Roles & Permissions

Governy uses role-based access built around separation of duties. What each person can see and do is decided by the role they hold — and roles are assigned per workspace, so the same person can have different responsibilities in different places.

Key principles

  1. Roles are per workspace — someone can be an Analyst in one workspace and a Reader in another.
  2. Admin is global — administrators have full access across the whole platform.
  3. No spillover between workspaces — access is always checked against the workspace you’re working in.
  4. A clean interface — people only see the actions they’re allowed to take; everything else is simply hidden.

The roles

Admin

Global, unrestricted access. The only role that can create or remove workspaces, manage all users, add frameworks and open Settings.

Domain Manager

Full management within their assigned workspace — but can’t create new workspaces, manage users platform-wide or change a workspace’s structure. Ideal for compliance team leads and workspace owners.

Analyst

Can view everything and write assessments, measures and evidence, but can’t approve — keeping the people who write assessments separate from those who validate them. Ideal for compliance analysts, consultants and internal auditors.

Approver

Reads all content and approves or rejects assessments, but doesn’t write them. Ideal for management sign-off, external reviewers and second-line risk functions.

Auditee

For the people being audited. They can view assessments and provide evidence, but can’t change results or approve. Ideal for IT managers, process owners and department heads who supply proof.

Reader

Read-only access to everything in scope. Ideal for executives, board members and external stakeholders.

What each role can do

Capability | Admin | Domain Manager | Analyst | Approver | Auditee | Reader
View content
Edit assessments
Provide evidence
Approve / reject
Manage the team: ✓ (own)
Manage workspaces & users

People with more than one role

When someone holds different roles in different workspaces, Governy always applies the role for the workspace they’re currently in — never a mix. For example, an Analyst in one workspace who is an Approver in another can edit assessments in the first and approve them in the second, and the interface reflects that in each place.

Locked audits

Locking an audit is separate from roles: when an audit is locked, assessment editing is paused for everyone, a banner explains why, approvers can still approve or reject, and auditees can still provide evidence.
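
The rules above (workspace-scoped roles, global Admin, the locked-audit pause) expressed as a server-side authorization check. This is an added example, not Governy's code; the capability names, the `User` class and the workspace ids are assumptions, and Domain Manager is limited to viewing and team management because the page does not spell out its other rights.

```python
from dataclasses import dataclass, field

# Capability sets taken from the role descriptions on this page.
# Assumption: Domain Manager gets only view + team management here,
# because the page does not state its edit/approve rights.
ROLE_CAPS = {
    "domain_manager": {"view", "manage_team"},
    "analyst": {"view", "edit_assessment", "provide_evidence"},
    "approver": {"view", "approve"},
    "auditee": {"view", "provide_evidence"},
    "reader": {"view"},
}
ALL_CAPS = {"view", "edit_assessment", "provide_evidence", "approve",
            "manage_team", "manage_workspaces"}
# A locked audit pauses assessment editing for everyone, Admin included.
PAUSED_WHEN_LOCKED = {"edit_assessment"}


@dataclass
class User:
    name: str
    is_admin: bool = False                     # Admin is global, not per workspace
    roles: dict = field(default_factory=dict)  # workspace id -> role name


def allowed_actions(user, workspace, audit_locked=False):
    """Capabilities in this workspace only; roles elsewhere are never merged in."""
    if user.is_admin:
        caps = set(ALL_CAPS)
    else:
        role = user.roles.get(workspace)       # no role here means no access
        caps = set(ROLE_CAPS.get(role, ()))
    if audit_locked:
        caps -= PAUSED_WHEN_LOCKED             # approve / provide_evidence stay
    return caps


def authorize(user, workspace, action, audit_locked=False):
    """Deny by default: unknown roles, workspaces and actions all return False."""
    return action in allowed_actions(user, workspace, audit_locked)


# Constructed sample: one person holding different roles in two workspaces.
dana = User("dana", roles={"ws-finance": "analyst", "ws-it": "approver"})
print(sorted(allowed_actions(dana, "ws-finance")))
print(sorted(allowed_actions(dana, "ws-it", audit_locked=True)))
```

The same `allowed_actions` result can drive both the request check and the list of actions the interface shows, so the two cannot drift apart.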

Helpful guidance instead of error pages

Rather than blunt “access denied” pages, Governy guides people: someone with no workspace sees a friendly prompt to contact their administrator, actions they can’t take simply don’t appear, and restricted areas redirect to the Dashboard.