Table of Contents
Summary
Whistic's user permissions system allows you to control exactly what each user can see and do in the platform. This article explains the different permission types available and helps you assign the right access level for each user on your team.
Key Concepts:
- Primary Privileges work on their own and determine a user's main role
- Secondary Privileges are add-ons that give extra capabilities or provide limited access
- You can combine privileges to create the exact permission set each user needs
🔐 Understanding Privilege Types
Primary Privileges
These are standalone permissions that define a user's main role in Whistic. Each user needs at least one Primary Privilege.
Available Primary Privileges:
- Admin - Full access to everything
- Request Questionnaires - Request assessments from vendors
- Send Self-Assessment / Trust Center - Share your Trust Center with customers
- Answer Self-Assessment / Edit Trust Center - Complete questionnaires and edit your Trust Center
- Read Self-Assessment / Trust Center - View Trust Center content (read-only)
- View Vendor Assessments - See vendor assessment details and results
- Knowledge Base / AI - Access AI features like Smart Response and Vendor Smart Search
Secondary Privileges
These enhance Primary Privileges or provide limited standalone access.
Add-on Privileges (enhance Primary Privileges):
- Access Score Builder - Customize question weighting in questionnaires
- Review Vendor Assessments - Conduct reviews and set assessment status
- Add Vendors - Add vendors through the intake form
- Run Reports - Create and export custom reports
- Override Non-Disclosure Agreement - Bypass NDA requirements when sharing
- View Documents - Access documents on Trust Centers
Limited Access Privileges (can work alone):
- Edit Vendors - Update vendor details and assessment status
- View Vendors - See the vendor catalog list only
📋 Complete Privilege List
Primary Privileges
Admin
What it does: Full access to view and edit all Whistic content
Use this for:
- Your company's Whistic administrator
- Anyone who needs complete platform access
What users can do:
- Access all Admin Settings (User Management, Program Automation, Custom Intake Form, etc.)
- Bulk import/export vendors
- Manage issues
- Access all menu pages
- View all Trust Centers shared with your company (Assess (VRM) customers)
- See all questionnaires sent to your company (Trust Center customers)
SSO Attribute Value: WhisticAdmin
Request Questionnaires (Assessment Requester)
What it does: Request assessments from vendors
Use this for:
- Security analysts who need to request assessments
- Usually combined with Review Vendor Assessment
- Request access to Trust Centers containing questionnaires (even if approval not required)
What users can do:
- View vendor details in Assess > Vendors
- Request, reassign, and cancel questionnaires
- Set up Program Automation
- Request access to Trust Centers
What users cannot do:
- Access the Document Repository
- Start or view completed questionnaires (unless combined with other privileges)
Menu pages available: Dashboard, Questionnaires, Vendors, Trust Center Exchange
SSO Attribute Value: WhisticRequestQuestionnaires
Send Self-Assessment / Trust Center (Assessment Sender)
What it does: Share your Trust Center and completed questionnaires
Use this for:
- Sales or Security teams who share your Trust Center
- Usually combined with other Trust Center privileges
- Enable separate privilege to bypass NDA (Override Non-Disclosure Agreement)
What users can do:
- Share your company's Trust Center (including requests requiring approval)
- Share completed questionnaires individually
- View the list of Trust Centers they have shared
What users cannot do:
- View or download questionnaire content (combine with Read Self-Assessment for this)
- See Trust Center share data sent by other users
Menu pages available: Dashboard, Questionnaires, Shares, Trust Center
SSO Attribute Value: WhisticSendSelfAssessment
Answer Self-Assessment / Edit Trust Center (Assessment Respondent)
What it does: Create and edit new Trust Centers, along with completing questionnaires. For requests, users will need Send Self-Assessment Trust Center in order to share the information back.
