Role-Based Access
Updated
by Gillian Langor
VISO TRUST uses four organization-level roles to control what users can see and do in the platform: Admin, Program Manager, Contributor, and Viewer. Assign roles based on how each person participates in your third-party risk program. This page compares the four roles, plus the Business Owner and Assessment Lead relationship designations.
Roles
Admin
Full platform access. Can edit all relationships, manage all assessments, and edit program settings. Best for TPRM program owners who also administer the platform.
Program Manager
Can edit all relationships and manage all assessments. Can view — but not edit — program settings. Best for TPRM team leads who manage the full vendor portfolio without needing administrative control.
Contributor
Can view all relationships. Can edit and manage assessments only for relationships where they are assigned as Business Owner or Assessment Lead. Best for risk team members who own specific vendor relationships.
Viewer
View-only access across the platform. Can see relationships, assessments, risk metrics, and advisories — but cannot make any changes. Suited for executives, auditors, and stakeholders.
Relationship Designations
Business Owner and Assessment Lead are not roles — they are designations on a specific relationship. A user with any platform role can be designated on one or more individual relationships.
Business Owner
The Business Owner represents the internal stakeholder with business accountability for a vendor relationship. When a Contributor is assigned as Business Owner on a relationship, they gain full edit permissions for that relationship.
Assessment Lead
The Assessment Lead is the TPRM team member responsible for running the assessment day-to-day for a specific vendor. This designation gives that person a proper home distinct from the Business Owner — addressing the common pattern of repurposing the Business Owner field to track who's running the assessment.
What Assessment Lead can do on the assigned relationship:
- Upload and manage artifacts
- Edit relationship context (intake, scoping)
- Configure assessment settings
- Send reminders to vendors
- View risk analysis and assessment results
What Assessment Lead cannot do (these remain Admin-only):
- Change frameworks or controls
- Manage integrations
- Administer users or org settings
- Modify notification templates
- Access billing or account settings
Notifications
The notification settings page includes dedicated columns for Business Owner and Assessment Lead, each with independent toggles for assessment notifications, risk advisories, and other relationship-level alerts.
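Permissions Reference
In the tables below, "If BO or AL" means the action is allowed only on relationships where the user is designated as Business Owner (BO) or Assessment Lead (AL).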
Relationships
| Action | Admin | Program Manager | Contributor | Viewer |
|---|---|---|---|---|
| Import relationships | Yes | Yes | No | No |
| View all relationships | Yes | Yes | Yes | Yes |
| Create relationship | Yes | Yes | No | No |
| Update relationship context | Yes | Yes | If BO or AL | No |
| Manage tags | Yes | Yes | If BO or AL | No |
| Subscribe / unsubscribe contacts | Yes | Yes | No | No |
| Add comments | Yes | Yes | If BO or AL | No |
| Delete own comments | Yes | Yes | Yes | No |
| Add / delete attachments | Yes | Yes | If BO or AL | No |
| Download attachments | Yes | Yes | Yes | Yes |
Relationship Lifecycle
| Action | Admin | Program Manager | Contributor | Viewer |
|---|---|---|---|---|
| Onboard relationship | Yes | Yes | No | No |
| Mark as not onboarded | Yes | Yes | No | No |
| Delete relationship | Yes | Yes | No | No |
| Update Business Owner | Yes | Yes | No | No |
| Update Assessment Lead | Yes | Yes | No | No |
Assessments
| Action | Admin | Program Manager | Contributor | Viewer |
|---|---|---|---|---|
| View assessments | Yes | Yes | Yes | Yes |
| Create assessment | Yes | Yes | If BO or AL | No |
| Cancel assessment | Yes | Yes | If BO or AL | No |
| Send reminder email | Yes | Yes | If BO or AL | No |
| Add artifacts | Yes | Yes | If BO or AL | No |
| Delete own artifacts | Yes | Yes | If BO or AL | No |
| Download artifacts | Yes | Yes | Yes | Yes |
Vendor assessment submission is performed by the vendor through their collection portal — not by any internal platform user. This is intentional and cannot be changed by any role.
Risk & Settings
| Action | Admin | Program Manager | Contributor | Viewer |
|---|---|---|---|---|
| View risk metrics | Yes | Yes | No | Yes |
| View program metrics | Yes | Yes | No | Yes |
| Generate risk advisory impact report | Yes | Yes | Yes | Yes |
| Artifact Intelligence | Yes | Yes | No | No |
| Questionnaires | Yes | Yes | No | No |
| VISO Chat | Yes | Yes | No | No |
| View program settings | Yes | Yes | No | No |
| Edit org profile | Yes | No | No | No |
| Edit notification settings | Yes | No | No | No |
| Manage and invite users | Yes | No | No | No |
| Configure integrations | Yes | No | No | No |
When assigning roles, start with Contributor for most risk team members and use Business Owner or Assessment Lead designations to grant relationship-level access where needed. Use Program Manager for those who manage the full vendor portfolio. Escalate to Admin only for users who need to configure org settings, manage users, or control integrations.
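The following access-review sketch applies the guidance above to a user list. It is an added example, not VISO TRUST code or an export format the platform provides: the action keys are hypothetical names for a subset of rows in the tables on this page, and the user data is constructed. For each user it finds the lowest role (plus any Business Owner or Assessment Lead designations) that covers the actions the user needs, and flags users whose current role is higher.

```python
# Added example: action keys are hypothetical names for rows of this page's tables.
# Each string is the Admin / Program Manager / Contributor / Viewer column;
# "D" = allowed only where the user is Business Owner or Assessment Lead.
MATRIX = {
    "create_relationship":         "YYNN",
    "update_relationship_context": "YYDN",
    "add_artifacts":               "YYDN",
    "send_reminder_email":         "YYDN",
    "view_risk_metrics":           "YYNY",
    "configure_integrations":      "YNNN",
}
COLUMN = {"Admin": 0, "Program Manager": 1, "Contributor": 2, "Viewer": 3}
# Assumed preference order for the review, least to most access. Viewer and
# Contributor are not strictly comparable (only Viewer sees risk metrics).
ROLES = ["Viewer", "Contributor", "Program Manager", "Admin"]

def allowed(role, action, designated=False):
    cell = MATRIX[action][COLUMN[role]]
    return cell == "Y" or (cell == "D" and designated)

def least_privileged_role(needs):
    """needs: list of (action, relationship or None) -> (role, designations required)."""
    for role in ROLES:
        designations = set()
        for action, rel in needs:
            if allowed(role, action):
                continue
            if rel is None or not allowed(role, action, designated=True):
                break  # this role cannot cover the need
            designations.add(rel)
        else:
            return role, sorted(designations)
    raise ValueError("no role covers the requested actions")

def review(users):
    findings = []
    for name, current, needs in users:
        role, designations = least_privileged_role(needs)
        if ROLES.index(current) > ROLES.index(role):
            findings.append((name, current, role, designations))
    return findings

# Constructed sample data: (user, current role, actions the user actually needs).
USERS = [
    ("alice", "Admin", [("create_relationship", None), ("view_risk_metrics", None)]),
    ("bob", "Program Manager", [("add_artifacts", "vendor-a"), ("send_reminder_email", "vendor-a")]),
    ("carol", "Program Manager", [("add_artifacts", "vendor-b"), ("view_risk_metrics", None)]),
    ("dave", "Admin", [("configure_integrations", None)]),
]
```

In the sample, carol stays a Program Manager even though she edits only one vendor, because the Contributor column does not include viewing risk metrics.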