Whistic's user controls are highly configurable to allow for maximum information segmentation and containment. That said, these controls should be reviewed carefully in order to accomplish your specific goals. Also, certain roles are only available with specific company plans and features (for example, Read-Only Vendor Catalog). If you have any questions, please contact your Customer Success Manager.

Additionally, since Whistic allows users to both conduct assessments and proactively share their security posture, some controls serve both purposes.

The privileges are outlined below in two groups - Primary & Secondary. The Secondary is typically used to augment the Primary or as stand-alone for limited access. This guide will also provide some typical use cases, though it is not comprehensive.

Finally, in order to set up user provisioning through your IdP, you will also need the SSO Attribute Value, listed under each privilege below. By creating groups or roles in your IdP and using this Attribute Value, each user can be automatically provisioned for access to a certain permission.

Here is a snapshot of privileges for Vendor Risk Management.

Here is a snapshot of privileges for Security Profile.

Primary Privileges

Admin - All Privileges

Gives access to view and edit all Whistic content. This is also referred to as a Manager in the platform. However, unmanaged users do not have access to company data.

Use Cases:

  • A company’s Whistic Administrator

  • Will have access to view and edit all Whistic content

Features Enabled:

  • Everything in Admin Tools, including: User Management, Program Automation, Custom Intake Form, Secure Upload, Document Repository, Company Settings

Menu Pages Enabled:

  • All pages

SSO Attribute Value: WhisticAdmin

Request Questionnaires

Allows users to request questionnaires from vendors.

Use Cases:

  • Typically combined with the Review Vendor Assessment role to allow a Security Analyst to request and conduct assessments

Features Enabled:

  • View vendor details from the Vendor Catalog

  • Request, reassign, & cancel questionnaires

  • Set up Program Automation

  • No access to Document Repository

Menu Pages Enabled:

  • Dashboard

  • Questionnaires - no access to start or view completed questionnaires

  • Vendor Catalog

  • Trust Catalog

SSO Attribute Value: WhisticRequestQuestionnaires

Send Self-Assessment / Security Profile

Ability to share the Security Profile and completed questionnaires.

Use Cases:

  • Allow your Sales or Security Teams to share your Security Profile

  • Enable separate privilege to allow a recipient to bypass NDA (Override Non-Disclosure Agreement)

  • Enable separate privilege to allow users to view questionnaire level information (Read-Only Self-Assessment / Security Profile)

Features Enabled:

  • Share your company Security Profile

  • Share completed questionnaires individually

  • Not able to view/download questionnaires

  • User can view a list of Profiles they have shared, but not if shared by another user

Menu Pages Enabled:

  • Dashboard

  • Questionnaires

  • Customer Catalog

  • Security Profile

SSO Attribute Value: WhisticSendSelfAssessment

Answer Self-Assessment / Edit Security Profile

Allows access to edit, copy, and create new Profiles.

Use Cases:

  • Allow your Security Team to edit your Security Profile, but not share it

Features Enabled:

  • Allows access to edit, copy, and create new Profiles

  • Upload to the Document Repository

  • Place NDA requirements

  • Complete questionnaires

  • Download documents

Menu Pages Enabled:

  • Dashboard

  • Questionnaires

  • Security Profile

SSO Attribute Value: WhisticAnswerSelfAssessment

Read Self-Assessment / Security Profile

View the content of your Security Profile, Self-Assessments, and any supporting documentation.

Use Cases:

  • Allow internal teams to access specific documents

  • Cannot be used with Answer Self-Assessment / Edit Security Profile

Features Enabled:

  • View your company’s Security Profile contents

  • View (but not edit) your company’s Profile questionnaires

  • View (but not download) your company’s supporting documents

  • Export questionnaires

  • Preview Profile

  • Not able to share your Profile

Menu Pages Enabled:

  • Dashboard (no data available)

  • Questionnaires

  • Security Profile

SSO Attribute Value: WhisticReadSelfAssessment

View Vendor Assessments

Allows users to view basic details from Vendor Profile, completed questionnaires, reviewer comments, and the CrowdConfidence Score.

Use Cases:

  • Allow Compliance teams to verify assessments are conducted without allowing access to actually conduct the vendor assessment

  • Typically enabled along with Review Vendor Assessments

Features Enabled:

  • View basic details from Vendor Profile

  • View and download from Vendor Document Repository

  • View completed questionnaires from Assessment Activity

  • Access Reviewer comments

  • View CrowdConfidence Score

Menu Pages Enabled:

  • Dashboard

  • Vendor Catalog

SSO Attribute Value: WhisticViewVendorAssessment

Secondary Privileges

Access Score Builder

Allows a user to customize the level of importance each question has in a given questionnaire. This user has access to create and edit the weight each question has on the CrowdConfidence Score.

Use Cases: 

  • Typically given alongside Answer Self-Assessment / Edit Security Profile

Features Enabled:

  • Allows a user to build the scoring criteria on questionnaires

Menu Pages Enabled:

  • Dashboard - No information available

  • Questionnaires

SSO Attribute Value: WhisticScoreBuilder

Review Vendor Assessments

Permission to conduct a review of the vendor questionnaire and issue a Vendor Assessment Status.

Use Cases:

  • Conduct a review of the vendor questionnaire and issue assessment results (e.g., Approved, In Progress, etc.)

Features Enabled:

  • NOTE: Must be paired with View Vendor Assessments

  • A reviewer can send Clarification Questions to Vendor

  • Determine Vendor Assessment Status

  • Create ‘Review Wrap Up’ report

  • Export Review Summary as PDF

Menu Pages Enabled:

  • Dashboard

  • Vendor Catalog

SSO Attribute Value: WhisticReviewVendorAssessment

Add Vendors

Allows access to add a vendor via the Vendor Intake Form.

Use Cases:

  • Only allows access to the Vendor Intake Form

  • NOTE: Anyone can add a new vendor with or without this permission via the External Request Form link (found under Admin Tools > Program Automation)

Features Enabled:

  • Vendor Intake Form

Menu Pages Enabled:

  • N/A

SSO Attribute Value: WhisticAddVendors

Edit Vendors

Allows access to edit most vendor details, including the Assessment Status.

Use Cases:

  • Manually update/edit vendor details such as Criticality or Business Unit

  • Change Assessment Status without needing to conduct a questionnaire review

  • Typically enabled alongside View & Review Vendor Assessment privileges

Features Enabled:

  • Edit Vendor profile details

  • Merge Vendors

Menu Pages Enabled:

  • Dashboard

  • Vendor Catalog

SSO Attribute Value: WhisticEditVendors

Run Reports

Allows users to create and run customized reports. It is best practice to consider the scope of data this user would have access to prior to enabling this privilege.

Use Cases:

  • Typically reserved for senior roles due to scope of data accessible

  • Allows users to access data without being able to make changes

Features Enabled:

  • The complete reporting suite

  • Building and exporting reports

  • Not able to view questionnaire level information (i.e., vendor answers to questions)

Menu Pages Enabled:

  • Dashboard (no data available)

  • Reporting

SSO Attribute Value: WhisticRunReports

Override Non-Disclosure Agreement

User can allow Profile recipient to bypass NDA. This is not a stand-alone feature; it must be combined with another privilege.

Use Cases:

  • NOTE: Not a stand-alone feature, must be combined with another privilege

  • Typically combined with Send Self-Assessments

Features Enabled:

  • User can allow Profile recipient to bypass NDA

  • When combined with Send Self-Assessments, user can view a complete list of Profile shares

SSO Attribute Value: WhisticOverrideNDA

View Documents

This feature only allows access to download documents from your Security Profile.

Use Cases:

  • Download documents from security profile

Features Enabled:

  • N/A

Menu Pages Enabled:

  • N/A

SSO Attribute Value: WhisticViewDocuments

Read-Only Vendor Catalog

Allows users to view the Vendor Catalog. The information displayed in the columns is visible; however, Admins can determine and customize the data displayed in those columns. The vendor record, documents, and details are not accessible with this permission.

Use Cases:

  • General company-wide access to view list of approved vendors

  • Allow users outside the security team to view the assessment status of a vendor they requested.

Features Enabled:

  • The information displayed in the columns is visible. Admins determine the data displayed in the columns. 

Menu Pages Enabled:

  • Vendor Catalog list. The vendor’s Profile page, documents, and other details are not accessible. 

SSO Attribute Value: WhisticReadVendorCatalog
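
Before wiring IdP groups to these SSO Attribute Values, the pairing rules stated in this guide can be checked mechanically. The script below is an added example, not Whistic code or a Whistic API: the attribute values and rules are taken from this page, while the function names, the group names in the sample, and the "review scope" flag for Admin and Run Reports are assumptions made for illustration.

```python
# Added example (not Whistic code): lint IdP group -> SSO Attribute Value maps.
# Values and pairing rules come from this guide; all names here are illustrative.
KNOWN = {
    "WhisticAdmin", "WhisticRequestQuestionnaires", "WhisticSendSelfAssessment",
    "WhisticAnswerSelfAssessment", "WhisticReadSelfAssessment",
    "WhisticViewVendorAssessment", "WhisticScoreBuilder",
    "WhisticReviewVendorAssessment", "WhisticAddVendors", "WhisticEditVendors",
    "WhisticRunReports", "WhisticOverrideNDA", "WhisticViewDocuments",
    "WhisticReadVendorCatalog",
}
# Broad data scope per the guide (all privileges / complete reporting suite).
BROAD_SCOPE = {"WhisticAdmin", "WhisticRunReports"}


def lint_assignment(values):
    """Return a sorted list of findings for one set of attribute values."""
    vals = set(values)
    findings = [f"unknown value: {v}" for v in vals - KNOWN]
    if {"WhisticReadSelfAssessment", "WhisticAnswerSelfAssessment"} <= vals:
        findings.append("conflict: Read and Answer Self-Assessment cannot be combined")
    if "WhisticReviewVendorAssessment" in vals and "WhisticViewVendorAssessment" not in vals:
        findings.append("missing pair: Review requires View Vendor Assessments")
    if "WhisticOverrideNDA" in vals and not (vals & KNOWN) - {"WhisticOverrideNDA"}:
        findings.append("not stand-alone: Override NDA needs another privilege")
    findings += [f"review scope: {v}" for v in vals & BROAD_SCOPE]
    return sorted(findings)


def lint_groups(groups):
    """Map each IdP group name to its findings; clean groups are omitted."""
    return {g: f for g, v in groups.items() if (f := lint_assignment(v))}


# Constructed sample mapping; group names are hypothetical.
SAMPLE_GROUPS = {
    "sec-analysts": ["WhisticRequestQuestionnaires", "WhisticViewVendorAssessment",
                     "WhisticReviewVendorAssessment"],
    "sales": ["WhisticSendSelfAssessment", "WhisticOverrideNDA"],
    "compliance": ["WhisticReviewVendorAssessment", "WhisticRunReports"],
    "legal": ["WhisticOverrideNDA"],
    "profile-team": ["WhisticReadSelfAssessment", "WhisticAnswerSelfAssessment",
                     "WhisticAdmins"],
}

if __name__ == "__main__":
    for group, findings in lint_groups(SAMPLE_GROUPS).items():
        print(group, findings)
```

A misspelled value such as the constructed `WhisticAdmins` is reported as unknown rather than treated as Admin, which is the kind of silent provisioning gap worth catching before rollout.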
