Table of Contents
Summary
This article provides ready-to-use permission combinations for common user roles in Whistic. Whether you're setting up your security team, sales team, or business users, you'll find the right permission set here.
Need more details about what each privilege does? See the complete User Privileges Reference Guide for detailed explanations of every permission.
🔐 Assess (VRM) Roles
These are common roles for teams using Whistic to assess and manage vendor risk.
Admin
Who needs this: Your Whistic administrator
Permissions:
- Admin
What they can do:
- Everything in the platform
- Manage all settings and users
- Access all vendor and assessment data
SSO Attribute Value: WhisticAdmin
Senior Security Analyst/Manager
Who needs this: Team members who manage the complete vendor assessment process (most common role)
Permissions:
- Add Vendor
- Edit Vendor
- Review Vendor Assessment
- View Vendor Assessment
- View Vendor
- View Documents
- Knowledge Base/AI
What they can do:
- Add new vendors through the intake form
- Update vendor details and assessment status
- Conduct vendor assessments and issue results
- View all vendor information and documents
- Use AI features like Vendor Smart Search, Vendor Summaries, and SOC 2 Summaries
SSO Attribute Values:
WhisticAddVendorsWhisticEditVendorsWhisticReviewVendorAssessmentWhisticViewVendorAssessmentWhisticReadVendorCatalogWhisticViewDocumentsWhisticKnowledgeBaseAndAI
Security Analyst
Who needs this: Team members who conduct vendor assessments
Permissions:
- Request Questionnaires
- Review Vendor Assessment
- View Vendor Assessment
- View Vendor
- Knowledge Base/AI
What they can do:
- Request questionnaires from vendors
- Conduct vendor assessments and issue results
- View vendor details and assessment information
- Use AI features like Vendor Smart Search, Vendor Summaries, and SOC 2 Summaries
SSO Attribute Values:
WhisticRequestQuestionnairesWhisticReviewVendorAssessmentWhisticViewVendorAssessmentWhisticReadVendorCatalogWhisticKnowledgeBaseAndAI
Business Sponsor
Who needs this: Business users who need to submit vendor requests and check status
Permissions:
- Add Vendor
- View Vendor
- Knowledge Base/AI
What they can do:
- Submit new vendor requests through the intake form
- View the vendor catalog to check status
- Use AI search features like Vendor Smart Search
SSO Attribute Values:
WhisticAddVendorsWhisticReadVendorCatalogWhisticKnowledgeBaseAndAI
Compliance Reviewer
Who needs this: Compliance team members who need to verify assessments without conducting them
Permissions:
- View Vendor Assessment
- View Vendor
- View Documents
What they can do:
- View completed vendor assessments and results
- Access vendor documents and questionnaire responses
- View reviewers comments and notes
SSO Attribute Values:
WhisticViewVendorAssessmentWhisticReadVendorCatalogWhisticViewDocuments
🏛️ Trust Center Roles
These are common roles for teams using Whistic to share their security posture with customers.