Use this for:
- Security team members who maintain your Trust Center
- Allow the Security Team to answer requested questionnaires, but not share them
- Usually combined with Send Self-Assessment / Trust Center if you wish for them to share the information back
What users can do:
- Edit, copy, and create new Trust Centers
- Upload documents to Document Repository
- Set NDA requirements
- Complete questionnaires (but not share them unless combined with Send privilege)
- Download documents
Menu pages available: Dashboard, Questionnaires, Trust Center
SSO Attribute Value: WhisticAnswerSelfAssessment
Read Self-Assessment / Trust Center (Read Only Self Assessment)
What it does: View Trust Center content (read-only access) and self-assessments (questionnaires).
Use this for:
- Users who need to view Trust Center content but not edit it
- Can be combined with View Documents for full visibility
What users can do:
- View your company's Trust Center contents
- View (but not edit) questionnaires
- Export questionnaires
- Preview your Trust Center
What users cannot do:
- Edit any content
- View or download documents (unless combined with View Documents privilege)
- Share your Trust Center
- Use with Answer Self-Assessment / Edit Trust Center (these conflict)
Menu pages available: Dashboard (no data), Questionnaires, Trust Center
SSO Attribute Value: WhisticReadSelfAssessment
View Vendor Assessments (Assessment Viewer)
What it does: View vendor assessment details, questionnaires, reviewer comments, and CrowdConfidence scores.
Use this for:
- Compliance teams who need to verify assessments
- Usually combined with Review Vendor Assessments
What users can do:
- View vendor Trust Center details
- View and download from vendor Document Repository
- View completed vendor questionnaires
- Access reviewer comments and notes
- View CrowdConfidence Scores
Menu pages available: Dashboard, Vendors
SSO Attribute Value: WhisticViewVendorAssessment
Knowledge Base / AI
What it does: Access AI features (Knowledge Base & Smart Response) without admin permissions
Use this for:
- Users who should access AI features but not admin settings
- Sales or security team members who need Smart Response
What users can do:
- Access the Knowledge Base
- Use Smart Response to answer questionnaires (also requires Answer Self-Assessment / Edit Trust Center)
- Use Vendor Smart Search
- Create Vendor Summaries and SOC 2 Summaries
Menu pages available: Knowledge Base
SSO Attribute Value: WhisticKnowledgeBaseAndAI
Secondary Privileges - Add-Ons
Access Score Builder (Assessment Adjuster)
What it does: Customize how questions are weighted in questionnaires
Use this for:
- Users who need to customize CrowdConfidence Score calculations
- Usually given with Answer Self-Assessment / Edit Trust Center
What users can do:
- Create and edit question weighting in questionnaires
- Build custom scoring criteria
Menu pages available: Dashboard (no data), Questionnaires
SSO Attribute Value: WhisticScoreBuilder
Review Vendor Assessments (Vendor Assessment Reviewer)
What it does: Conduct vendor reviews and set assessment status (e.g., Approved, Completed)
Use this for:
- Security analysts who conduct and complete vendor assessments
What users can do:
- Send clarification questions to vendors
- Set vendor assessment status (Approved, In Progress, etc.)
