Role-based access control (RBAC) allows admin roles to assign personnels to roles that fit their specific needs. Each role has access to different features within the Drata application, so it's important to know which role you have. Find your role at Drata.
Find your assigned role
To find your assigned role, check your email that has your login credentials or an email with the subject line 'You have been added as'. The email subject line indicates your role and the content provides additional details about your role.
Available roles
Admins and Guest administrators. Guest administrators have the same permissions as admins. To learn more, go to Admins overview.
Only Admins have access to the Role Administration page and are the only users who can assign users to roles, change role assignments, or remove users from roles.
Information security leads. To learn more, go to Information security leads overview.
Control managers. To learn more, go to Control managers overview.
Personnel compliance managers. To learn more, go to Personnel compliance managers overview.
Policy managers. To learn more, go to Policy Managers overview.
Risk managers. To learn more, go to Risk managers overview.
Workspace managers. To learn more, go to Workspace managers overview.
Access reviewers. To learn more, go to Access reviewers overview.
Roles and Permissions
The sections below specify the permissions for each of Drata’s predefined roles. The ✅ under each role indicates the role has access to the permission.
If a person is assigned a role with Read-only access, they can view the data but not modify it.
For those using Drata prior to September 2023, the 'Tech Governance Team' has been renamed to 'Information security leads'. The permissions for the role remain the same.
Permission | Description | Admin | Information Security Leads | Risk Managers | Workspace Managers | Control Managers | Personnel Compliance Managers | Policy Managers |
Assets: Assets page | Read lets people view the list of assets and their details. Write lets them edit vendor details and complete report reviews. | ✅ | ✅ |
| ✅ |
|
|
|
Audit Hub: Audit Hub page | Read lets people view the page, which shows all active and completed audits, and download pre-audit packages. There’s no write access. | ✅ |
|
| ✅ |
|
|
|
Audit Hub: Auditor List page | Read lets people view the Auditor List, which shows auditors your organization has worked with in Drata. Write lets them add or delete auditor profiles from the auditor list. | ✅ |
|
| ✅ |
|
|
|
Audit Hub: Audit pages | Read lets people view individual audit pages, including requests, assigned auditors, and audit resources. Write lets them assign auditors, work on auditor requests, change request status, and create audits in Audit Hub. Other write permissions are usually required to complete requests. | ✅ |
|
| ✅ |
|
|
|
Company Settings: Company Info page | Read lets people view the Company Info page. Write lets them edit details. | ✅ |
|
|
|
|
|
|
Company Settings: Key Personnel Info page | Read lets people view the Key Personnel Info page. Write lets them edit details. | ✅ |
|
|
|
|
|
|
Company Settings: Language page | Read lets people view the Language (default) page. Write lets them change it. People can always change their own language setting. | ✅ |
|
|
|
|
|
|
Company Settings: Role Administration page | Read lets people view the Role Administration page. Write lets them assign people to roles. | ✅ |
|
|
|
|
|
|
Company Settings: Human Resources page | Read lets people view the Human Resources page. Write lets them edit details. | ✅ |
|
|
|
| ✅ |
|
Company Settings: Internal Security page | Read lets people view the Internal Security page. Write lets them edit settings. | ✅ |
|
|
|
|
|
|
Company Settings: Notifications page | Read lets people view the Notifications page. Write lets them create, edit, and delete automated notifications for the organization. | ✅ |
|
|
|
|
|
|
Company Settings: Ticket Automation page | Read lets people view the Ticket Automation page. Write lets them create edit, and delete ticket rules. | ✅ |
|
|
|
|
|
|
Company Settings: Vendor Questionnaire page | Read lets people view the Vendor Questionnaire page and individual questionnaires. Write lets them create, edit, and delete questionnaires. | ✅ |
|
|
|
|
|
|
Company Settings: API Keys page | Read lets people view the API Keys page and API documentation. Write lets them create new API keys. | ✅ |
|
|
|
|
|
|
Connections: Connections page | Read lets people view the page, which shows active and available connections. Write lets them add, edit and delete connections. | ✅ |
|
| ✅ |
|
|
|
Connections: Manage Accounts | Read lets people view the connected infrastructure, observability, and version control accounts. Write lets them manage the accounts. | ✅ | ✅ |
| ✅ |
|
|
|
Connections: View Findings | Read lets people view results from the connected vulnerability scanning. Write lets them resync the connected vulnerability scanning. | ✅ | ✅ |
