By default, only users who have the Access KPIs and Manage KPIs permissions can access and modify KPIs. These permissions can come from system roles or from custom roles that you create. The following system roles have those permissions: user, admin and data.
KPIs also have an Owner, which by default is the KPI creator. The Owner can be changed when creating or editing the KPI. An Owner can be a user and/or a team, and a KPI can have more than one Owner. Ownership always prevails and gives full control over the KPI, regardless of any granular permissions.
KPIs also have a granular permissions module. Here's how to manage it:
Navigate to the KPIs
Select a KPI or Create one
Go to the Permissions drop-down and select Custom
Assign who (employees, teams, roles, account) gets which permissions
Keep in mind that the Access KPIs global permission is required for a user to be able to Read a KPI, while the Manage KPIs global permission is required for a user to be able to use the granular Update, Delete and Modify permissions
Save KPI
Pro-tip:
KPI permissions can be granted on 4 different levels - employees, teams, roles, account.
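The rules above, written as a small Python model that can also list granular grants with no effect because the required global permission is missing. This is an added example, not the product's own code or API: all function names, the data layout and the sample users are constructed. It assumes the Custom permissions mode and, since the page does not say otherwise, that an Owner does not additionally need the global permission.

```python
# Constructed model of the rules above (Custom permissions mode only).
REQUIRED_GLOBAL = {"Read": "Access KPIs", "Update": "Manage KPIs",
                   "Delete": "Manage KPIs", "Modify": "Manage KPIs"}

# Constructed sample data; only the "user" role name comes from the page.
USERS = [
    {"id": "ana", "teams": {"finance"}, "roles": {"user"},
     "global": {"Access KPIs", "Manage KPIs"}},
    {"id": "ben", "teams": {"sales"}, "roles": {"viewer"},
     "global": {"Access KPIs"}},
    {"id": "cy", "teams": {"sales"}, "roles": {"guest"}, "global": set()},
]
KPI = {"owners": [("employee", "ana")],
       "grants": [("team", "sales", {"Read", "Update"})]}

def matches(user, level, principal):
    """True if a principal at one of the four levels covers this user."""
    if level == "account":
        return True
    if level == "employee":
        return user["id"] == principal
    if level == "team":
        return principal in user["teams"]
    return level == "role" and principal in user["roles"]

def is_owner(user, kpi):
    # An Owner can be a user and/or a team.
    return any(matches(user, lvl, p) for lvl, p in kpi["owners"])

def can(user, action, kpi):
    # Ownership prevails over granular permissions.
    # Assumption: an Owner does not also need the global permission.
    if is_owner(user, kpi):
        return True
    # The global permission gates every granular permission.
    if REQUIRED_GLOBAL[action] not in user["global"]:
        return False
    return any(action in acts and matches(user, lvl, p)
               for lvl, p, acts in kpi["grants"])

def ineffective_grants(users, kpi):
    """(user, action) pairs granted granularly but blocked globally."""
    out = []
    for lvl, p, acts in kpi["grants"]:
        for u in users:
            if matches(u, lvl, p) and not is_owner(u, kpi):
                out += [(u["id"], a) for a in sorted(acts)
                        if REQUIRED_GLOBAL[a] not in u["global"]]
    return out
```
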