User Permissions by Product Area

✅ Feature availability: All plans include standard built-in user roles. Additional scoped roles and custom role-based access controls depend on your plan and enabled features. Refer to Vanta Plans and Pricing for details.

When you're logged in to Vanta, what you can see and do depends on your user role and any object assignments. This article breaks down permissions by product area so you can understand what each role can access and how to give users the right level of access.


Getting started

What a user can see and do in Vanta depends on their user role and any object assignments:

  • Collaborators can only access what they've been assigned to. To be assigned objects in Vanta, users need at least the Collaborator role. Not every product area supports object assignments.

  • Object assignments can include inherited access—being assigned to a parent object may grant access to its mapped child objects, but not other objects. For example, a control owner inherits access to mapped tests, documents, and policies, but not to the framework or risks the control is mapped to.

  • Admins and Editors have default access across product areas, and anything that requires Admin privileges is noted. View-only Admins have the same access as Admins but can’t take any actions without being assigned an object.

  • Scoped roles are built-in roles tied to specific product areas, like Trust Admin or Privacy Manager. They’re available when the related product area or feature is enabled on your plan.

  • Custom roles let you bundle specific permissions for users across product areas.

  • Permissions are additive—a user's role and their object assignments work together. For example, a View-only Admin assigned as a Risk Scenario owner can edit that scenario, even though their user role is view-only by default.

📖 Learn more: For details on custom role-based access control (RBAC) permissions, see Custom User Roles. For a complete list of user roles, see Managing User Roles.


Assets

Collaborators

Collaborators can't be granted access to Assets through object assignments. Assigning someone as an owner or group owner on an inventory item tracks responsibility but doesn't grant access.

Editors and Admins

Editors and Admins can:

  • View and manage inventory items and metadata, including bulk actions like tagging, assigning group owners, and updating descriptions.

  • View, export, and manage code changes.

  • View, export, refresh, and manage vulnerability monitoring, including deactivating and reopening vulnerabilities.

  • View security alerts and manage alert monitoring state, including deactivating and reactivating monitoring.

Common scenarios

  • Assigning someone as an owner or group owner on an inventory item doesn't grant them access to Assets: To give someone access, assign them a role that includes Assets permissions, like Editor or a custom role with the relevant Assets permission sets enabled.


Compliance

Collaborators

Collaborators can access Compliance through object assignments.

| Object assignment | Permissions |
| --- | --- |
| Control owner | Manage all mapped tests, documents, and policies—with the same permissions as test and document owners, plus the ability to reassign their owners. Access does not extend to mapped frameworks or risks. |
| Test owner | View test results and remediation instructions, create tasks and task automation, download test result data, and comment. Also inherits the ability to manage draft versions, submit for approval, view previous versions, and assign approvers on any mapped policies. |
| Document owner | Renew, upload, and submit documents, create tasks, delete prior versions, and comment. Cannot edit the document name or description, assign approvers, or modify control mappings. |
| Policy approver | View the policy, comment, view previously approved versions, and view mapped controls and tests. Can approve or request changes when it's their turn in the approval chain. Access reverts to view and comment only once the approval step is complete. |
| Information request owner | View the request and internal comments, add and manage internal comments, and upload and manage evidence on the request. Cannot reassign ownership, change request details, mark as ready for audit, or view or manage auditor-facing comments. Inherits viewer access to the parent audit. |

ℹ️ Note: Frameworks don't support object assignments, meaning control owners can't access the framework their control belongs to through that assignment. Framework access requires an Editor role, Admin role, or a custom role with Frameworks & Controls enabled.

Editors and Admins

Editors and Admins can:

  • View and manage all frameworks, controls, tests, documents, and policies across the organization.

  • Create, edit, and delete controls, tests, and documents.

  • Modify control, test, and document mappings.

  • Create, edit, and manage policies, including managing approval chains.

  • Create custom tests.

  • Reassign owners across controls, tests, and documents.

Only Admins can:

  • Upload documents marked as sensitive and mark or unmark custom documents as sensitive.

  • Configure the global document approval workflow in Compliance settings.

Common scenarios

  • Give someone access to specific controls, tests, or documents only: Assign the Collaborator role and add them as a control owner, test owner, or document owner on the relevant items. Control owners also inherit access to all mapped tests, documents, and policies.

  • Let someone participate in a policy approval without broader Compliance access: Assign the Collaborator role and add them to the policy's approval chain. They don't need any object ownership or broader Compliance permissions to be a policy approver.

  • Restrict access to sensitive documents to specific people: Mark the document as sensitive. Only document owners, Admins, and auditors can access sensitive documents—Editors cannot view or upload sensitive documents.
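The rules in Getting started and in the Compliance object-assignment table above (Collaborators see only assigned objects, control owners inherit mapped tests, documents and policies but not frameworks or risks, permissions are additive for View-only Admins, and Editors cannot view sensitive documents) can be checked against a small model. The following Python is an added example written for this article, not Vanta's implementation or API; the object kinds, user names, the sample object graph, and the choice to require a direct document assignment for sensitive documents are assumptions made for illustration.

```python
"""Simplified model of the role + object-assignment rules described in the article.
Example code, not Vanta's code or API; the graph and users below are constructed."""
from dataclasses import dataclass, field


@dataclass
class Obj:
    id: str
    kind: str                                   # framework, control, test, document, policy, risk
    mapped: set = field(default_factory=set)    # ids of objects mapped under this one
    sensitive: bool = False                     # only meaningful for documents


@dataclass
class User:
    name: str
    role: str                                   # Admin, ViewOnlyAdmin, Editor, Collaborator, Auditor
    assignments: dict = field(default_factory=dict)   # object id -> assignment ("owner")


# Control owners inherit access to mapped tests, documents and policies,
# but not to the framework or the risks the control is mapped to.
INHERITED_FROM_CONTROL = {"test", "document", "policy"}
DEFAULT_VIEW = {"Admin", "ViewOnlyAdmin", "Editor"}   # default access across the product area
DEFAULT_EDIT = {"Admin", "Editor"}                    # View-only Admins edit nothing by default


def assigned_objects(user: User, graph: dict) -> set:
    """Directly assigned objects plus those inherited through control ownership."""
    direct = set(user.assignments)
    inherited = set()
    for oid in direct:
        obj = graph[oid]
        if obj.kind == "control" and user.assignments[oid] == "owner":
            inherited |= {c for c in obj.mapped if graph[c].kind in INHERITED_FROM_CONTROL}
    return direct | inherited


def can_view(user: User, oid: str, graph: dict) -> bool:
    obj = graph[oid]
    if obj.kind == "document" and obj.sensitive:
        # Sensitive documents: only document owners, Admins and auditors; Editors cannot view.
        # Assumption: the check is on the direct document assignment, so inherited
        # control-owner access does not satisfy it.
        return user.role in {"Admin", "Auditor"} or user.assignments.get(oid) == "owner"
    return user.role in DEFAULT_VIEW or oid in assigned_objects(user, graph)


def can_edit(user: User, oid: str, graph: dict) -> bool:
    obj = graph[oid]
    if obj.kind == "document" and obj.sensitive:
        return user.role == "Admin" or user.assignments.get(oid) == "owner"
    # Additive: a View-only Admin or Collaborator edits exactly what they are assigned to.
    return user.role in DEFAULT_EDIT or oid in assigned_objects(user, graph)


def access_matrix(user: User, graph: dict) -> dict:
    """Effective access per object: 'edit', 'view' or 'none'."""
    out = {}
    for oid in graph:
        if can_edit(user, oid, graph):
            out[oid] = "edit"
        elif can_view(user, oid, graph):
            out[oid] = "view"
        else:
            out[oid] = "none"
    return out


# Constructed sample graph: one framework, one control with a mapped test, document,
# policy and risk, plus a sensitive document that is not mapped to the control.
GRAPH = {o.id: o for o in [
    Obj("F1", "framework", {"C1"}),
    Obj("C1", "control", {"T1", "D1", "P1", "R1"}),
    Obj("T1", "test"),
    Obj("D1", "document"),
    Obj("P1", "policy"),
    Obj("R1", "risk"),
    Obj("D2", "document", sensitive=True),
]}

USERS = {
    "alice": User("alice", "Collaborator", {"C1": "owner"}),   # control owner only
    "bob":   User("bob", "Editor"),
    "carol": User("carol", "ViewOnlyAdmin", {"R1": "owner"}),  # view-only, owns one risk scenario
    "dave":  User("dave", "Admin"),
    "erin":  User("erin", "Collaborator", {"D2": "owner"}),    # owner of the sensitive document
}

if __name__ == "__main__":
    for name, user in USERS.items():
        print(f"{name} ({user.role}): {access_matrix(user, GRAPH)}")
```

Running the block prints one line per user; alice, as a control owner, ends up with edit access to C1, T1, D1 and P1 and no access to F1, R1 or the sensitive document D2, while carol (View-only Admin) can view everything but edit only the risk scenario she owns.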


Customer Trust

Collaborators

Collaborators can access Customer Trust through object assignments.

| Object assignment | Permissions |
| --- | --- |
| Knowledge base resource owner | View the resource and version history, download the file, add a new file version, and modify tags and expiration date. |
| Knowledge base answer library owner | View the entry, modify the answer, and modify tags and expiration date. |
| Questionnaire owner | View and edit the questionnaire, add comments and questions, edit metadata, re-run answer generation, and edit the approver. |
| Questionnaire response owner | View, edit, and comment on an assigned response. Grants view-only access to the entire questionnaire and responses for context. |

Trust Collaborators

Trust Collaborator is a scoped role that appears when Customer Trust is enabled on your plan. It grants users access to the following areas of Customer Trust without needing to be assigned to specific objects.

Trust Collaborators can:

  • View the knowledge base across all resources and answer library entries.

  • View all trust center content and manage external access to your organization's trust center.

  • View and edit all questionnaires and use the browser extension, but cannot be assigned as a questionnaire approver.

Trust Admins, Editors, and Admins

Trust Admin is a scoped role that appears when Customer Trust is enabled on your plan. It grants Editor-level access within Customer Trust only.

Trust Admins, Editors, and Admins can:

  • View and edit the knowledge base across all resources and answer library entries.

  • View, edit, comment on, and approve all questionnaires, including approving and editing approved answers, marking them complete, and deleting questionnaires.

  • Be assigned as a questionnaire approver.

  • Edit the trust center and its settings, including questionnaire settings and integrations.

  • Fulfill trust center data deletion requests.

  • View and edit customer commitments and view citations within commitments.

Only Admins can:

  • Import contracts and connect CLM integrations.

  • View and manage underlying contracts.

Common scenarios

  • Give someone access to specific questionnaires only: Assign the Collaborator role and add them as a questionnaire owner on the relevant questionnaires. Alternatively, assign the Trust Collaborator role; Trust Collaborators have default access to view and edit all questionnaires.

  • Maintain specific knowledge base items only: Assign the Collaborator role and add them as a knowledge base resource owner or answer library owner on the specific items they need to maintain.

  • Give someone access to approve questionnaires: Assign the Trust Admin role. Questionnaire approval can't be granted to a Collaborator or Trust Collaborator through object assignment.

  • Give someone access to manage contracts and commitments: Create a custom role with the Customer Contracts permission enabled.


Integrations

Collaborators

Collaborators can't be granted access to Integrations through object assignments.

Editors and Admins

Editors and Admins can:

  • View and manage all integrations—except identity provider (IdP) integrations.

Only Admins can:

  • Connect or manage identity provider (IdP) integrations.

Common scenarios

  • Give someone access to manage integrations without full Admin access: Assign the Editor role or create a custom role with Integrations set to view and edit. Admin access is only required for identity provider (IdP) integrations.

  • Give a Collaborator access to a specific integration: Integrations don't support object assignments. To give someone access, assign the Editor role or a custom role with Integrations enabled.


Personnel

Collaborators

Collaborators can access Personnel through object assignments.

| Object assignment | Permissions |
| --- | --- |
| System reviewer | View and download access data for the assigned system, complete the access review, create notes and tasks associated with an account, and change account owners. |
| Deprovisioning task owner | View and complete assigned deprovisioning tasks. |

Collaborators can also be assigned as a system approver or system admin for Access Requests. These assignments grant scoped access to approve, deny, or provision assigned requests only.

Access Admins, Editors, and Admins

Access Admin is a scoped role that appears when Access Management features are enabled on your plan. It grants users access to the Access page, including all access reviews, requests, systems, and deprovisioning tasks.

Access Admins can:

  • View limited personnel details within access reviews, requests, and deprovisioning tasks.

  • Approve and complete access requests across all systems.

  • Deprovision accounts across integrated systems.

In addition to the above, Editors and Admins can:

  • View and manage the People page, including the People, Groups, and Background Checks tabs.

  • View and manage the Computers page.

  • Create and manage onboarding and offboarding workflows.

  • Create, edit, complete, and delete access reviews, including changing reviewers, uploading or deleting access data, and managing schedules and reminders.

  • Create and manage access request systems, including setting system approvers and system admins.

  • Reassign deprovisioning task owners and delete tasks.

  • Configure Personnel settings.

Common scenarios

  • Let someone manage access requests without broader Personnel access: Assign the Collaborator role and add them as a system approver or system admin for the relevant systems. Use Access Admin instead if you want them to manage access requests across all systems as needed.

  • Let someone start and manage offboarding without full Editor access: Create a custom role with People Management set to view and edit. Add Deprovision Accounts if they also need to deprovision accounts across integrated systems.


Privacy

Collaborators

Collaborators can't be granted access to Privacy through object assignments.

Privacy Managers, Editors, and Admins

Privacy Manager is a scoped role that appears when a privacy framework is enabled on your plan—it grants Editor-level access within Privacy only.

Privacy Managers, Editors, and Admins can:

  • Create, edit, search, filter, and archive processing activities in data inventory, including linking processing vendors and processors to processing activities.

  • Create and manage privacy assessments, including impact assessments, and link them to processing activities.

  • View and export your organization's ROPA.

  • Manage privacy settings, including custom processing activity fields.

Common scenarios

  • Give someone access to privacy assessments only: Create a custom role with Data Inventory set to view and edit and Privacy Settings set to no access.


Reports

Collaborators

Collaborators can access Reports through object assignments.

| Object assignment | Permissions |
| --- | --- |
| Report viewer | View the report and its report schedules. Cannot edit the report or share it with other users. |

Editors and Admins

Editors and Admins can:

  • View and edit all reports.

  • Duplicate and customize reports to create custom reports.

  • Manage access and share reports.

  • Create, edit, and delete report schedules.

  • Delete custom reports.

Common scenarios

  • Give someone access to one report only: Share the report directly with any user who has the Collaborator role or higher. They'll get view-only access to that specific report and can view its schedules, but can't edit the report or share it with other users. Note that reports can't be shared with Employees or Trust Collaborators.

  • Give someone access to a report schedule: Users must already have access to the report before they can be added to a schedule. Share the report with them first, then add them to the schedule.


Risk

Collaborators

Collaborators can access Risk through object assignments.

| Object assignment | Permissions |
| --- | --- |
| Risk register viewer | View all scenarios and linked tasks in the register, search, filter, and export register data, and generate and export risk assessment reports. Cannot be selected as a risk assessment approver. |
| Risk register manager | Everything a register viewer can do, plus edit scenarios and tasks, add and archive scenarios, move scenarios to another register, and assign scenario owners within their register. Can be selected as a risk assessment approver. |
| Risk scenario owner | Edit the scenario, complete risk assessments, create and edit linked tasks, and approve risk assessments. Can be selected as a risk assessment approver. |
| Risk task owner | View and update task details, add notes and upload files, mark complete, send reminders, change the due date, delete the task, and export. Cannot be selected as a risk assessment approver. |

Editors and Admins

Editors and Admins can:

  • View all risk registers, scenarios, and tasks across the organization.

  • Create, rename, delete, and manage access to registers.

  • Reassign scenario and task owners across the organization.

  • Archive or delete scenarios across the organization.

  • Create and manage risk snapshots and reports, including auditor sharing on snapshots.

  • Configure risk settings, including custom categories, custom fields, likelihood and impact scoring scales, risk levels, and auditor view.

Common scenarios

  • Give someone access to a task and its parent risk: Assign them as a task owner and a register viewer on the relevant register.

  • Give someone access to one specific risk scenario: Assign them as the risk scenario owner on that scenario so they can complete the risk assessment without visibility into other risks.


Settings

Collaborators

Collaborators and above can access the Notifications, Language, and Interface pages in Settings. These pages are grouped under My Account. Collaborators can't access any other pages in Settings.

Editors and Admins

Editors can access most pages in Settings. Pages where Editors have view-only access or no access are noted in the table below:

| Settings page | Editor | Admin |
| --- | --- | --- |
| Company > Notifications | ✅ Edit access | ✅ Edit access |
| Company > Information | ✅ Edit access | ✅ Edit access |
| Company > Billing | ❌ No access | ✅ Edit access |
| Company > Language | ✅ Edit access | ✅ Edit access |
| Company > Developer console | ❌ No access | ✅ Edit access |
| Company > Webhooks | ❌ No access | ✅ Edit access |
| Company > Tags | ✅ Edit access | ✅ Edit access |
| Company > AI | ✅ Edit access | ✅ Edit access |
| Access > User permissions | 👁️ View-only access | ✅ Edit access |
| Access > Roles | 👁️ View-only access | ✅ Edit access |
| Access > Teams | ✅ Edit access | ✅ Edit access |
| Access > Login and security | 👁️ View-only access | ✅ Edit access |
| Monitoring > Frameworks | ✅ Edit access | ✅ Edit access |
| Monitoring > SLAs | 👁️ View-only access | ✅ Edit access |

ℹ️ Note: Pages grouped under Features contain settings for specific product areas. Editors typically have full access to these pages—any exceptions are noted in the relevant product area section of this article.

Common scenarios

  • Delegate user management without full Admin access: This isn't currently possible—managing users, roles, and user provisioning are Admin-only actions.

  • Give Employees access to account settings: Employee roles can only access the following My Account pages: Language and Interface.


Vendors (TPRM)

Collaborators

Collaborators can't be granted access to Vendors through object assignments. Adding a Collaborator as a security owner or business owner on a vendor tracks responsibility but doesn't grant access to Vendors. Security owners must have a Collaborator role or higher. Business owners can be any user role, including Employee.

Editors and Admins

Editors and Admins can:

  • View and manage all vendors, including vendor details, assessments, findings and evidence, and owner assignments.

  • View and manage vendor settings.

Common scenarios

  • Give someone access to a specific vendor only: This isn't possible since Vendors doesn't support object assignments. To give someone Vendors access, assign the Editor role or create a custom role with Vendors set to view and edit.