Understanding User Roles & Permissions

Defining User Access, Permissions, and AI Capabilities in Trustero

Overview

Trustero provides different user roles to ensure the right level of access based on responsibilities. This guide outlines what each role can see, modify, and access within the platform.

User Roles & Permissions

Read-Only Users

  • Purpose: For users who need visibility but should not make changes.
  • Permissions:
    • Can view all governance, risk and compliance (GRC)-related information.
    • Cannot make edits, create new records, or trigger AI-driven actions.
    • Ideal for stakeholders who require insight but do not participate in daily compliance tasks.

Auditor Users

  • Purpose: Designed for third-party auditors invited to conduct an audit.
  • Permissions:
    • Can create and edit document requests.
    • Can change control status.
    • Everything else remains read-only.
  • Optional AI Access: Trustero Admins can choose to enable AI Q&A access for auditors. When this option is turned on:
    • Auditors can use the AI Q&A feature to ask follow-up questions.
    • They can review control-related information in real time.
    • They can clarify gaps without relying on email or internal outreach.
  • Restrictions: Auditors by default do not have access to:
    • The Compliance Roadmap.
    • Anything in the Analyze menu (Audit scans, Questionnaires, SOC 2 report scans).
    • Audit scan control check results (including control pages, reports, and CSV downloads).
    • Any audits except the specific one they are invited to.

Standard Users

  • Purpose: GRC practitioners responsible for implementing and maintaining controls.
  • Permissions:
    • Can create, edit, and manage compliance data.
    • Can run AI-powered compliance checks.
    • Can update policies, controls, and evidence.
  • Restrictions: Cannot modify system settings or manage user accounts.

Trustero Admin Users

  • Purpose: Users with full administrative control over the Trustero platform.
  • Permissions:
    • Bulk update or replace controls across the account.
    • Manage company settings:
      • Edit the continuous compliance date limit.
      • Enable/disable image timestamp validation.
      • Configure control assurance examination & testing schedules.
    • Monitor AI Usage:
      • Access AI Consumption metrics under Settings > AI Usage.
    • Manage users:
      • Invite new users.
      • Modify user roles.
      • Remove users from the account.
    • Receive notifications:
      • Scheduled audit scan alerts.
      • Invalid receptor credential warnings.

Assigning & Managing User Roles

Adding a New User

  1. Navigate to Settings > Users from the left navigation menu.
  2. Select the Invite New User button, located at the top right, to open the Invite a New User option.
    • Choose the appropriate role.
    • Enter the user’s email address and click the Submit button to send the new user an email invitation.

Modifying Existing Users

  1. Navigate to Settings > Users.
  2. Locate the user and select a new User Role from the dropdown menu.

AI-Powered Features & User Access

Who Can Use AI?

By default, all user roles except auditors can use AI-powered features in Trustero. This includes:

  • Running Examine & Test to check policy alignment and control effectiveness.
  • Using GRC AI Q&A to respond to security questionnaires and retrieve compliance answers.

However, Trustero Admins can now enable GRC AI Q&A for auditor users. When enabled, auditors can ask follow-up questions, access control-relevant information, and verify answers directly using the AI interface. This reduces back-and-forth and helps streamline the audit process.

Admin users can view a full audit trail of AI usage to maintain transparency and oversight across all activity.

Conclusion

Understanding and assigning the right roles ensures efficient GRC management while maintaining security and control over access. Trustero’s role-based permissions help organizations balance collaboration with oversight, ensuring seamless compliance and risk management.