What Are Security Roles?
Our Security Roles feature, available to Platinum and Diamond customers, allows you to set the level of administrative permission for a specific user group. This will help you follow the principle of least privilege in your KnowBe4 console, ensuring that the various areas of your KnowBe4 account are only accessible to those who need them.
For a short overview, check out our How to Use Security Roles video. For more in-depth information, continue reading or click the links below to jump to a specific section of this article.
Jump to:
How to Set Up Security Roles
Managing Security Roles
Permissions Descriptions
Security Role Use Cases
Frequently Asked Questions (FAQs)
How to Set Up Security Roles
First, you'll want to make sure you have groups set up in your console, as Security Roles are applied to groups rather than users. See our Managing Groups article for more information.
Once you have groups set up, you can follow the steps below to create Security Role(s) for specific groups.
- Navigate to the Users tab within your console, then click the Security Roles subtab.
- From the top-right of the screen, click the +New Security Role button.
- Set a name for this Security Role and then select one or more groups from the drop-down to assign this role to.
- Navigate using the tabs and select the permissions you'd like this Security Role to have. Each tab on this screen, General, Phishing, Training, and ModStore, includes permission options for the corresponding area of your console. See the Permissions Descriptions section below for details on what each permission includes.
- For some permissions, you can further limit them to specific Targeted Groups.
Important:
Campaign data will only appear if the applied Security Role has access to ALL groups targeted by the campaign. For example, if there is a Phishing Campaign targeting groups A, B, and C, but the Security Role only provides Phishing Campaign access to groups A and B, that phishing campaign will NOT appear.
- Once you've made all the necessary selections, click the Create Security Role button. Any users affected by the Security Roles you've defined will gain access to their designated areas instantly.
Managing Security Roles
To manage your Security Roles, go to the Users tab of your KnowBe4 console and select the Security Roles subtab. All of your created Security Roles are listed here.
- Search: Search for Security Roles by name or group.
- Security Role Name: Click on a Security Role name to view and edit the permissions for that role.
- Groups: Lists all groups with this Security Role assigned. Click on a group name to see more details on that group.
- Users: This is the number of users with this Security Role assigned.
- Actions: Use the drop-down menu to edit, clone, or delete.
  - Edit: View and edit the permissions for that role.
  - Clone: Cloning a Security Role will open the New Security Role screen. The same permissions from the cloned group will already be selected for you. You can modify the Name, Security Role Groups, permissions settings, and Targeted Groups as necessary, then click the Create Security Role button to save your new group.
  - Delete: Deleting a Security Role completely removes it from your console. This action cannot be undone.
Permissions Descriptions
The permissions available for each area of your console are described below.
Account Settings
- No Access: No access to the Account Settings area.
- Read: Ability to view all Account Settings.
- Read/Write: All of the above access, plus the ability to view and modify all Account Settings.
Users & Groups
- No Access: No access to the Users tab.
- Read: Access to Users tab. Ability to view the user list as well as individual user profiles. Ability to view groups and group membership. Ability to view user provisioning information (if applicable). Use Targeted Groups to further limit access to ONLY the selected group(s). Note that by targeting groups, this role will not have access to the Import Users, Provisioning, or Merge Users tabs.
- Read/Write: All of the access granted above, plus the ability to create, modify, or delete users and groups.
ASAP
- No Access: No access to ASAP tab.
- Read: Access to ASAP tab. Ability to view task list, calendar, and reports.
- Read/Write: All of the access granted above, plus the ability to reset ASAP and modify the task list, calendar, and start date.
USB Campaigns
- No Access: No access to the USB tab.
- Read: Access to USB tab. Can view existing USB drive test campaigns and reports.
- Read/Write: All of the access granted above, plus the ability to create, edit, and delete USB drive test campaigns.
AIDA Campaigns
- No Access: No access to the AIDA tab.
- Read: Access to AIDA tab. Can view existing AIDA campaigns and reports.
- Read/Write: All of the access granted above, plus the ability to create and delete AIDA campaigns.
Second Chance
- No Access: No access to the Second Chance tab.
- Read: Access to the Second Chance tab. Can view users, devices, and settings.
- Read/Write: All of the access granted above, plus the ability to edit the Second Chance settings.
Reporting
- No Access: No access to the Reports tab.
- Show: Access to Reports with the ability to create and download reports.
Phishing Campaigns
- No Access: No access to the Campaigns tab within the Phishing area.
- Read: Access to Campaigns tab within the Phishing area. Can view existing phishing campaigns and view and download reports. Use Targeted Groups to further limit access to ONLY the selected group(s).
- Read/Write: All of the access granted above, plus the ability to create, edit, hide, or delete phishing campaigns. Use Targeted Groups to further limit access to ONLY the selected group(s).
Phishing Templates
- No Access: No access to the Email Templates tab within the Phishing area.
- Read: Access to Email Templates tab within the Phishing area. Ability to view available phishing templates and phishing template categories.
- Read/Write: All of the access granted above, plus the ability to create, edit, and delete phishing templates and phishing template categories.
Phishing Landing Pages
- No Access: No access to the Landing Pages tab within the Phishing area.
- Read: Access to Landing Pages tab within the Phishing area. Ability to view available landing pages and landing page categories.
- Read/Write: All of the access granted above, plus the ability to create, edit, and delete landing pages and landing page categories.
Phishing Reports
- No Access: No access to the Reports tab within the Phishing area.
- Show: Access to Reports area within the Phishing area. Ability to create and download aggregate Phishing Reports and view Phishing campaign results. Use Targeted Groups to further limit access to ONLY the selected group(s).
Phishing Dashboard
- No Access: Cannot view the Phishing portion of the Dashboard tab. Dashboard tab will only appear if Phishing Dashboard permissions are granted.
- Show: Can view the Phishing portion of the Dashboard. Cannot click for additional data unless other Phishing permissions are provided.
Dashboard & Reports
- No Access: No access to the Dashboard and Reports tabs within the SecurityCoach area.
- Show: Access to the Dashboard and Reports tabs within the SecurityCoach area.
Real-Time Coaching & SecurityTips
- No Access: No access to the Real-Time Coaching and SecurityTip tabs within the SecurityCoach area.
- Read: Access to the Real-Time Coaching and SecurityTip tabs within the SecurityCoach area. Can view existing real-time coaching campaigns on the Real-Time Coaching tab and content on the SecurityTips tab.
- Read/Write: All of the access granted above, plus the ability to create, edit, or delete real-time coaching campaigns.
Detection Rules
- No Access: No access to the Detection Rules tab within the SecurityCoach area.
- Read: Access to view existing detection rules on the Detection Rules tab within the SecurityCoach area.
- Read/Write: All of the access granted above, plus the ability to create and edit detection rules.
Setup
- No Access: No access to the Setup tab within the SecurityCoach area.
- Read/Write: Access to the Setup tab within the SecurityCoach area. Can view and edit the configuration settings for SecurityCoach.
Training Campaigns
- No Access: No access to Campaigns tab within the Training area.
- Read: Access to Campaigns tab within the Training area. Can view existing training campaigns and view and download reports. Use Targeted Groups to further limit access to ONLY the selected group(s).
- Read/Manage: All of the access granted above, plus the ability to manage campaigns by sending manual training notifications, passing and resetting the completion progress of users, and downloading individual training campaign reports. Use Targeted Groups to further limit access to ONLY the selected group(s).
- Full Read/Write: All of the access granted above, plus the ability to create, edit, and delete training campaigns. Use Targeted Groups to further limit access to ONLY the selected group(s).
Training Notification Templates
- No Access: No access to the Notification Templates tab within the Training area.
- Read: Access to Notification Templates tab within the Training area. Ability to view available training notifications and training notification categories.
- Read/Write: All of the access granted above, plus the ability to create, edit, and delete training notifications and training notification categories.
Policy Management
- No Access: No access to the Policies tab within the Training area.
- Read: Access to Policies tab within the Training area. Ability to view and preview uploaded policies.
- Read/Write: All of the access granted above, plus the ability to upload and publish new policies.
Training Reports
- No Access: No access to the Reports tab within the Training area.
- Show: Access to Reports tab within the Training area. Ability to create, view, and download Training-related reports. Use Targeted Groups to further limit access to ONLY the selected group(s).
Training Dashboard
- No Access: Cannot view the Training portion of the Dashboard. Dashboard tab will only appear if Training Dashboard permissions are granted.
- Show: Can view the Training portion of the Dashboard. Cannot click for additional data unless other Training permissions are provided.
ModStore
- No Access: No access to the ModStore Browse tab.
- Read: Access to ModStore tab. Ability to browse and preview all available ModStore content.
- Read/Write: All of the access granted above, plus the ability to add content to the Library.
Library
- No Access: No access to the Library tab within the ModStore.
- Read: Access to the Library tab within the ModStore. Ability to view and preview items in the Library.
- Read/Write: All of the access granted above, plus the ability to download items from the Library.
Uploaded Content
- No Access: No access to the Uploaded Content tab within the ModStore.
- Read: Access to the Uploaded Content tab within the ModStore. Ability to view and preview uploaded content.
- Read/Write: All of the access granted above, plus the ability to upload and publish custom content.
Brandable Content
- No Access: No access to the Brandable Content tab within the ModStore.
- Read: Access to the Brandable Content tab within the ModStore. Ability to view applied Branded Themes.
- Read/Write: All of the access granted above, plus the ability to create and apply Branded Themes.
Reporting
- No Access: No access to Reports tab.
- Read: Access to the Reports tab. Ability to view Saved Reports.
- Read/Write: All of the access granted above, plus the ability to create Saved Reports.
Send Reports
- No Access: No access to Sent and Scheduled Reports.
- Read/Write: Ability to send and schedule reports.
Security Role Use Cases
Here are a few examples of how you can use Security Roles to limit console access based on your employees' job responsibilities or requirements.
Be sure to consider your own organizational structure and needs when creating Security Roles for your KnowBe4 console.
Example: Provide the Human Resources group with the ability to add new users to the KnowBe4 console, but without the ability to create or manage phishing and training campaigns.
Permissions: From the General subtab, select Read/Write for Users & Groups.
Example: Provide the Consultant group access to create phishing templates, landing pages, and training notifications, without allowing that individual to access any user, phishing, or training data.
Permissions: From the Phishing subtab, select Read/Write for Phishing Templates and Phishing Landing Pages.
From the Training subtab, select Read/Write for Training Notification Templates.
Example: Provide the Compliance Managers group with the ability to see if users are completing training on time, download training-related reports, and send notifications to users and managers.
Permissions: From the Training subtab, select Read/Manage for Training Campaigns and select Show for Training Reports.
Example: Provide the Training Managers group with the ability to view all available content in the ModStore, add it to your account's Library, and view the content in your Library.
Permissions: From the ModStore subtab, select Read/Write for ModStore and Read for Library.
Example: Provide a manager with the ability to view the training statuses and phishing test results of a specific user group. The manager will not be able to view any campaign that the group is not enrolled in, any campaign that also has other groups enrolled in it, or any sensitive user information.
To assign a specific Security Role to this manager, we must first place the manager in a unique user group. We will also need a group made up of her users. We recommend creating a Smart Group based on the manager's name in the user's profile. See our How to Use Smart Groups article for more information.
Permissions: From the General subtab, select Read for Users & Groups. Then, select the corresponding group from the Targeted Group drop-down.
From the Phishing subtab, select Read for Phishing Campaigns and Show for Phishing Reports. Then, select the corresponding group from the Targeted Group drop-down.
From the Training subtab, select Read for Training Campaigns and Show for Training Reports. Then, select the corresponding group from the Targeted Group drop-down.
Frequently Asked Questions (FAQs)
Q: I don't see the Security Roles tab on my console.
- A: If your KnowBe4 account's subscription level is Platinum or Diamond, you should see the Security Roles tab available to you after clicking on the Users tab at the top of your console.
If you are a Platinum or Diamond customer and still cannot locate the Security Roles tab, you can contact Support for assistance. If you're not a Platinum or Diamond customer yet but you're interested in upgrading, your Customer Success Manager can assist you.
Q: If a user is in two groups, each with separate Security Roles defined, what permissions will they get?
- A: Permissions are additive, meaning the user will gain all the permissions you defined in the Security Roles for the groups they are a part of.
Permissions will not be taken away from a user by giving them multiple Security Roles with differing permissions.
Q: Can I provide someone the ability to create Security Roles?
- A: Only Admins on your KnowBe4 account can create Security Roles. Admins will have access to all areas of the console. See: How to assign Admin functions
Q: Does the Security Roles feature work with Smart Groups?
- A: Yes! You can apply Security Roles to Smart Groups if necessary, but this should only be used for special cases. When using Smart Groups and Security Roles, keep in mind that for any campaign/reports access you provide, associated campaigns must have targeted only the group(s) that the Security Role has access to or else they will not appear for that Security Role.
You can also limit access for a Security Role by using the Targeted Groups feature to view/manage specific Smart Groups.
Q: I want to allow my Security Role to import or delete users for specific groups only. Can I do this?
- A: No, you can't limit the ability to import users to specific groups. If your permissions are limited to a particular group, you will be unable to take actions that affect multiple groups. Specifically, a Security Role for Users & Groups (which targets specific groups only) will not have the ability to import users.
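The two rules that most often surprise administrators, additive permissions across groups and the requirement that a role cover ALL groups a campaign targets, can be checked offline before a role is created. The following is an added example, not KnowBe4 code or a KnowBe4 API: a small Python model with constructed group, role and campaign names. It assumes that a permission with no Targeted Groups is unrestricted and that each role is evaluated on its own, with the results combined.

```python
from dataclasses import dataclass, field

# Rank of each access level named in the article; only compared within one permission.
LEVEL_RANK = {"No Access": 0, "Read": 1, "Show": 1, "Read/Manage": 2,
              "Read/Write": 3, "Full Read/Write": 3}

@dataclass
class SecurityRole:
    name: str
    groups: set          # groups the role is assigned to
    permissions: dict    # permission name -> access level
    targeted: dict = field(default_factory=dict)  # permission -> Targeted Groups

def roles_for(user_groups, roles):
    """Roles apply to groups, so a user holds every role assigned to any of their groups."""
    return [r for r in roles if r.groups & set(user_groups)]

def effective_permissions(user_groups, roles):
    """Additive merge: the highest level granted by any role wins; nothing is taken away."""
    merged = {}
    for role in roles_for(user_groups, roles):
        for perm, level in role.permissions.items():
            if LEVEL_RANK[level] > LEVEL_RANK[merged.get(perm, "No Access")]:
                merged[perm] = level
    return merged

def role_sees_campaign(role, perm, campaign_groups):
    """A campaign appears only if the role has access to ALL groups the campaign targets."""
    if LEVEL_RANK[role.permissions.get(perm, "No Access")] == 0:
        return False
    scope = role.targeted.get(perm)  # None: no Targeted Groups limit (assumed unrestricted)
    return scope is None or set(campaign_groups) <= set(scope)

def visible_campaigns(user_groups, roles, perm, campaigns):
    """Assumption: each role is evaluated on its own and the results are unioned."""
    mine = roles_for(user_groups, roles)
    return sorted(name for name, targets in campaigns.items()
                  if any(role_sees_campaign(r, perm, targets) for r in mine))

# Constructed sample data (group, role and campaign names are made up).
ROLES = [
    SecurityRole("Team Manager", {"Managers-East"},
                 {"Phishing Campaigns": "Read", "Phishing Reports": "Show"},
                 {"Phishing Campaigns": {"A", "B"}, "Phishing Reports": {"A", "B"}}),
    SecurityRole("Template Author", {"Consultants"},
                 {"Phishing Templates": "Read/Write", "Phishing Campaigns": "No Access"}),
]
CAMPAIGNS = {"Q1 baseline": {"A", "B", "C"}, "East pilot": {"A", "B"}, "A only": {"A"}}
```

Running `visible_campaigns` for each planned role against the list of existing campaigns shows which campaigns a scoped role will silently not see because they also target a group outside its Targeted Groups.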