Full access. Manages users, roles, teams, app settings, taxonomies, integrations, metadata, workflows, notifications, retention & backups. Can impersonate for troubleshooting (audit-logged) and configure SSO.

Create/edit policies, standards, control frameworks, mappings to regulations. Own audits, assessments, findings, and attestation workflows. Approve/reject bulletins and publish to audience.

Create/edit risks, risk assessments, treatments, KRIs, risk acceptance. Link risks to controls and issues. Provide control effectiveness input and evidence.

Respond to tasks, evidence requests, attestations. View assigned controls, issues, projects. Create issues/incidents and upload evidence; limited edit rights to their scope.