Role-Based Access Control

Manage who can see, edit, and administer your compliance program with fine-grained role assignments.

Updated March 2026 | 5 min read

Built-In Roles

ComplyWise ships with three built-in roles that cover the majority of compliance program needs. Each role inherits a specific set of permissions that control access to data, actions, and administrative functions. Roles are assigned per-user within a tenant.

  • Admin — Full access to all features including tenant settings, user management, integration configuration, and license management
  • Auditor — Read-only access to all compliance data, controls, evidence, and reports. Can export audit packages but cannot modify configurations
  • Member — Standard access to dashboards, frameworks, scans, and evidence upload. Cannot access admin or audit-specific features

Permission Model

Permissions are evaluated at the API layer on every request. The authenticated user's role is verified against the required permission for each endpoint. Role checks are enforced consistently across all routes.

  • Scans: Members and Admins can initiate; Auditors can view only
  • Evidence: Members and Admins can upload; all roles can view
  • Reports: All roles can generate and view
  • Settings: Admin-only for tenant configuration, integrations, and user management
  • Audit Log: Visible to Admins and Auditors

Assigning Roles

Roles are assigned when inviting a new user or by editing an existing user's profile in the admin panel. A user can hold exactly one role within a tenant. Role changes take effect promptly, though a user may need to re-authenticate before the new role applies to their session.

  • Invite users by email with a pre-selected role
  • Change roles in Settings → Users for existing team members
  • Role changes are logged in the audit trail
  • At least one Admin must exist per tenant

Auditor Access

The Auditor role is designed for external auditors performing SOC 2, ISO 27001, or other certification assessments. Auditors receive a dedicated view that shows compliance posture, control status, evidence artifacts, and downloadable audit packages. They cannot modify any data, ensuring audit integrity.

  • Dedicated auditor dashboard with focused compliance views
  • Read-only access to all frameworks, controls, and evidence
  • Export audit report data as structured JSON
  • Activity logged for auditor traceability

API Key Permissions

API keys inherit the permissions of the user who created them. When using service-to-service authentication, the API key carries the same role-based restrictions. We recommend creating dedicated service accounts with the minimum required role for automation and CI/CD integrations.

  • API keys scoped to the creating user's role and tenant
  • Separate API keys recommended for each integration
  • Key rotation supported without downtime
  • Revoked keys immediately invalidated
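The following is an added illustration, not ComplyWise's own code, of the permission matrix in the Permission Model section together with the "at least one Admin per tenant" invariant and the rule that an API key carries its creating user's role. The resource and action names, the user ids and the key ids are assumptions chosen to mirror the bullet lists above.

```python
from enum import Enum
from typing import Dict, Optional, Set, Tuple

class Role(str, Enum):
    ADMIN = "admin"
    AUDITOR = "auditor"
    MEMBER = "member"

# (resource, action) -> roles allowed, transcribed from the Permission Model list.
# Resource/action names are assumptions, not ComplyWise endpoint names.
PERMISSIONS: Dict[Tuple[str, str], Set[Role]] = {
    ("scans", "initiate"): {Role.MEMBER, Role.ADMIN},
    ("scans", "view"): {Role.MEMBER, Role.ADMIN, Role.AUDITOR},
    ("evidence", "upload"): {Role.MEMBER, Role.ADMIN},
    ("evidence", "view"): {Role.MEMBER, Role.ADMIN, Role.AUDITOR},
    ("reports", "generate"): {Role.MEMBER, Role.ADMIN, Role.AUDITOR},
    ("reports", "view"): {Role.MEMBER, Role.ADMIN, Role.AUDITOR},
    ("settings", "manage"): {Role.ADMIN},
    ("audit_log", "view"): {Role.ADMIN, Role.AUDITOR},
}

def is_allowed(role: Role, resource: str, action: str) -> bool:
    """Deny by default: a (resource, action) pair absent from the matrix is never granted."""
    return role in PERMISSIONS.get((resource, action), set())

def change_role(users: Dict[str, Role], user_id: str, new_role: Role) -> Dict[str, Role]:
    """Return the tenant's user->role map with one change applied.

    Refuses any change that would leave the tenant without an Admin, which is
    the invariant stated under Assigning Roles. The input map is not mutated.
    """
    if user_id not in users:
        raise KeyError(f"unknown user {user_id}")
    proposed = dict(users)
    proposed[user_id] = new_role
    if not any(r is Role.ADMIN for r in proposed.values()):
        raise ValueError("at least one Admin must exist per tenant")
    return proposed

def role_for_api_key(api_keys: Dict[str, str], users: Dict[str, Role],
                     key_id: str) -> Optional[Role]:
    """Resolve an API key to the role of the user who created it.

    api_keys maps key id -> creating user id. A revoked key is simply absent
    from the map, so it (and any unknown key) resolves to None, i.e. no access.
    """
    owner = api_keys.get(key_id)
    return users.get(owner) if owner is not None else None
```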