✅ Feature availability: All plans include standard built-in user roles. Additional scoped roles and custom role-based access controls depend on your plan and enabled features. Refer to Vanta Plans and Pricing for details.
User roles control access to the Vanta platform, ensuring that users only have access to what they need to complete their work. Roles range from broad platform access to focused product-area access, and you can create custom roles to fit your organization's needs. Who gets a user account and how those accounts are added or deactivated depends on your user provisioning setting.
⚙️ User permissions: Only Admins can manage users, custom roles, and user provisioning. Refer to Understanding User Roles and Permissions for more details.
Getting started
Each user account can be assigned one role, which determines the following:
Employee portal: Whether a user can log in to access the employee portal, where they can complete personnel tasks, access requests, and vendor requests, if your organization has enabled these features. All user roles can access the employee portal.
Product permissions: What a user can see and do across Vanta by default, before any object assignments are considered.
Object assignments: Which specific objects a user can be assigned to and act on. These layer on top of product permissions, so a user can have access to specific objects even if their role doesn't grant broader platform access. All user roles except Employee can be assigned objects across the Vanta product.
💡 Tip: Assign users the Employee role if you only want them to be able to access the employee portal. Assign users the Collaborator role if you want them to have access to objects they've been assigned. For users who need broad access across Vanta, assign them the Editor role.
Comparing user roles
Vanta has three types of roles: standard roles available to all customers, scoped roles that come with specific product areas included on your plan, and custom roles for bundling product area permissions.
Review the tables below to compare the default product permissions per user role. For a breakdown of what users can do in each product area, refer to Understanding User Roles and Permissions.
Standard roles
Standard roles are built-in Vanta roles available on all Vanta plans:
Role | Default product permissions |
Admin | Full access to everything in Vanta |
View-only Admin | View-only access to everything in Vanta |
Editor | Full access to everything in Vanta except for sensitive personnel data and API tokens |
Collaborator | Access only to objects they’re assigned to in Vanta |
Employee (default role assigned) | No access except the employee portal |
Scoped roles
Scoped roles are built-in Vanta roles that appear when the related product area or feature is enabled for your organization:
Role | Default product permissions |
Access Admin | View personnel, access requests, and access reviews, and deprovision accounts across integrated systems |
Audit Limited Editor | Same as Editor, except cannot post external comments on Information Requests, mark as ready for audit, or configure per-audit owner permission settings |
Privacy Manager | Full access to Privacy |
Trust Admin | Full access to Customer Trust |
Trust Collaborator | Limited access to Customer Trust |
Custom roles
Depending on your plan, you can create custom roles from the Roles page by clicking Add role. Custom roles let you bundle product permissions for users who need access to specific parts of Vanta. They're built on the Collaborator baseline, so users can still be assigned objects across the product.
For each custom role, enable as many or as few product areas as needed and choose the access level you'd like to grant for each.
Role | Default product permissions |
No access | No access except the employee portal until objects are assigned |
View only | View-only access to enabled product areas |
View and edit | Edit access to enabled product areas |
Assigning user roles
To assign a role to a user account:
In your account header, click the Settings icon.
Under Access, open the User permissions page.
Each user account can be assigned one role.
To see the roles available to use:
In your account header, click the Settings icon.
Under Access, open the Roles page.
Managing user provisioning
Who gets a user account, and how those accounts are added or deactivated, depends on your user provisioning setting—whether that's automatically from personnel records, synced via SCIM, or managed manually.
User provisioning setting | How provisioning works | How deprovisioning works |
Personnel auto-provisioning | When a personnel record is added to your People page, a linked user account is automatically created with the Employee role. | Accounts are automatically deactivated when the linked personnel record is terminated, marked out of scope, or set as a service account. |
User provisioning via SCIM | User accounts are created and managed from your IdP via SCIM. User roles are assigned in your IdP and synced to Vanta. | Accounts are deprovisioned when deactivated in your IdP. |
Manual provisioning | No user accounts are created automatically. | Offboarding personnel records does not automatically deactivate user accounts. |
Personnel auto-provisioning
When user provisioning is enabled via personnel, user accounts are automatically created from personnel records. Then you manage Vanta platform access levels with user roles. To learn about how personnel are imported, see Adding and Managing Personnel.
Action | How it works |
Add user account | Provisioning: User accounts are created automatically when personnel records are added—regardless of how personnel were imported. |
Edit user role | Access: Search for a user and use the dropdown menu to change their role. Select multiple users to make bulk changes. |
Deactivate user account | Deprovisioning: Offboard the personnel record, mark them out of scope, or mark them as a service account—these actions automatically deactivate user accounts. |
💡 Tip: To add a user account for someone who doesn't need a personnel record, click Add user account and leave the Monitor user for compliance option unchecked. User accounts added this way need to be deactivated manually.
User provisioning via SCIM
If you’ve got SCIM enabled, user accounts are created and managed from your IdP. Roles are assigned in your IdP and synced to Vanta.
Keep in mind:
Not all personnel automatically receive a user account. Accounts are only created for personnel you explicitly assign to the Vanta app in your IdP.
Removing someone from SCIM terminates their personnel record and deactivates their user account.
📖 Learn more: Enabling SCIM in Vanta
Manual provisioning
When user provisioning is off, personnel records and user accounts are managed independently. You control exactly who gets access to Vanta by manually managing user accounts. Adding or offboarding a personnel record does not automatically add or deactivate a user account, and deactivating a user account does not affect the personnel record.
Action | How it works |
Add user account | Provisioning: Click Add user account, enter their details, select a role, and decide whether to also create a personnel record in Vanta. |
Edit user role | Access: Search for a user and use the dropdown menu to change their role. Select multiple users to make bulk changes. |
Deactivate user account | Deprovisioning: Click the ••• menu next to the user and select Deactivate. This removes their access to Vanta without affecting their personnel record. |
Changing your user provisioning setting
To change your user provisioning setting:
Click the Settings icon from your account header.
Open the Login and security page.
Scroll to the User provisioning section.
Review the preview of what will happen to existing user accounts. Users may be added or deactivated, and access levels and how accounts are managed may change.
The confirmation modal may refer to accounts becoming manually managed. Here's what that means:
An account is manually managed when it isn't linked to a personnel record, which can happen when:
User provisioning is turned off, meaning you’re manually provisioning users.
You add a user account manually without linking it to a personnel record.
Vanta can't match a user account to a personnel record by email address during a provisioning sync.
Manually managed accounts aren't automatically provisioned or deprovisioned—changes to their personnel record won't affect their Vanta access.
You can provision and deprovision manually managed user accounts directly from your user permissions settings in Vanta.
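Because manually managed accounts are not deactivated when a personnel record changes, they are worth reconciling periodically. The following is an added example, not Vanta code or a Vanta API: it compares a list of user accounts against personnel records by email and reports active accounts that have no matching record or whose record is in a state that would have deactivated a linked account. The record shapes, status strings and case-insensitive comparison are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
# Roles the page lists with platform-wide default permissions.
BROAD_ROLES = {"Admin", "View-only Admin", "Editor"}
# Personnel states that deactivate a linked account (status strings are assumed names).
DEPROVISION_STATUSES = {"terminated", "out_of_scope", "service_account"}

@dataclass(frozen=True)
class Account:
    email: str
    role: str
    active: bool

@dataclass(frozen=True)
class Person:
    email: str
    status: str

def norm(email):
    # Assumption: compare emails case-insensitively, ignoring stray whitespace.
    return email.strip().lower()

def review_accounts(accounts, personnel):
    """Return (email, role, reason) for active accounts that need a manual review."""
    by_email = {norm(p.email): p for p in personnel}
    findings = []
    for acct in accounts:
        if not acct.active:
            continue
        person = by_email.get(norm(acct.email))
        if person is None:
            findings.append((acct.email, acct.role, "no personnel record with this email"))
        elif person.status in DEPROVISION_STATUSES:
            findings.append((acct.email, acct.role, f"personnel record is {person.status}"))
    # Broad roles first, then by email, so the widest stale access is on top.
    return sorted(findings, key=lambda f: (f[1] not in BROAD_ROLES, norm(f[0])))

# Constructed sample data (not real exports).
SAMPLE_ACCOUNTS = [
    Account("alice@example.com", "Admin", True), Account("bob@example.com", "Collaborator", True),
    Account("Carol@Example.com", "Editor", True), Account("dave@example.com", "Employee", False),
    Account("contractor@partner.example", "Editor", True),
]
SAMPLE_PERSONNEL = [
    Person("alice@example.com", "active"), Person("bob@example.com", "terminated"),
    Person("carol@example.com", "active"), Person("dave@example.com", "terminated"),
]
if __name__ == "__main__":
    for email, role, reason in review_accounts(SAMPLE_ACCOUNTS, SAMPLE_PERSONNEL):
        print(f"{role:<13} {email:<28} {reason}")
```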






