LowerPlane uses role-based access control (RBAC) to manage what each team member can see and do within your organization. Properly configured roles ensure that the right people have the right access — a fundamental compliance requirement across all frameworks.
Roles
LowerPlane provides five predefined roles:
| Role | Description | Typical Users |
|---|---|---|
| Owner | Full access to all features, settings, and billing. Can manage other owners. | Company founder, CTO |
| Admin | Full access to all features and settings. Cannot manage billing or transfer ownership. | Compliance managers, security leads |
| Member | Can view and edit compliance data, run tests, manage evidence, and work with controls. Cannot modify settings or manage users. | Compliance analysts, security engineers |
| Read-Only | Can view all compliance data but cannot make any changes. | Stakeholders, executives |
| Auditor | Limited read-only access scoped to audit-relevant data: controls, evidence, policies, and test results. | External auditors |
Role Permissions Matrix
| Permission | Owner | Admin | Member | Read-Only | Auditor |
|---|---|---|---|---|---|
| View compliance data | Yes | Yes | Yes | Yes | Yes |
| Edit controls and evidence | Yes | Yes | Yes | No | No |
| Manage integrations | Yes | Yes | Yes | No | No |
| Create/edit policies | Yes | Yes | Yes | No | No |
| Run tests | Yes | Yes | Yes | No | No |
| Manage users | Yes | Yes | No | No | No |
| Modify organization settings | Yes | Yes | No | No | No |
| Manage billing | Yes | No | No | No | No |
| Transfer ownership | Yes | No | No | No | No |
| View settings and user list | Yes | Yes | Yes | Yes | No |
The Auditor role is specifically designed for external auditors who need to verify your compliance posture. It provides sufficient access for audit purposes without exposing operational settings or user management.
Inviting Users
- Navigate to Settings > Users. Open the user management page from the Settings menu.
- Click Invite User. This opens the invitation form.
- Enter the user's email. Provide the email address of the person you want to invite.
- Select a role. Choose the appropriate role for the new user based on their responsibilities.
- Send the invitation. Click Send Invite. The user receives an email with a link to create their account and join your organization.
Follow the principle of least privilege: assign the minimum role necessary for each person’s responsibilities. You can always upgrade a role later if needed.
Managing Existing Users
Changing a User’s Role
- Go to Settings > Users and find the user in the list.
- Click on the user or the role dropdown.
- Select the new role.
- Confirm the change.
Removing a User
- Go to Settings > Users and find the user.
- Click Remove or the delete action.
- Confirm the removal. The user immediately loses access to your organization.
Removing a user does not delete their contributions (evidence uploads, policy edits, test completions). These records are preserved for audit trail integrity. The user’s name remains in activity logs.
Viewing 2FA Status
The user list displays each team member’s two-factor authentication (2FA) status:
- Enabled — The user has configured 2FA on their account
- Not Enabled — The user has not yet set up 2FA
This visibility helps you enforce your organization’s MFA policy. See MFA Settings for organization-wide enforcement options.
User Management as Compliance Evidence
Proper user management directly satisfies compliance controls:
| Framework | Controls |
|---|---|
| ISO 27001 | A.9.2.1 (User registration), A.9.2.2 (Access provisioning), A.9.2.6 (Removal of access rights) |
| SOC 2 | CC6.1 (Logical access security), CC6.2 (Access provisioning and removal) |
| HIPAA | 164.308(a)(3) (Workforce security), 164.308(a)(4) (Access management) |
| GDPR | Article 32 (Security of processing) |
| PCI-DSS | Req 7 (Restrict access by need to know), Req 8 (Identify and authenticate access) |
LowerPlane maintains an audit log of all user management actions:
- When users were invited and when they accepted
- Role assignments and changes
- User removals and the reason (if provided)
- Last login timestamps
Best Practices
- Review user access quarterly. Remove users who no longer need access and verify that roles still match responsibilities.
- Use the Auditor role for external auditors. Never give auditors Admin or Member access.
- Require 2FA for all users. Enable organization-wide MFA enforcement to meet authentication controls.
- Limit the number of Owners and Admins. Keep privileged roles to the minimum necessary.
- Document role assignments. Use notes or an external record to explain why each person has their assigned role. Auditors may ask.
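The quarterly review above can be turned into a repeatable check. The script below is an added example, not LowerPlane's own code; it assumes a user record with email, role, 2FA status and last-login fields (the page documents no export format, so those field names are an assumption) and flags the conditions the best practices describe: too many Owners/Admins, external accounts holding anything other than Auditor, 2FA not enabled, invitations never accepted, and stale logins.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

PRIVILEGED = {"Owner", "Admin"}  # the two roles that can manage users and settings

@dataclass
class User:
    # Assumed record shape: the page documents no export format, so these
    # field names are an assumption, not LowerPlane's schema.
    email: str
    role: str                       # Owner | Admin | Member | Read-Only | Auditor
    two_factor: bool                # "Enabled" / "Not Enabled" column of the user list
    last_login: Optional[datetime]  # None means the invitation was never accepted

def review_access(users, org_domain, now, max_privileged=2, stale_days=90):
    """Return (subject, finding) pairs that a quarterly access review should resolve."""
    findings = []
    privileged = [u for u in users if u.role in PRIVILEGED]
    if len(privileged) > max_privileged:
        findings.append(("org", f"{len(privileged)} Owners/Admins, limit is {max_privileged}"))
    if not any(u.role == "Owner" for u in users):
        findings.append(("org", "no Owner present"))
    for u in users:
        # External auditors should only ever hold the Auditor role.
        if not u.email.lower().endswith("@" + org_domain) and u.role != "Auditor":
            findings.append((u.email, f"external account holds {u.role}, expected Auditor"))
        if not u.two_factor:
            findings.append((u.email, "2FA not enabled"))
        if u.last_login is None:
            findings.append((u.email, "invitation never accepted"))
        elif now - u.last_login > timedelta(days=stale_days):
            findings.append((u.email, f"no login in {stale_days} days"))
    return findings

# Constructed sample data for demonstration; not a real organization.
NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    User("ceo@example.com", "Owner", True, NOW - timedelta(days=3)),
    User("seclead@example.com", "Admin", True, NOW - timedelta(days=1)),
    User("analyst@example.com", "Member", False, NOW - timedelta(days=120)),
    User("auditor@auditfirm.example", "Admin", True, NOW - timedelta(days=10)),
    User("newhire@example.com", "Read-Only", False, None),
]

if __name__ == "__main__":
    for subject, finding in review_access(SAMPLE_USERS, "example.com", NOW):
        print(f"{subject}: {finding}")
```

Each finding maps back to a best practice on this page, so the output doubles as the written record an auditor may ask for.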