Security

RBAC at a glance

A practical summary of which OneComply roles can view, edit, approve, submit, export, and audit compliance work.

Owner: Security Team
Last reviewed: 2026-05-29

Buyer summary

Nine roles. Tenant-scoped access. Audit logs restricted.

OneComply separates platform administration, compliance ownership, risk work, read-only board access, auditor review, and third-party evidence upload. Every API route evaluates the user's organisation and permission before returning data.

All API access is organisation-scoped
UI hides actions the role cannot perform
Server-side RBAC remains authoritative
Audit logs are not visible to general users

Most important rules

Who can view audit logs?

Owner, Administrator, Compliance Officer, and Auditor only.

Who can manage users?

Owner and Administrator have full user administration. Compliance Officer can operate compliance work but should not be used as a platform-admin substitute.

Who can submit reports?

Owner, Administrator, and Compliance Officer. Submission actions are permission-gated separately from report viewing.

Who is read-only?

Viewer and Auditor are read-only. Auditor gets audit-log visibility; Viewer does not.

Role guide

Use this section when deciding which role to assign to a teammate, auditor, board member, or vendor contact.

Owner

Accountable executive or primary account owner.

RBAC

Allowed

Everything: users, settings, controls, evidence, reports, submissions, billing, audit logs.

Not allowed

No product-level restriction.

Administrator

Operational platform admin.

RBAC

Allowed

Everything the Owner can do, including user and settings administration.

Not allowed

No product-level restriction.

Compliance Officer

Compliance lead, DPO, regulatory owner.

RBAC

Allowed

Manage compliance work, approve records, submit/export reports, and view/export audit logs.

Not allowed

Cannot broadly delete controls or vendors.

Risk Manager

ICT risk and vendor-risk owner.

RBAC

Allowed

Manage vendors, risk assessments, incidents, evidence, attestations, and risk exports.

Not allowed

Cannot view/export raw audit logs or delete operational records.

Control Owner

Control or process owner.

RBAC

Allowed

Update assigned controls, add evidence, create attestations, and raise incidents.

Not allowed

Cannot approve, assign, delete, or view raw audit logs.

Member

General contributor.

RBAC

Allowed

Create incidents, upload evidence, update incidents, and read standard records.

Not allowed

Cannot approve, assign, delete, manage users, or view raw audit logs.

Viewer

Board or read-only stakeholder.

RBAC

Allowed

Read dashboards and standard records, and export reports.

Not allowed

Cannot edit records or view/export raw audit logs.

Auditor

Internal or external audit reviewer.

RBAC

Allowed

Read audit-relevant records and view/export audit logs and reports.

Not allowed

Cannot create, edit, approve, assign, or delete tenant records.

External Vendor

Third-party provider uploading requested evidence.

RBAC

Allowed

Access only vendor/evidence workspace functions.

Not allowed

Cannot access controls, policies, incidents, reports, settings, or audit logs.
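The role guide and the rules above, expressed as the kind of server-side check each route would run; this is an added illustration, not OneComply's own code, and the permission names (records:read, audit_logs:view, and so on) are assumed for the example since the page does not list internal identifiers.

```python
from dataclasses import dataclass

# Grants follow the role guide above. Permission identifiers are assumed for this
# example; OneComply's real names are in the internal matrix, not on this page.
ROLE_PERMISSIONS = {
    "Owner": {"records:read", "records:edit", "records:approve", "records:delete",
              "evidence:upload", "incidents:create", "reports:view", "reports:export",
              "reports:submit", "audit_logs:view", "users:manage", "settings:manage"},
    "Compliance Officer": {"records:read", "records:edit", "records:approve",
                           "evidence:upload", "incidents:create", "reports:view",
                           "reports:export", "reports:submit", "audit_logs:view"},
    "Risk Manager": {"records:read", "records:edit", "evidence:upload",
                     "incidents:create", "reports:view", "reports:export"},
    "Control Owner": {"records:read", "records:edit", "evidence:upload", "incidents:create"},
    "Member": {"records:read", "evidence:upload", "incidents:create"},
    "Viewer": {"records:read", "reports:view", "reports:export"},
    "Auditor": {"records:read", "reports:view", "reports:export", "audit_logs:view"},
    "External Vendor": {"evidence:upload"},
}
# Administrator: everything the Owner can do, per the role guide.
ROLE_PERMISSIONS["Administrator"] = set(ROLE_PERMISSIONS["Owner"])


@dataclass(frozen=True)
class User:
    user_id: str
    org_id: str
    role: str


def authorize(user: User, org_id: str, permission: str) -> bool:
    """Server-side decision every route makes before returning data.
    Tenant scope is checked first: no role, not even Owner, crosses organisations.
    Unknown roles get an empty grant set, so the default is deny."""
    if user.org_id != org_id:
        return False
    return permission in ROLE_PERMISSIONS.get(user.role, frozenset())


def roles_with(permission: str) -> set:
    """Which roles hold a permission; useful for reviewing the matrix itself."""
    return {role for role, perms in ROLE_PERMISSIONS.items() if permission in perms}


# Constructed sample audit store keyed by organisation, to show a gated route.
AUDIT_STORE = {"acme": ["2026-05-01 user.create", "2026-05-02 report.submit"]}


def get_audit_logs(user: User, org_id: str) -> list:
    """Route handler: the UI may hide the button, but this check is authoritative."""
    if not authorize(user, org_id, "audit_logs:view"):
        raise PermissionError(f"{user.role} may not view audit logs for {org_id}")
    return AUDIT_STORE.get(org_id, [])
```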

Need the exact matrix?

Technical RBAC reference

This public page is intentionally concise. The full action-by-entity matrix is internal-only and available to platform admins from Admin > Internal docs for security reviews, procurement questionnaires, and implementation checks.