobile enforces these permissions

Mobile screens read the current user's tenant role and call the same permission checks the web uses. The Approvals tab is gated by evidence:approve and policies:approve — by default that means only Owners and GRC Managers can see it. Members without either permission get a screen reading "You don't have permission to view approvals" instead of the inbox; the tab itself is also hidden in the bottom navigation for those users.

Customizing roles

1. Open Settings → Permissions in the tenant app
2. Pick a role to customize (Owner cannot be customized)
3. Toggle individual resource/action permissions
4. Save. Changes take effect immediately for every member with that role.

Custom roles are available on Professional and Enterprise plans.

Tips

  • Keep approve permissions with a small group (Owner + GRC Manager) — too many approvers diffuses accountability.
  • Use Viewer for external auditors who need read-only access without the ability to modify any GRC object.
  • If you need an "Approver-only" role, copy GRC Manager and remove the create/edit/delete permissions you don't want them to hold.
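The Approvals gate described under "How mobile enforces these permissions" and the "Approver-only" tip above, as an added example that is not the product's own code: a hypothetical in-memory model of the resource:action scheme. The function names (can, can_view_approvals, approvals_screen, customize_role, clone_role, mutating_permissions) and the partial default table are assumptions of this example. Only defaults the page states are encoded; "manages" for GRC Manager is read as view/create/edit on the governance objects, and delete is left absent because the page does not state it.

```python
"""Added example, not the product's own code: a small in-memory model of
the resource:action permission scheme this page describes, used to show
the Approvals-tab gate and the role-customization recipe from the tips.
Defaults are encoded only where the page states them (see comments);
everything else is left absent, which here means "not allowed"."""
from __future__ import annotations

OWNER = "owner"                       # full access, cannot be restricted
APPROVALS_GATE = ("evidence:approve", "policies:approve")
NO_APPROVALS_MESSAGE = "You don't have permission to view approvals"
GOVERNANCE_OBJECTS = ("frameworks", "controls", "evidence", "policies", "risks")
MUTATING_ACTIONS = frozenset({"create", "edit", "delete"})

# Assumption of this example: "manages" for GRC Manager is read as
# view/create/edit on the governance objects; delete is left out because
# the page lists it separately and does not state its default.
DEFAULT_ROLES: dict[str, frozenset[str]] = {
    "auditor": frozenset({"findings:view", "findings:create_finding",
                          "assessments:view"}),
    "grc_manager": frozenset(
        {f"{r}:{a}" for r in GOVERNANCE_OBJECTS for a in ("view", "create", "edit")}
        | {"findings:view", "evidence:approve", "policies:approve"}),
    "respondent": frozenset({"assessments:view", "assessments:answer_questions",
                             "assessments:submit_assessment"}),
    "viewer": frozenset({f"{r}:view" for r in GOVERNANCE_OBJECTS}
                        | {"assessments:view", "reports:view"}),
}


def can(roles: dict[str, frozenset[str]], role: str, permission: str) -> bool:
    """Single resource:action check; Owner is an unconditional allow."""
    if role == OWNER:
        return True
    return permission in roles.get(role, frozenset())


def can_view_approvals(roles: dict[str, frozenset[str]], role: str) -> bool:
    """The Approvals tab is gated on either approve permission."""
    return any(can(roles, role, p) for p in APPROVALS_GATE)


def approvals_screen(roles: dict[str, frozenset[str]], role: str) -> str:
    """What a member sees when opening Approvals: the inbox or the message."""
    return "inbox" if can_view_approvals(roles, role) else NO_APPROVALS_MESSAGE


def mutating_permissions(roles: dict[str, frozenset[str]], role: str) -> frozenset[str]:
    """The create/edit/delete permissions a role currently holds."""
    return frozenset(p for p in roles.get(role, frozenset())
                     if p.split(":", 1)[1] in MUTATING_ACTIONS)


def customize_role(roles, role, add=(), remove=()) -> dict[str, frozenset[str]]:
    """Toggle permissions on an existing non-Owner role. Returns a new
    table so the change applies atomically to every member of the role."""
    if role == OWNER:
        raise ValueError("the Owner role cannot be customized")
    if role not in roles:
        raise KeyError(role)
    updated = dict(roles)
    updated[role] = (roles[role] | frozenset(add)) - frozenset(remove)
    return updated


def clone_role(roles, new_slug, source, remove=()) -> dict[str, frozenset[str]]:
    """Copy a role under a new slug minus `remove`; this is the
    'Approver-only' tip (copy GRC Manager, drop create/edit/delete)."""
    if source == OWNER or source not in roles:
        raise ValueError(f"cannot clone role {source!r}")
    if new_slug in roles:
        raise ValueError(f"role {new_slug!r} already exists")
    updated = dict(roles)
    updated[new_slug] = roles[source] - frozenset(remove)
    return updated


if __name__ == "__main__":
    for slug in (OWNER, *DEFAULT_ROLES):
        print(f"{slug:12} approvals -> {approvals_screen(DEFAULT_ROLES, slug)}")
    approver_only = clone_role(DEFAULT_ROLES, "approver", "grc_manager",
                               remove=mutating_permissions(DEFAULT_ROLES, "grc_manager"))
    print(sorted(approver_only["approver"]))
```

The role table is treated as immutable and every change returns a new table, which matches the "takes effect immediately for every member" behaviour: the check reads whichever table is current, so there is no per-session cache to invalidate. Owner is handled by an explicit short-circuit rather than by listing every permission, which is what "cannot be restricted" requires.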