| ✅ |
|
|
|
Controls: Controls page | Read lets people view the Controls page, including all controls and their details. Write lets them edit details, change the scope of controls, create controls, and be assigned as a control owner. | ✅ | ✅ |
| ✅ | ✅ |
|
|
Dashboard: Dashboard page | Provides the most essential alerts, trends, and tasks needed to give a holistic view of your organization’s risk and compliance posture. There’s no write access. | ✅ | ✅ |
| ✅ |
|
|
|
Event Tracking: Event Tracking page | Read lets people view all events, their details, and download raw evidence. There’s no write access. | ✅ | ✅ |
| ✅ | ✅ |
|
|
Evidence Library: Evidence Library page | Read lets people view all evidence uploaded and their details. Write lets them edit details and add evidence to the Evidence Library. | ✅ | ✅ |
| ✅ | ✅ |
|
|
Frameworks: Frameworks page | Read lets people view the Frameworks page, individual framework pages, requirements, and details. Write lets them modify requirements, change scopes, and create custom frameworks. | ✅ | ✅ |
| ✅ |
|
|
|
Help: Remote access permission | Write lets people grant or revoke remote support access for all personnel in the Help menu. | ✅ | ✅ |
| ✅ |
|
|
|
Monitoring: Monitoring page | Read lets people view the Monitoring page, including all tests, their details, and raw test evidence. Write lets them run tests, manage test notification preferences, and map controls to tests. Mapping controls requires Controls page write permission. | ✅ | ✅ |
| ✅ | ✅ |
|
|
My Settings: Notifications page | Read lets people view their notifications. Write lets them turn on/off their notifications. | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
My Settings: Language page | Read lets people view their language preference. Write lets them set their language preference. | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Personnel: Personnel page | Read lets people view the Personnel page, the personnel list, status, and details. Write lets them edit personnel details and take actions related to personnel. | ✅ | ✅ |
| ✅ |
| ✅ |
|
Policy Center: Policy Center page | Read lets people view all policies and download them. Write lets them create policies, edit policies details, take actions based on responsibility, and adjust related notifications in personal settings. | ✅ | ✅ |
| ✅ |
|
| ✅ |
Quick Start: Quick Start page | At the start of your Drata journey, you will work through each step within the Quick Start Guide in order to prepare to onboard your employees and configure the system for your compliance journey. | ✅ |
|
|
|
|
|
|
Risk Assessment: Risk Assessment page | Read lets people view status for all assessment sections. Write lets them complete assessments and assign others who also have Risk Assessment page write permission. | ✅ | ✅ | ✅ | ✅ |
|
|
|
Risk Management: Risk Management page | Read lets people view risks, insights, and the details of both. Write lets them edit risks, add and treat risks, create tickets, assign risk owners, and map controls to risks. Mapping controls requires Controls page write permission. | ✅ |
| ✅ | ✅ |
|
|
|
Security Report: Security Report page | Read lets people view and download the security report to share with potential customers, auditors or board members. Write lets them edit the security report settings and turn on/off sharing of the report. | ✅ | ✅ |
|
|
|
|
|
Tasks: General | Read lets people view general tasks. Write lets people edit details about the task and mark the task complete. | ✅ | ✅ |
| ✅ | ✅ |
|
|
Tasks: Controls | Read lets people view control tasks. Write lets people edit details about the task and mark the task complete. | ✅ | ✅ |
| ✅ | ✅ |
|
|
Tasks: Evidence renewals | Read lets people view evidence renewal tasks based on the evidence renewal date. Write lets people manage the evidence itself. | ✅ | ✅ |
| ✅ | ✅ |
|
|
Tasks: Policy renewals | Read lets people view policy renewal tasks based on the policy renewal date. Write lets people manage the policy itself. | ✅ | ✅ |
| ✅ |
|
| ✅ |
Tasks: Vendor reminders | Read lets people view vendor reminder tasks based on the reminder date. Write lets people manage the vendor itself. | ✅ | ✅ |
| ✅ |
|
|
|
Trust Center: Trust Center page | Read lets people view the Trust Center page, incoming access requests, and domains that have access. Write lets them manage access requests and domain. | ✅ | ✅ |
| ✅ |
|
|
|
Trust Center: Trust page editor | Write lets people customize the Trust page. | ✅ | ✅ |
| ✅ |
|
|
|
Trust Center: Trust page settings | Read lets people access and view Trust Center settings. Write lets them edit Trust Center settings. | ✅ | ✅ |
| ✅ |
|
|
|
Vendors: Vendors page | Read lets people view the list of vendors and their details. Write lets them edit vendor details, complete report reviews, and add vendors. | ✅ | ✅ | ✅ | ✅ |
|
|
|
Want to know more about the Workspace Manager role? Learn more here.
Want to know more about the Guest Administrator role? Learn more here.