Roles & Permissions: What Each Role Can Do
PolicySuite uses role-based access control (RBAC) so that each user sees only the features and data their responsibilities require. Choosing the right role for each team member is one of the most important setup decisions you will make: it determines what they can create, view, approve, and distribute. Assign the least-privileged role that covers a person's duties, and review assignments whenever responsibilities change.
Role overview
| Role | Description | Key permissions |
|---|---|---|
| org_owner | Account owner, full access | Everything — billing, user management, all policies |
| org_admin | Organisation administrator | All policy operations, user management (cannot change billing) |
| compliance_admin | Compliance team lead | Create/edit/publish policies, manage distributions, view audit trail |
| policy_author | Policy writer | Create and edit policies (cannot publish without reviewer approval) |
| reviewer | Policy approver | Review and approve/reject policy drafts submitted for review |
| auditor | External or internal auditor | Read-only access to policies, acknowledgement records, audit logs; cannot edit anything |
| employee | End user | View and acknowledge policies assigned to them via distribution |
Assigning roles
You can assign or change a user's role at any time from the Team settings page:
- Go to Settings > Team
- Find the user in the list (use the search bar for large teams)
- Click the user's name to open their profile
- Click Change Role and select the new role from the dropdown
- The change is saved immediately and applied to the user's session on their next page load, so a user who is logged in at the time keeps their old permissions until they navigate to another page
When inviting new team members via Settings > Team > Invite Member, you select their role before sending the invitation. They'll be assigned that role as soon as they accept and create their account.
Role limits and uniqueness
There is no cap on how many users can hold most roles: you can have as many policy_authors, reviewers, or employees as your subscription allows. The one exception is org_owner: exactly one user per organisation holds this role at any time, so it is moved with the Transfer Ownership action rather than assigned to a second user.
To transfer org_owner to a different user:
- Go to Settings > Team
- Click the target user
- Select Transfer Ownership
- Confirm the transfer. The target user becomes org_owner and you are downgraded to org_admin automatically, so the organisation never has two owners
Permission inheritance
Roles are ordered by permission scope, but inheritance applies only to the three administrative roles, each of which holds every permission of the role below it. The remaining roles are separate capability sets and do not nest:
- org_owner inherits all org_admin permissions and adds billing
- org_admin inherits all compliance_admin permissions and adds user management
- compliance_admin can create, edit, publish, and distribute policies and view the audit trail
- policy_author can create and edit drafts but not publish without reviewer approval
- reviewer can approve or reject submitted drafts but not create their own
- auditor has read-only access to policies, acknowledgement records, and audit logs, and changes nothing
- employee accesses only the policies assigned to them via the employee portal
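The hierarchy above and the single-org_owner rule from the previous section, as an added illustrative model in Python. This is not PolicySuite's own code: the permission strings, the INHERITS chain, and the Organisation class are assumptions made for the example; only the role names and what each role may do come from the role table on this page.

```python
"""Illustrative model of the PolicySuite role hierarchy described on this page.

Added example, not PolicySuite's own code. Permission strings, the INHERITS
chain and the Organisation class are assumptions made for the example; the
role names and what each role may do are taken from the role table.
"""
from __future__ import annotations

# Capabilities owned directly by each role (assumed permission names).
BASE_PERMISSIONS: dict[str, frozenset[str]] = {
    "employee": frozenset({"policy:view_assigned", "policy:acknowledge"}),
    "auditor": frozenset({"policy:read_all", "acknowledgement:read",
                          "distribution:read", "audit_log:read"}),
    "reviewer": frozenset({"draft:review", "draft:approve", "draft:reject"}),
    "policy_author": frozenset({"policy:create", "policy:edit"}),
    "compliance_admin": frozenset({"policy:create", "policy:edit", "policy:publish",
                                   "distribution:manage", "audit_log:read"}),
    "org_admin": frozenset({"user:manage"}),
    "org_owner": frozenset({"billing:manage"}),
}
ROLES = frozenset(BASE_PERMISSIONS)

# Inheritance only runs along the administrative chain. The lower roles are
# disjoint capability sets, not rungs of one ladder: a reviewer does not get a
# policy_author's create/edit rights, and an auditor gets no write rights at all.
INHERITS: dict[str, str] = {
    "org_owner": "org_admin",
    "org_admin": "compliance_admin",
}


def effective_permissions(role: str) -> frozenset[str]:
    """Resolve a role's own permissions plus everything inherited down the chain."""
    if role not in ROLES:
        raise ValueError(f"unknown role: {role!r}")
    perms: set[str] = set()
    seen: set[str] = set()
    current: str | None = role
    while current is not None:
        if current in seen:  # defensive: a misconfigured INHERITS must not loop forever
            raise ValueError(f"inheritance cycle at {current!r}")
        seen.add(current)
        perms |= BASE_PERMISSIONS[current]
        current = INHERITS.get(current)
    return frozenset(perms)


def can(role: str, permission: str) -> bool:
    """Authorisation check: does this role hold the permission, directly or inherited?"""
    return permission in effective_permissions(role)


class Organisation:
    """Membership roster that enforces the single-org_owner rule from this page."""

    def __init__(self, members: dict[str, str]) -> None:
        for user, role in members.items():
            if role not in ROLES:
                raise ValueError(f"unknown role {role!r} for {user!r}")
        self.members = dict(members)
        self._assert_single_owner()

    def _assert_single_owner(self) -> None:
        owners = [u for u, r in self.members.items() if r == "org_owner"]
        if len(owners) != 1:
            raise ValueError(f"exactly one org_owner required, found {len(owners)}")

    def owner(self) -> str:
        return next(u for u, r in self.members.items() if r == "org_owner")

    def change_role(self, actor: str, user: str, new_role: str) -> None:
        """Settings > Team > Change Role. Needs user:manage; never touches ownership."""
        if not can(self.members[actor], "user:manage"):
            raise PermissionError(f"{actor!r} ({self.members[actor]}) cannot manage users")
        if new_role not in ROLES:
            raise ValueError(f"unknown role: {new_role!r}")
        if new_role == "org_owner" or self.members[user] == "org_owner":
            raise ValueError("org_owner is only moved with transfer_ownership")
        self.members[user] = new_role

    def transfer_ownership(self, actor: str, target: str) -> None:
        """Transfer Ownership: target becomes org_owner, the old owner drops to org_admin."""
        if self.members.get(actor) != "org_owner":
            raise PermissionError("only the current org_owner can transfer ownership")
        if target == actor or target not in self.members:
            raise ValueError(f"invalid transfer target: {target!r}")
        self.members[target] = "org_owner"
        self.members[actor] = "org_admin"
        self._assert_single_owner()


if __name__ == "__main__":
    # Constructed sample roster for the demonstration.
    org = Organisation({"alice": "org_owner", "bob": "org_admin",
                        "carol": "policy_author", "dan": "auditor"})
    print(sorted(effective_permissions("org_owner")))
    print("policy_author can publish?", can("policy_author", "policy:publish"))
    org.transfer_ownership("alice", "bob")
    print("owner:", org.owner(), "| alice is now", org.members["alice"])
```

The point of keeping INHERITS separate from BASE_PERMISSIONS is that the two questions the page answers ("what can this role do?" and "which roles are supersets of which?") stay distinct: adding a capability to compliance_admin flows up to both admin roles automatically, while granting a reviewer a new right never leaks to policy_author or auditor.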
The auditor role in practice
The auditor role is intended for external auditors conducting ISO 27001, SOC 2, or similar assessments. You can invite an auditor under a temporary account for the length of the engagement, and they'll have read access to:
- All published policies and their version history
- Acknowledgement records and completion rates
- Distribution logs showing when policies were sent and to whom
- The immutable audit trail of all system activity
Auditors cannot modify, delete, or export data. Because the role still grants read access to every policy, acknowledgement record, and audit log in the organisation, remove the auditor's account from Settings > Team as soon as the engagement ends rather than leaving it dormant.
Still need help?
Email our support team at support@policy-suite.com — we typically respond within 24 hours.