Roles
Owner
Owners have full access to the organization, including billing, organization settings, and all compliance data. Only an Owner can promote another member to Owner or delete the organization.
- Manage organization settings and billing
- Invite, update, and remove members (including SCIM-provisioned users)
- Assign any role, including Owner
- Create, update, and delete SAML and SCIM configurations
- Full access to all compliance data: frameworks, risks, vendors, policies, evidence, and audit logs
Admin
Admins can manage the team and all compliance content, but cannot delete the organization or manage SSO/SCIM configuration.
- Invite members and update roles (except promoting to Owner)
- Manage frameworks, risks, vendors, policies, and evidence
- View SAML and SCIM configuration (read-only)
- View audit logs
- Cannot delete the organization
Employee
Employees can view compliance data and contribute to tasks and evidence assigned to them. This is the default role assigned when a user joins via SSO or SCIM provisioning.
- View compliance frameworks, controls, and risks
- Complete assigned tasks and upload evidence
- View organization member directory
Viewer
Viewers have read-only access to your organization’s compliance data. Suitable for stakeholders who need visibility without making changes.
- View frameworks, risks, vendors, and policies
- View the member directory
- View audit logs
- Cannot create, update, or delete any resource
Auditor
Auditors have read-only access, with additional visibility into audit reports. Intended for external auditors performing compliance reviews.
- Everything a Viewer can do
- View detailed audit log entries
- Cannot create, update, or delete any resource
Permissions reference
| Action | Owner | Admin | Employee | Viewer | Auditor |
|---|---|---|---|---|---|
| Manage organization settings | ✓ | ✓ | | | |
| Delete organization | ✓ | | | | |
| Invite members | ✓ | ✓ | | | |
| Remove members | ✓ | | | | |
| Assign Owner role | ✓ | | | | |
| Change member roles | ✓ | ✓ | | | |
| Manage SAML configuration | ✓ | | | | |
| View SAML configuration | ✓ | ✓ | | | |
| Manage SCIM configuration | ✓ | | | | |
| View SCIM configuration | ✓ | ✓ | | | |
| View audit logs | ✓ | ✓ | ✓ | ✓ | |
| Manage frameworks, risks, vendors | ✓ | ✓ | | | |
| View compliance data | ✓ | ✓ | ✓ | ✓ | ✓ |
| Complete assigned tasks | ✓ | ✓ | ✓ | | |
Inviting users
Create the user profile
Click Add member and fill in:
- Full name
- Email address
- Role — select from Owner, Admin, Employee, Viewer, or Auditor
- Kind — optionally specify the profile kind (for example, employee or contractor)
- Position — job title (optional)
- Contract start / end dates — for contractors with a fixed engagement period (optional)
If your organization uses SCIM provisioning, users are created automatically from your identity provider. You do not need to invite them manually. See SCIM provisioning.
Changing a user’s role
Edit the membership
Find the member in the list and click the role badge or the Edit option next to their name.
Profile kinds and contractor dates
Each user profile has an optional kind field that describes the nature of the engagement. Common values include employee and contractor.
For contractors, you can set:
- Contract start date — the date the engagement begins
- Contract end date — the date the engagement ends
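An access review over the role, kind, and contract date fields described on this page, as an added example that is not part of the product or its documentation: it flags privileged contractors, contractors past or without a contract end date, a sole Owner, and roles outside the five listed above. The member record layout (`email`, `role`, `kind`, `contract_end`), the finding names, and the sample data are constructed assumptions; the page does not describe an export format.

```python
from datetime import date

# Roles this page describes as able to invite members and change roles.
PRIVILEGED_ROLES = {"Owner", "Admin"}
KNOWN_ROLES = PRIVILEGED_ROLES | {"Employee", "Viewer", "Auditor"}

# Constructed sample member list; field names are assumptions, not a product export format.
SAMPLE_MEMBERS = [
    {"email": "ana@example.com", "role": "Owner", "kind": "employee", "contract_end": None},
    {"email": "raj@example.com", "role": "Admin", "kind": "contractor", "contract_end": "2025-09-30"},
    {"email": "lee@example.com", "role": "Employee", "kind": "contractor", "contract_end": "2024-01-31"},
    {"email": "kim@example.com", "role": "Viewer", "kind": "contractor", "contract_end": None},
    {"email": "sam@example.com", "role": "Superuser", "kind": "employee", "contract_end": None},
]

def review_members(members, today):
    """Return sorted (email, finding) pairs for memberships worth a manual look."""
    findings = []
    owners = [m for m in members if m["role"] == "Owner"]
    if len(owners) == 1:
        # Only an Owner can promote another Owner, so a single Owner is worth noting.
        findings.append((owners[0]["email"], "sole-owner"))
    for m in members:
        email, role, kind = m["email"], m["role"], m.get("kind")
        if role not in KNOWN_ROLES:
            findings.append((email, "unknown-role"))
        if kind == "contractor":
            if role in PRIVILEGED_ROLES:
                findings.append((email, "privileged-contractor"))
            end = m.get("contract_end")
            if end is None:
                # End dates are optional on the profile; flagging a gap is a review choice.
                findings.append((email, "contractor-without-end-date"))
            elif date.fromisoformat(end) < today:
                findings.append((email, "contract-ended"))
    return sorted(findings)

if __name__ == "__main__":
    for email, finding in review_members(SAMPLE_MEMBERS, date(2025, 1, 15)):
        print(f"{finding:28} {email}")
```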