User Management

Modulos uses role-based access control at two levels: organization and project. This keeps organization administration centralized while allowing project teams to execute governance work with clear separation of duties.

What this is

User management covers:

  • who can access the platform
  • what they can do at the organization level
  • what they can do inside each project

Most user management actions are performed by organization admins, but are viewable by regular members.

Where in Modulos

  • Organization → Users to view members, invites, and organization roles
  • Organization → Users → Roles to view the standard project roles and the rights they grant
  • Project → Settings → User access to assign project roles for a specific project

Who can do what

Permissions

  • Organization Admins invite users, deactivate users, and manage organization roles.
  • Organization Members can typically view users and roles, but cannot change access.
  • Organization Risk Managers focus on maintaining the organization’s risk quantification structure. They typically do not manage user access unless they are also an organization admin.
  • Project Owners manage project-level access and day-to-day governance execution within a project.

How it works

Organization roles

Organization roles apply across the organization:

  • Organization Admin: full administrative access to manage users and organization-wide configuration.
  • Organization Member: baseline access, typically with read access to organization-level configuration.
  • Organization Risk Manager: maintain the organization’s risk quantification library and budgets, and support teams running quantification in projects.

Organization Admin is a high-trust role

Organization admins can view and edit the organization’s configuration and access model (users, settings, shared libraries). Treat this role as equivalent to “can administer the organization” and grant it sparingly.

Organization roles usually do not automatically grant access to every project. Organization admins are the exception and typically have organization-wide project access. For non-admins, project access is governed separately, and project owners assign project roles per project.

Project roles

Project roles apply inside one project:

  • Owner: configure the project, assign project roles, and run workflows end-to-end.
  • Editor: implement controls, attach evidence, and update work items.
  • Reviewer: approve or reject review requests for status changes and review gates.
  • Auditor: read-only access focused on traceability and evidence.

This separation supports audit readiness by keeping implementers and reviewers distinct where possible.

Role model today

Roles are currently hardcoded to a standard set. Modulos will expand this to more customizable RBAC over time.

How to use it

  1. Invite users: Organization admins add users and manage invites
  2. Assign org roles: Grant admin and risk manager responsibilities where needed
  3. Assign project roles: Project owners grant owner, editor, reviewer, and auditor access per project
  4. Enforce separation: Keep implementers and reviewers distinct for audit readiness
  5. Deactivate leavers: Remove access when roles change or people leave

Important considerations

  • Deactivating a user removes platform access and invalidates any API tokens they created.
  • Users cannot deactivate themselves; another admin must perform the action.
  • Organization admins typically have organization-wide project access. Use project roles to grant minimum access to non-admins and to keep separation of duties explicit.
  • If you don’t see Organization → Users, ask an organization admin to confirm access.
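
An access review that applies the rules on this page (keep implementers and reviewers distinct, grant Organization Admin sparingly, remove leavers), added here as an example and not Modulos code. The snapshot structure, the `max_admins` threshold, the treatment of Editor as the implementer role, and the possibility of one user holding several project roles are assumptions; this page does not show a Modulos export or API format.

```python
# Added example: access review over a constructed snapshot (not a Modulos export format).
ORG_ADMIN = "Organization Admin"
IMPLEMENTER_ROLES = {"Editor"}    # assumption: Editor is the implementing role
REVIEWER_ROLES = {"Reviewer"}

def effective_access(users, project_roles, project):
    """Active users who can reach `project`: explicit role holders plus org admins
    (assumption: admins always have organization-wide project access)."""
    explicit = set(project_roles.get(project, {}))
    admins = {u for u, rec in users.items() if rec["org_role"] == ORG_ADMIN}
    return sorted(u for u in explicit | admins if u in users and users[u]["active"])

def review_access(users, project_roles, max_admins=2):
    """Return sorted (finding, scope, subject) tuples.
    max_admins is a hypothetical threshold for "grant it sparingly"."""
    findings = []
    admins = sorted(u for u, rec in users.items()
                    if rec["active"] and rec["org_role"] == ORG_ADMIN)
    if len(admins) > max_admins:
        findings.append(("too-many-org-admins", "organization", ",".join(admins)))
    for project, members in project_roles.items():
        independent_reviewer = False
        for email, roles in members.items():
            rec = users.get(email)
            if rec is None or not rec["active"]:
                # Assumption: a leaver can still be listed in the snapshot.
                findings.append(("stale-assignment", project, email))
            elif roles & IMPLEMENTER_ROLES and roles & REVIEWER_ROLES:
                findings.append(("implementer-is-reviewer", project, email))
            elif roles & REVIEWER_ROLES:
                independent_reviewer = True
        if not independent_reviewer:
            findings.append(("no-independent-reviewer", project, "-"))
    return sorted(findings)

# Constructed sample data.
USERS = {
    "ana@example.com": {"org_role": ORG_ADMIN, "active": True},
    "ben@example.com": {"org_role": "Organization Member", "active": True},
    "cy@example.com": {"org_role": "Organization Member", "active": True},
    "dee@example.com": {"org_role": "Organization Member", "active": False},
}
PROJECT_ROLES = {
    "credit-model": {"ben@example.com": {"Owner"}, "cy@example.com": {"Editor", "Reviewer"}},
    "chatbot": {"ben@example.com": {"Editor"}, "cy@example.com": {"Reviewer"},
                "dee@example.com": {"Auditor"}},
}

if __name__ == "__main__":
    for finding in review_access(USERS, PROJECT_ROLES):
        print(*finding, sep="\t")
```

`effective_access` makes the implicit reach of organization admins visible per project, which is the part of the model that project-level role lists alone do not show.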