💡 Still using the classic Drata experience? Refer to Role Administration & RBAC for the original UI.
Admins can assign one or more roles to a user. Each role grants access to specific areas of the workspace.
Note: Admins have full read and write access across all areas of the workspace.
How roles work
Roles are predefined access bundles
Users can have multiple roles
Access is additive
Some roles provide read-only or restrictive access/view
Roles and descriptions
Use this section to decide which Drata role best fits a user’s responsibilities.
Roles and descriptions table
The following table outlines general page permissions. It does not include Settings or My Drata pages. Please review the following bullet points for more information.
🔒 Admin-only actions Only Admins can grant remote access to Drata Support.
Only Admins, Information Security Lead, and Workspace Manager can grant remote access to the Drata Support team.
In general, Organization settings are Admin-only.
However, some settings under the Organization section are accessible to specific roles based on responsibility. These exceptions are intentional:
Workflows: Accessible to Workspace Managers
Personnel Compliance > Human Resources: Accessible to Personnel Compliance Managers
Ticket Automation: Accessible to DevOps Engineers
All roles expect risk register owner can access the My Drata page to view their own information and activity.
All roles can access and manage their personal settings, such as notifications and language preferences.
Role | Description | Pages Available to Access |
|
Admin | Full access to all areas. Can manage users and roles. | All Pages |
|
Access Reviewer | Reviews and validates user access to ensure appropriate permissions and least-privilege access. | Access Review page |
|
Control Manager | Maintains controls, supporting evidence, and control-related tasks. | Control page |
|
DevOps Engineer | Manages technical integrations, monitoring, and infrastructure-related evidence and findings. | Monitoring > Compliance as Code |
|
Information Security Lead | Manages security posture, controls, evidence, and security reporting across the workspace. | Assets page |
|
Knowledge Base | Manages and maintains internal knowledge base content and documentation. | Open Knowledge Base |
|
Personnel Compliance Manager | Manages personnel-related compliance tasks, employee status, and onboarding and off-boarding workflows. | Personnel page |
|
Policy Manager | Creates, updates, publishes, and manages company policies. | Policies page |
|
Risk Manager | Manages risk assessments, risk treatment, and ongoing risk management activities. | All the Risks pages |
|
Risk Register Owner | Owns and maintains the risk register, including creating, updating, and tracking risks. | Most of all Risks pages |
|
Workspace Manager | Manages day-to-day workspace configuration, including assets, vendors, integrations, and operational setup. | Access Review page |
|
Internal Auditor | Reviews audit evidence, controls, and compliance status for internal audit purposes. | Audit Hub (only Internal Auditor pages) |
|