Role-Based Access

Updated by Gillian Langor

VISO TRUST uses four organization-level roles to control what users can see and do in the platform. Assign roles based on how each person participates in your third-party risk program. Compare the Admin, Program Manager, Contributor, and Viewer roles in VISO TRUST, plus the Business Owner and Assessment Lead relationship designations.

Roles

Admin
Full platform access. Can edit all relationships, manage all assessments, and edit program settings. Best for TPRM program owners who also administer the platform.

Program Manager
Can edit all relationships and manage all assessments. Can view — but not edit — program settings. Best for TPRM team leads who manage the full vendor portfolio without needing administrative control.

Contributor
Can view all relationships. Can edit and manage assessments only for relationships where they are assigned as Business Owner or Assessment Lead. Best for risk team members who own specific vendor relationships.

Viewer
View-only access across the platform. Can see relationships, assessments, risk metrics, and advisories — but cannot make any changes. Suited for executives, auditors, and stakeholders.

Relationship Designations

Business Owner and Assessment Lead are not roles — they are designations on a specific relationship. A user with any platform role can be designated on one or more individual relationships.

Business Owner

The Business Owner represents the internal stakeholder with business accountability for a vendor relationship. When a Contributor is assigned as Business Owner on a relationship, they gain full edit permissions for that relationship.

Assessment Lead

The Assessment Lead is the TPRM team member responsible for running the assessment day-to-day for a specific vendor. This designation gives that person a proper home distinct from the Business Owner — addressing the common pattern of repurposing the Business Owner field to track who's running the assessment.

What Assessment Lead can do on the assigned relationship:

  • Upload and manage artifacts
  • Edit relationship context (intake, scoping)
  • Configure assessment settings
  • Send reminders to vendors
  • View risk analysis and assessment results

What Assessment Lead cannot do (these remain Admin-only):

  • Change frameworks or controls
  • Manage integrations
  • Administer users or org settings
  • Modify notification templates
  • Access billing or account settings

Business Owner and Assessment Lead grant the same relationship-level permissions to a Contributor. Each relationship can have a different person in each designation — the two are fully independent. All assignment changes are captured in the audit trail.

Notifications

The notification settings page includes dedicated columns for Business Owner and Assessment Lead, each with independent toggles for assessment notifications, risk advisories, and other relationship-level alerts.

Permissions Reference

In the tables below, **"If BO or AL"** means the action is available only on relationships where the Contributor is assigned as Business Owner or Assessment Lead.

Relationships

| Action | Admin | Program Manager | Contributor | Viewer |
|---|---|---|---|---|
| Import relationships | Yes | Yes | No | No |
| View all relationships | Yes | Yes | Yes | Yes |
| Create relationship | Yes | Yes | No | No |
| Update relationship context | Yes | Yes | If BO or AL | No |
| Manage tags | Yes | Yes | If BO or AL | No |
| Subscribe / unsubscribe contacts | Yes | Yes | No | No |
| Add comments | Yes | Yes | If BO or AL | No |
| Delete own comments | Yes | Yes | Yes | No |
| Add / delete attachments | Yes | Yes | If BO or AL | No |
| Download attachments | Yes | Yes | Yes | Yes |

Relationship Lifecycle

| Action | Admin | Program Manager | Contributor | Viewer |
|---|---|---|---|---|
| Onboard relationship | Yes | Yes | No | No |
| Mark as not onboarded | Yes | Yes | No | No |
| Delete relationship | Yes | Yes | No | No |
| Update Business Owner | Yes | Yes | No | No |
| Update Assessment Lead | Yes | Yes | No | No |

Assessments

| Action | Admin | Program Manager | Contributor | Viewer |
|---|---|---|---|---|
| View assessments | Yes | Yes | Yes | Yes |
| Create assessment | Yes | Yes | If BO or AL | No |
| Cancel assessment | Yes | Yes | If BO or AL | No |
| Send reminder email | Yes | Yes | If BO or AL | No |
| Add artifacts | Yes | Yes | If BO or AL | No |
| Delete own artifacts | Yes | Yes | If BO or AL | No |
| Download artifacts | Yes | Yes | Yes | Yes |

Vendor assessment submission is performed by the vendor through their collection portal — not by any internal platform user. This is intentional and cannot be changed by any role.

Risk & Settings

| Action | Admin | Program Manager | Contributor | Viewer |
|---|---|---|---|---|
| View risk metrics | Yes | Yes | No | Yes |
| View program metrics | Yes | Yes | No | Yes |
| Generate risk advisory impact report | Yes | Yes | Yes | Yes |
| Artifact Intelligence | Yes | Yes | No | No |
| Questionnaires | Yes | Yes | No | No |
| VISO Chat | Yes | Yes | No | No |
| View program settings | Yes | Yes | No | No |
| Edit org profile | Yes | No | No | No |
| Edit notification settings | Yes | No | No | No |
| Manage and invite users | Yes | No | No | No |
| Configure integrations | Yes | No | No | No |

When assigning roles, start with Contributor for most risk team members and use Business Owner or Assessment Lead designations to grant relationship-level access where needed. Use Program Manager for those who manage the full vendor portfolio. Escalate to Admin only for users who need to configure org settings, manage users, or control integrations.
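The assignment guidance above can be turned into a periodic access review. The following is an added example, not VISO TRUST code or an API of the platform: it models a subset of the permission tables, finds the lowest role that covers what each user actually needs, and flags users who hold more. The role ordering, function names, roster, and relationship IDs are assumptions made for the illustration.

```python
# Added illustration: a model of this page's permission tables, not a VISO TRUST API.
COLUMNS = ("Admin", "Program Manager", "Contributor", "Viewer")
# Subset of the tables on this page. Y = Yes, N = No, D = "If BO or AL".
MATRIX = {
    "View all relationships":      "YYYY",
    "Update relationship context": "YYDN",
    "Create assessment":           "YYDN",
    "Add artifacts":               "YYDN",
    "Update Assessment Lead":      "YYNN",
    "View risk metrics":           "YYNY",
    "Manage and invite users":     "YNNN",
    "Configure integrations":      "YNNN",
}
# Assumed ordering from least to most access, used only to pick a candidate.
PREFERENCE = ("Viewer", "Contributor", "Program Manager", "Admin")

def allowed(role, action, designated=False):
    """designated: user is Business Owner or Assessment Lead on the relationship."""
    cell = MATRIX[action][COLUMNS.index(role)]
    return cell == "Y" or (cell == "D" and designated)

def minimal_role(needs, designated_on):
    """Lowest role covering every (action, relationship) need; None = org-level."""
    for role in PREFERENCE:
        if all(allowed(role, a, r in designated_on) for a, r in needs):
            return role
    return None

def review(users):
    """Return {user: (current_role, minimal_role)} for over-privileged users."""
    findings = {}
    for name, u in users.items():
        least = minimal_role(u["needs"], u["designated_on"])
        if least and PREFERENCE.index(u["role"]) > PREFERENCE.index(least):
            findings[name] = (u["role"], least)
    return findings

# Constructed sample roster (user names and relationship IDs are made up).
ROSTER = {
    "ana":  {"role": "Admin", "designated_on": {"acme"},
             "needs": [("Add artifacts", "acme"), ("Create assessment", "acme")]},
    "ben":  {"role": "Program Manager", "designated_on": {"acme"},
             "needs": [("Add artifacts", "globex")]},
    "cara": {"role": "Contributor", "designated_on": {"initech"},
             "needs": [("Add artifacts", "initech"), ("View risk metrics", None)]},
}

if __name__ == "__main__":
    print(review(ROSTER))
```

Only "ana" is flagged: her needs are covered by Contributor plus a designation. "cara" shows the opposite case, since per the table a Contributor cannot view risk metrics even when designated, so her needs resolve to Program Manager.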
