Role Management Guide

Last updated on Apr 03, 2026

Roles let account administrators control what non-admin users can see and do inside Humadroid. Every role is a named set of permissions that can be assigned to one or more users.


Key Concepts

Permission Actions

Each permission grants one or more actions on a resource type:

  • Read -- View and access resources

  • Create -- Create new resources

  • Update -- Modify existing resources

  • Delete -- Remove resources

  • Manage -- Full control (includes all actions above, plus any special actions)

Global vs. Project-Scoped Roles

  • Global roles apply account-wide. A user with a global "Compliance Manager" role can access all compliance projects they have permissions for.

  • Project-scoped roles are tied to a single compliance project. Permissions only apply within that project. Use these when a user should manage one project but not others.

Resource Types

Permissions are organized by resource type. The available types are:

  • Compliance Projects -- Creating, viewing, and managing compliance projects

  • Compliance Controls -- Viewing and managing controls within projects

  • Compliance Evidence -- Uploading, reviewing, and managing evidence

  • Compliance Documents -- Policies, procedures, and other compliance documents

  • Compliance Risks -- Risk register entries

  • Compliance Risk Snapshots -- Point-in-time risk snapshots

  • Compliance Assessments -- Audit and assessment records

  • ISMS Workbook -- ISO 27001 ISMS workbook, requirements, reviews, and objectives

  • Assets -- Physical asset tracking

  • Infrastructure Assets -- Infrastructure asset inventory

  • Business Continuity Processes -- BCP process management

  • Business Continuity Exercises -- BCP exercise management

  • Vendor Assessment -- Third-party vendor assessments


Built-In Role Templates

When a new account is created, Humadroid automatically creates two default roles:

Control Owner

Designed for users responsible for specific controls.

  • Compliance Controls -- Read, Update

Control Owners can view and update controls assigned to them. Evidence access is automatically inherited from control permissions -- if a user can update a control, they can also manage the evidence linked to that control.

Compliance Manager

Designed for users who oversee the compliance program.

  • Compliance Projects -- Read, Create, Update, Delete

  • Compliance Documents -- Read, Create, Update, Delete

Compliance Managers can fully manage projects and their associated documents. When this role is project-scoped, access is limited to the specific project.

Note for accounts created before April 3, 2026: The Compliance Manager role may be missing the "Compliance Documents" permission. An administrator can add it manually by editing the role and enabling Read, Create, Update, and Delete for "Compliance Documents".


Permission Inheritance

Some permissions are automatically inherited, so you don't need to grant them explicitly:

  • Control access grants Evidence access. If a user can read or update a control, they automatically get corresponding access to evidence linked to that control.

  • Control access grants Project read. If a user has permission on any control in a project, they can read the project itself.

  • Parent control access flows to subcontrols. Permissions on a parent control extend to its subcontrols.

  • Project access grants Document access. If a user has project-level permissions and document permissions on their role, they can access documents belonging to that project.

This means in many cases you only need to grant permissions at the project or control level, and related resources become accessible automatically.


Creating a Role

  1. Go to Settings > Roles & Permissions.

  2. Click Create Role.

  3. Enter a descriptive Role Name (e.g., "SOC 2 Auditor", "Security Lead").

  4. Optionally select a Project Scope to limit the role to a single project. Leave as "Global" for account-wide access.

  5. Under Permissions, check the actions you want to grant for each resource type.

  6. Under Assign Users, select one or more users.

  7. Click Create Role.


Editing a Role

  1. Go to Settings > Roles & Permissions.

  2. Click the role card you want to modify.

  3. Click Edit.

  4. Adjust permissions or user assignments as needed.

  5. Click Update Role.

Changes take effect immediately for all users assigned to the role.


Common Role Configurations

Auditor (Read-Only)

For external auditors or assessors who need to review but not modify:

  • Compliance Projects -- Read

  • Compliance Controls -- Read

  • Compliance Evidence -- Read

  • Compliance Documents -- Read

  • Compliance Risks -- Read

Project Lead

For a user who fully manages a single project (create as project-scoped):

  • Compliance Projects -- Read, Update

  • Compliance Controls -- Read, Create, Update, Delete

  • Compliance Evidence -- Read, Create, Update, Delete

  • Compliance Documents -- Read, Create, Update, Delete

  • Compliance Risks -- Read, Create, Update, Delete

Evidence Contributor

For users who submit evidence but don't manage controls:

  • Compliance Controls -- Read

  • Compliance Evidence -- Read, Create, Update


Important Notes

  • Admin users bypass all role checks. Admins always have full access to everything. Roles only affect non-admin users.

  • Project owners have implicit access. The user designated as a project's owner automatically gets manage-level access to that project's controls, evidence, and documents, regardless of their roles.

  • Roles are additive. If a user has multiple roles, they receive the union of all permissions. Permissions are never subtracted by adding a role.

  • Removing a role takes effect immediately. If you remove a user from a role, they lose those permissions on their next page load.
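The rules under Permission Inheritance and Important Notes interact, so a user's effective access is not always obvious from a single role card. The Python model below is an added example, not Humadroid code or its API; it computes one user's effective actions in one project from role union, project scope, Manage expansion, owner access, and control-to-evidence and control-to-project inheritance. Assumptions: permissions are modeled per resource type only, "corresponding" evidence access is read as the same action, the project names "soc2" and "iso27001" and the user "alice" are constructed, and subcontrol and project-to-document inheritance are not modeled.

```python
# Added model of the rules in this guide; not Humadroid's implementation.
from dataclasses import dataclass, field
from typing import Optional

CRUD = {"read", "create", "update", "delete"}
FULL = CRUD | {"manage"}          # Manage includes all other actions

@dataclass
class Role:
    name: str
    grants: dict                  # resource type -> set of actions
    project: Optional[str] = None # None means a Global role

@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)
    admin: bool = False

def effective(user, project, owner=None):
    """Actions per resource type that `user` holds inside `project`."""
    if user.admin:
        return {"*": set(FULL)}   # admins bypass all role checks
    perms = {}
    def grant(rtype, actions):
        perms.setdefault(rtype, set()).update(actions)
    for role in user.roles:       # roles are additive: take the union
        if role.project not in (None, project):
            continue              # scoped to a different project
        for rtype, actions in role.grants.items():
            grant(rtype, FULL if "manage" in actions else actions)
    if owner == user.name:        # project owner: implicit manage-level access
        for rtype in ("Compliance Controls", "Compliance Evidence",
                      "Compliance Documents"):
            grant(rtype, FULL)
    controls = perms.get("Compliance Controls", set())
    if controls:
        # Assumption: "corresponding" evidence access means the same action.
        grant("Compliance Evidence", controls & {"read", "update", "manage"})
        grant("Compliance Projects", {"read"})
    return perms

# Constructed sample: one global template role plus one project-scoped role.
CONTROL_OWNER = Role("Control Owner", {"Compliance Controls": {"read", "update"}})
PROJECT_LEAD = Role("Project Lead", {"Compliance Projects": {"read", "update"},
    "Compliance Controls": set(CRUD), "Compliance Evidence": set(CRUD),
    "Compliance Documents": set(CRUD), "Compliance Risks": set(CRUD),
}, project="soc2")
ALICE = User("alice", [CONTROL_OWNER, PROJECT_LEAD])
```

Comparing `effective(ALICE, "soc2")` with `effective(ALICE, "iso27001")` shows the scoped role adding nothing outside its project while the global Control Owner role still yields inherited evidence and project-read access there.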