Roles & Permissions

ConcertoGRC uses role-based access control. Each user is assigned a single role that determines what they can see and do within the platform.

Tenant Roles

These roles apply to users within an organization:

Role	Description
Tenant Admin	Full organizational control — manage all settings, users, data, and configurations
Tenant User	Standard read/write access to compliance data — create and edit records, upload evidence, view reports
Tenant Auditor	Read-only access for audit and review purposes — view and export data, cannot create or edit
Tenant Executive	Dashboard-focused access for leadership visibility — view dashboards and high-level reports

Permission Matrix

Action	Admin	User	Auditor	Executive
View dashboards	✓	✓	✓	✓
Read all data	✓	✓	✓	—
Create/edit records	✓	✓	—	—
Delete records	✓	—	—	—
Generate reports	✓	—	—	—
Export data	✓	✓	✓	—
Manage users	✓	—	—	—
Configure settings	✓	—	—	—
Manage integrations	✓	—	—	—

Platform Roles

These roles are for Concerto team members who operate the platform:

Role	Description
Concerto Super Admin	Full platform access — manage all tenants, platform configuration, master frameworks
Concerto Team	Platform operations — access tenant data, run migrations, manage integrations

Platform roles can switch between tenant organizations using the organization switcher in the sidebar.

Module-Specific Roles

Some modules have additional role concepts beyond the standard tenant roles:

Module	Additional Roles
Customer Commitments	Compliance Reviewer (triage), Legal Approver (approval workflow)
Assessments	Audit firm users have separate roles — Firm Admin and Firm User
Tabletop Exercises	Participants with Facilitator, Observer, or Player roles

Assigning Roles

Tenant administrators manage user roles from Administration → Users. Select a user and update their role in the detail panel. Role changes take effect immediately.