- Create Review Wrap Up reports
- Export Review Summary as PDF
- Create, edit, view, and comment on issues
- Add vendor notes
Menu pages available: Dashboard, Vendor Catalog, Issue Management
SSO Attribute Value: WhisticReviewVendorAssessment
Add Vendors
What it does: Add vendors through the Vendor Intake Form
Use this for:
- Business users who need to submit vendor requests
What users can do:
- Access and submit the Vendor Intake Form
SSO Attribute Value: WhisticAddVendors
Run Reports
What it does: Create and export custom reports
Use this for:
- Senior roles who need data access without making changes
- Consider data scope before enabling
What users can do:
- Access the complete reporting suite
- Build and export custom reports
What users cannot do:
- View questionnaire-level details (like vendor answers)
Menu pages available: Dashboard (no data), Reporting
SSO Attribute Value: WhisticRunReports
Override Non-Disclosure Agreement (Override NDA)
What it does: Bypass NDA requirements when sharing Trust Centers
Use this for:
- Users who need to share Trust Centers without NDA requirements
What users can do:
- Allow Trust Center recipients to bypass NDA
- View complete list of Trust Center shares (when combined with Send Self-Assessments)
SSO Attribute Value: WhisticOverrideNDA
View Documents
What it does: View and download documents from Trust Centers
Use this for:
- Users who need to access compliance documents
What users can do:
- View and download documents from Trust Centers
SSO Attribute Value: WhisticViewDocuments
Secondary Privileges - Limited Access
Edit Vendors
What it does: Update vendor details and assessment status
Use this for:
- Users who need to update vendor information manually
- Usually combined with View Vendor Assessments and Review Vendor Assessments
What users can do:
- Edit vendor details (including notes)
- Change assessment status without conducting a review
- Merge vendors
Menu pages available: Dashboard, Vendors
SSO Attribute Value: WhisticEditVendors
View Vendors
What it does: View the vendor catalog list only (limited access)
Use this for:
- Company-wide visibility into approved vendors
- Users outside security who need to check vendor status
What users can do:
- View vendor catalog columns (Admins control what columns display)
What users cannot do:
- Access vendor profile pages
- View documents
- See detailed vendor information
Menu pages available: Vendor list only (vendor profiles and details not accessible)
SSO Attribute Value: WhisticReadVendorCatalog
⚙️ Setting Up SSO Permissions
You can automatically assign user permissions through your Identity Provider (IDP) using the SSO Attribute Value listed under each privilege in this article.
Learn how to set up SSO with permissions:
❓ FAQ
What's the difference between Primary and Secondary Privileges?
Primary Privileges are standalone permissions that define a user's main role (like Request Questionnaires or Admin). Secondary Privileges either enhance Primary Privileges with additional capabilities (like Review Vendor Assessments) or provide limited standalone access (like View Vendors).
Can I combine multiple privileges for one user?
Yes! You can combine any Primary Privilege with multiple Secondary Privileges to create the exact permission set each user needs. For example, a Senior Security Analyst might have Request Questionnaires (Primary) plus Review Vendor Assessments, Add Vendors, and Knowledge Base/AI (Secondary).
What's the most common permission set for security analysts?
The most common setup includes: Add Vendor, Edit Vendor, Review Vendor Assessment, View Vendor Assessment, View Vendor, View Documents, and Knowledge Base/AI. This allows them to manage the complete vendor assessment workflow.
Do Sales team members need Whistic permissions to share our Trust Center?
It depends on how they share it. If your Sales team uses the Salesforce Integration to share Trust Centers, they don't need Whistic permissions. If they share directly from Whistic, they need at minimum the Send Self-Assessment / Trust Center privilege.
What's the difference between "Answer Self-Assessment" and "Read Self-Assessment"?
"Answer Self-Assessment / Edit Trust Center" lets users create and edit Trust Center content and complete questionnaires. "Read Self-Assessment / Trust Center" is view-only access - users can see Trust Center content but cannot make any changes. These two privileges cannot be used together.
Can someone add vendors without the "Add Vendors" privilege?
Yes. Anyone in your organization can submit vendor requests through the External Request Form link, which is found in Assess Settings > Program Automation. The "Add Vendors" privilege gives users direct access to the Vendor Intake Form within Whistic.
Why does "Review Vendor Assessments" require "View Vendor Assessments"?
Review Vendor Assessments is an add-on privilege that enhances View Vendor Assessments. Users need to be able to view assessments (View privilege) before they can conduct reviews and make decisions about them (Review privilege).
What permissions do I need to use Smart Response?
You need both "Knowledge Base / AI" and "Answer Self-Assessment / Edit Trust Center" privileges. Knowledge Base/AI gives you access to the AI features, while Answer Self-Assessment lets you complete questionnaires where Smart Response is used.
How do I see how many AI feature credits my team has used?
Admins can view AI feature usage in Resources under the Plan Overview option. This shows all AI features covered by your license and current usage for each feature.
What if I need a privilege combination that isn't listed in the common roles?
The common roles section shows typical setups, but you can create any combination of privileges that works for your team. Review the Complete Privilege List to understand what each permission does, then combine them to match your specific needs.