Note: Drata currently offers two experiences, Classic and New, and the steps for managing roles differ between them. Make sure you follow the instructions for your version; use the links below to skip to the right set.
Customers who joined Drata on or after Feb 24, 2026 are automatically on the New Drata Experience.
Required role: Admin. Only Admins can assign, change, or remove roles.
How roles work
Drata uses role-based access control (RBAC) to give users access to specific areas of the platform based on their responsibilities.
Users can have multiple roles at the same time
Access is additive — when a user has multiple roles, they receive the combined permissions of all assigned roles
The Admin role supersedes all other roles — if a user is assigned Admin, their other roles become redundant
Some roles include read-only or restricted view access options.
Read-only access and restricted view
Some roles in Drata can be configured with additional access restrictions. Only Admins can configure these settings.
Read-only access
Read-only access allows a user to view, filter, and download data available to their role — but they cannot make edits, create records, or perform write actions of any kind.
Who it applies to: Any role can have read-only access enabled.
Default: Disabled — users have full read and write access by default.
Experience: Read-only is a toggle that Admins turn on or off per user in Role Administration.
Restricted view
Restricted view limits a user's access to only the items they own or are assigned to — instead of seeing everything available to their role.
Who it applies to: Control Managers and Risk Managers only.
Default: Disabled — users have full access by default.
Experience: Restricted view is a toggle that Admins turn on or off per user in Role Administration.
Role | What restricted view limits
Control Manager | Can only access controls they own or are assigned to for tasks or required approvals
Risk Manager | Can only access risks they own or are assigned to for tasks
Turn off restricted view to let the user access all controls or risks across the organization, not just the ones they own or are assigned to.
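The three rules above (additive roles with Admin superseding the rest, a per-user read-only toggle, and restricted view for Control and Risk Managers) together decide what a user can see and change. The following is an added illustration written for this article, not Drata's code or API: the role catalogue, permission names, object kinds and sample records are assumptions, and the reassignment-on-removal rule from the procedure sections is modelled as "records the user owned and can no longer read go to the Admin who removed the role".

```python
"""Toy model of the role semantics described in this article: additive roles, Admin
superseding other roles, per-user read-only, restricted view, and ownership
reassignment on role removal. Added illustration, not Drata's code or API; the
permission catalogue, role names and sample records below are assumptions."""
from dataclasses import dataclass, replace

# Assumed permission catalogue (illustrative, not Drata's real permission matrix).
ROLE_PERMISSIONS = {
    "Admin": {"controls:read", "controls:write", "risks:read", "risks:write", "roles:manage"},
    "Control Manager": {"controls:read", "controls:write"},
    "Risk Manager": {"risks:read", "risks:write"},
}

# Object kind each restricted-view-capable role is scoped to (mirrors the table above).
RESTRICTED_VIEW_ROLES = {"Control Manager": "controls", "Risk Manager": "risks"}


@dataclass(frozen=True)
class Record:
    kind: str                      # "controls" or "risks"
    id: str
    owner: str
    assignees: frozenset = frozenset()


@dataclass
class User:
    name: str
    roles: set
    read_only: bool = False        # per-user toggle, allowed on any role
    restricted_view: bool = False  # per-user toggle, effective only for Control/Risk Managers


def effective_permissions(user):
    """Access is additive: the union of every assigned role's permissions.
    Admin supersedes the rest, so once it is present the other roles add nothing.
    Read-only then strips every write/manage permission, whatever the role."""
    if "Admin" in user.roles:
        perms = set(ROLE_PERMISSIONS["Admin"])
    else:
        perms = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))
    if user.read_only:
        perms = {p for p in perms if p.endswith(":read")}
    return perms


def _restricted_kinds(user):
    """Object kinds where restricted view applies to this user.
    Assumption: because Admin supersedes other roles, an Admin is never restricted."""
    if not user.restricted_view or "Admin" in user.roles:
        return set()
    return {kind for role, kind in RESTRICTED_VIEW_ROLES.items() if role in user.roles}


def visible_records(user, records):
    """Records the user can see: needs <kind>:read, and under restricted view must
    own the record or be assigned to it."""
    perms = effective_permissions(user)
    restricted = _restricted_kinds(user)
    return [
        r for r in records
        if f"{r.kind}:read" in perms
        and (r.kind not in restricted or r.owner == user.name or user.name in r.assignees)
    ]


def can_write(user, record):
    """A write needs the write permission and the record must be visible to the user."""
    return (f"{record.kind}:write" in effective_permissions(user)
            and record in visible_records(user, [record]))


def remove_role(actor, user, role, records):
    """Only an Admin may remove a role. The change takes effect immediately; any record
    the user owned but can no longer read is reassigned to the actor (assumed model of
    the reassignment rule). Returns the updated record list."""
    if "Admin" not in actor.roles:
        raise PermissionError("only Admins can assign, change or remove roles")
    user.roles.discard(role)
    still_readable = effective_permissions(user)
    return [
        replace(r, owner=actor.name)
        if r.owner == user.name and f"{r.kind}:read" not in still_readable else r
        for r in records
    ]


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    records = [
        Record("controls", "CTRL-1", owner="alice"),
        Record("controls", "CTRL-2", owner="bob", assignees=frozenset({"alice"})),
        Record("controls", "CTRL-3", owner="bob"),
        Record("risks", "RISK-1", owner="bob"),
    ]
    alice = User("alice", {"Control Manager"}, restricted_view=True)
    admin = User("root", {"Admin"})
    print([r.id for r in visible_records(alice, records)])      # CTRL-1 and CTRL-2 only
    records = remove_role(admin, alice, "Control Manager", records)
    print([(r.id, r.owner) for r in records][0])                # CTRL-1 now owned by root
```

Two design points worth noting: read-only is applied after the Admin shortcut, so a read-only Admin keeps full visibility but loses every write and manage permission, matching "any role can have read-only access enabled"; and restricted view is evaluated per object kind, so a user who is both a restricted Control Manager and an unrestricted Risk Manager is only filtered on controls.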
Before you assign a role
Before assigning any role, confirm the following:
The user must already exist in your Drata account. If they have not been invited yet, invite them first.
You must have the Admin role to assign, change, or remove roles.
Instructions for the New Experience ⬇️
Assign a role
Go to Settings → Role administration.
Select Assign role.
Search for and select the Personnel and the desired role.
Confirm the assignment.
Remove and reassign a user's role
Changing a role updates the user's access and permissions immediately. When you change a role, any objects (such as controls or tasks) that the user owned under their previous role are reassigned to you.
Go to Settings → Role administration.
Find and select the user.
Review the Assigned Roles section, which lists all roles currently assigned to the user.
If there are multiple roles, expand the role you want to change.
Select the Remove and reassign button. Then, select the new role that you would like to assign.
Select Remove role to remove the role from the user.
As part of assigning or updating a role, you can configure read-only access or restricted view for roles that support these options.
Instructions for the Classic Experience ⬇️
Assign an Admin role
Navigate to the Settings section of your Drata account.
Go to Role Administration and select Admins.
Locate the colleague to whom you want to assign the admin role by searching for their name.
Assign the Admin Role to the selected user.
Important notes: The user must already exist in your Drata account before admin rights can be granted; if they have not been added, invite them to join the account first. You must also have admin access yourself to make these role changes. Finally, before assigning the Admin role, verify the email address associated with the user account: log in at app.drata.com and confirm the email is recognized by the system.
Change a person's role
Note: When you change a role, you are assigned the objects (like controls or tasks) that the previous owner loses access to due to the role change. You can verify what the user has access to under the 'Roles and responsibilities' column.
On the 'Role Administration' page, go to the role you would like to update, search for the name, select the ellipsis, and then select 'Change roles'.
Then, on the confirmation modal, select the new role. If a particular role is not displayed, the user may already have been assigned that role.
Remove a user from a role
Note: When you remove a user from a role, you are assigned the objects (like controls or tasks) that the previous owner loses access to due to the role change. You can verify what the user has access to under the 'Roles and responsibilities' column.
On the 'Role Administration' page, go to the role you would like to remove the user from, enter the name, select the ellipsis, and then select 'Remove user'.