Admin
Who needs this: Your Whistic administrator
Permissions:
- Admin
What they can do:
- Everything in the platform
- Manage all settings and users
- View all Trust Centers shared with your company
- See all questionnaires sent to your company
SSO Attribute Value: WhisticAdmin
Trust Center Owner
Who needs this: Security team members who manage and maintain your Trust Center
Permissions:
- Answer Self-Assessment / Edit Trust Center
- Send Self-Assessment / Trust Center
- Read Self-Assessment / Trust Center
- Override Non-Disclosure Agreement
- Knowledge Base / AI
What they can do:
- Create, edit, and manage your Trust Center
- Complete customer questionnaires
- Share your Trust Center with customers
- Bypass NDA requirements when needed
- Use Smart Response to answer questionnaires with AI assistance
SSO Attribute Values:
WhisticAnswerSelfAssessmentWhisticSendSelfAssessmentWhisticReadSelfAssessmentWhisticOverrideNDAWhisticKnowledgeBaseAndAI
Trust Center Editor
Who needs this: Security team members who complete questionnaires but don't share them
Permissions:
- Answer Self-Assessment / Edit Trust Center
- Read Self-Assessment / Trust Center
- Knowledge Base / AI
What they can do:
- Edit your Trust Center content
- Complete customer questionnaires
- Use Smart Response to answer questionnaires with AI assistance
What they cannot do:
- Share your Trust Center with customers (requires Send Self-Assessment / Trust Center)
SSO Attribute Values:
WhisticAnswerSelfAssessmentWhisticReadSelfAssessmentWhisticKnowledgeBaseAndAI
Sales Team
Who needs this: Sales representatives who share your Trust Center with prospects
Permissions:
- Read Self-Assessment / Trust Center
- Send Self-Assessment / Trust Center
- Knowledge Base / AI
What they can do:
- View your Trust Center content
- Share your Trust Center with customers
- Use AI features for quick answers to customer questions
What they cannot do:
- Edit Trust Center content or complete questionnaires
SSO Attribute Values:
WhisticReadSelfAssessmentWhisticSendSelfAssessmentWhisticKnowledgeBaseAndAI
Sales Team with Document Access
Who needs this: Sales representatives who need to view compliance documents when working with customers
Permissions:
- Read Self-Assessment / Trust Center
- Send Self-Assessment / Trust Center
- View Documents
- Knowledge Base / AI
What they can do:
- View your Trust Center content and documents
- Share your Trust Center with customers
- Download and reference compliance documents
- Use AI features for quick answers to customer questions
SSO Attribute Values:
WhisticReadSelfAssessmentWhisticSendSelfAssessmentWhisticViewDocumentsWhisticKnowledgeBaseAndAI
⚙️ How to Assign Permissions
Option 1: Assign Permissions Manually in Whistic
- Go to Settings > User Management
- Find the user or click Add User
- Select the permissions from the list that match their role
- Save changes
Option 2: Automate with SSO
Set up automatic permission assignment through your Identity Provider:
Use the SSO Attribute Values listed under each role above to map permissions in your IDP.
❓ FAQ
I don't see the exact role I need. What should I do?
These are the most common permission combinations, but you can create custom combinations to fit your needs. Review the complete User Privileges Reference Guide to understand what each permission does, then combine them to create the exact role you need.
Can one person have multiple roles?
Not exactly. Each user has one set of permissions, but you can combine permissions from different roles. For example, if someone needs to both conduct assessments (Security Analyst) and add vendors (Business Sponsor), you can give them all the permissions from both roles combined.
What's the difference between "Trust Center Owner" and "Trust Center Editor"?
Trust Center Owners can both edit and share your Trust Center with customers. Trust Center Editors can only edit content and complete questionnaires - they cannot share with customers. Use Editor permissions when you want someone to maintain content but not have customer-facing responsibilities.
Do I need to give everyone Knowledge Base/AI permissions?
No, only give this to users who will actively use AI features like Smart Response, Vendor Smart Search, or AI Summaries. This helps you manage your AI usage and license allocation.
My Sales team uses the Salesforce Integration. Do they still need Whistic permissions?
If they only share Trust Centers through Salesforce, they don't need Whistic permissions. However, if you want them to access Knowledge Base features or answer customer questions using AI, you should give them the Sales Team permissions listed above.
What if I want to give someone view-only access to everything?
Combine these permissions: View Vendor Assessment, View Vendor, View Documents, and Read Self-Assessment / Trust Center. This gives comprehensive read-only access across the platform.
How do I know which SSO Attribute Value to use?
Each permission has its own SSO Attribute Value. When setting up a role in your IDP, you'll need to include all the SSO Attribute Values for that role's permissions. For example, the Senior Security Analyst/Manager role needs 7 different attribute values.
Can I change someone's permissions after they're already set up?
Yes! You can modify user permissions at any time in Settings > User Management. Changes take effect immediately. If you're using SSO, update the permissions in your IDP and the changes will sync when the user next logs in.
What happens if I give someone conflicting permissions?
Some permissions cannot be used together. For example, "Answer Self-Assessment / Edit Trust Center" and "Read Self-Assessment / Trust Center" conflict because one allows editing and one is read-only. Whistic will grey out the other option when selecting the roles so that should be a helpful hint they cannot be combined