Menu

How to Use Security Roles

Avatar
Katie Brennan
Updated
Follow

What are Security Roles?

Our Security Roles feature, available to Platinum and Diamond customers, allows you to define the level of access and administrative ability that you'd like specific user groups to have.

This feature helps you follow the principle of least privilege in your KnowBe4 console, ensuring that the various areas of your KnowBe4 account are only accessible to those who need them.

The article goes into depth about Security Roles. For a short overview, check out our Security Roles video.

JUMP TO:

Use Cases
How to Set Up
Managing Security Roles
Permission Descriptions
Frequently Asked Questions (FAQs)

 

Use Cases for Security Roles

Here are a few examples of how you can use Security Roles to limit console access based on your employees' job responsibilities or requirements. Be sure to consider your own organizational structure and needs when creating Security Roles for your KnowBe4 console.

 

Use Case #1: Need to Add, Manage, and Delete Users

Need: To provide Human Resources or IT with the ability to add new users to your KnowBe4 console, but without the ability to create or manage phishing and training campaigns.

Solution: Create a Security Role providing Read/Write access to Users & Groups. This allows them to add, manage, and delete users and groups in your console as needed.

Example of Permissions Settings for this Use Case:

General Permissions Tab 

Use Case #2: Need to Create Phishing Templates, Landing Pages, and Training Notifications

Need: To provide creative control to a consultant or other internal employee to create phishing templates, landing pages, and training notifications, without allowing that individual to access any user, phishing, or training data.

Solution: Create a Security Role providing Read/Write access to Phishing Templates, Landing Pages, and Training Notifications.

Example of Permissions Settings for this Use Case: 

Phishing Permissions Tab
Training Permissions Tab

Use Case #3: Need to Review Employee Completion of Assigned Security Training for Compliance or Onboarding Purposes

Need: To provide Training or Compliance group with the ability to see if users are completing their annual security awareness training on time, download training-related reports, and send notifications to users and managers to ensure everyone is in compliance with organization policy.

Solution: Create a Security Role providing Read/Manage access to Training Campaigns and Read Only access to Training Reports.

Example of Permissions Settings for this Use Case: 

Training Permissions Tab

Use Case #4: Need to Review ModStore Training Content

Need: To provide Training, Compliance, or HR group with the ability to review all the available ModStore content, for the purpose of creating a training plan for the year.

Solution: Create a Security Role providing Browse access to ModStore.

Example of Permissions Settings for this Use Case: 

General Permissions Tab

Use Case #5: Manager Needs to View Employee Training Status/Completion or Phishing Test Results

Need: To provide a specific manager "John Smith" with the ability to review their employees' progress/status on training campaigns as well as phishing test results, without allowing them to view other employee data.

Solution: Place manager John Smith in a unique group, then apply a Security Role to that group that provides Read Only access to Phishing Campaigns, Phishing Reports, Users & Groups, Training Campaigns, and Training Reports for the targeted group. (Don't have a group with this manager's users in it yet? You can use Smart Groups to automatically create a group based on user information, such as manager name.)

Example of Permissions Settings for this Use Case: 

General Permissions Tab

Phishing Permissions Tab

Training Permissions Tab

Back to top

 

 

How to Set Up Security Roles

First, you'll want to make sure you have groups set up in your console, as Security Roles are applied to groups rather than users.

If you haven't created any groups yet, there are a few ways to do this. Most commonly, you'll create them manually under the Users > Groups tab or through a CSV import when importing users. See our Managing Groups article for more information.

Once you have groups set up, you can follow the steps below to create Security Role(s) for specific groups.

  1. Navigate to the Users tab within your console, then click the Security Roles tab. 


  2. Click the +New Security Role button on the top-right of your screen.


  3. Name your Security Role, then select one or more groups to assign the Role to.


  4. Click the tabs next to Role Definition (General, Phishing, Training, Vishing) to select what permissions you'd like to apply to this particular Security Role. You can select as many as you'd like. See the Permissions Descriptions section below for details on what each permission includes.

    On certain permissions, you can further limit the permissions to only include specific, "targeted groups". If you'd like to do that, after providing that permission, you can add groups to the Targeted Groups drop-down. 

    Important information about Targeted Groups:

    Campaign data will only appear if the applied Security Role has access to ALL groups targeted by the campaign. For example, if there is a Phishing Campaign targeting groups A, B, and C, but the Security Role only provides Phishing Campaign access to groups A and B, that phishing campaign will NOT appear.


    General Permissions (See Description)


    Phishing Permissions (See Description)


    Training Permissions (See Description)


    Vishing Permissions (See Description)
  5. Click the Create Security Role button when you are finished. Any users affected by the Security Roles you've defined will be able to access their designated areas instantly.

Back to top

 

Managing Security Roles

You can manage your Security roles from within the Users > Security Roles tab of your console. Here you will see a list of all the Security Roles you've created.

To edit, clone, or delete Security Roles, click the downward-facing arrow towards the right of the Role you'd like to make changes to, and select Edit, Clone, or Delete.

Editing Security Roles

Alternatively, you can click the name of any Security Role to modify it. This will take you to the Access Profile for that particular Security Role, where you can grant or remove permissions as needed.

Cloning Security Roles

Clicking Clone will duplicate the Security Role's permissions and take you to the Access Profile for the "cloned" group. The word "Clone" will be automatically added to the Security Role Name. Modify the Name, Security Role Groups, permissions settings, and Targeted Groups as necessary, then click the Create Security Role button to save your "cloned" group.

Deleting Security Roles

Clicking Delete will permanently delete that Security Role from your console. This action cannot be undone. 

Back to top

  

Permissions Descriptions

Security Roles: Granular/Delegated Permissions
General Permissions                   Account Settings No Access: No access to Account Settings area.
Read Only: Ability to view all Account Settings.
Read/Write: All of the above access, plus the ability to view and modify all Account Settings.
Users & Groups No Access: No access to Users tab.

Read Only: Access to Users tab. Ability to view user list as well as individual user profiles. Ability to view groups and group membership. Ability to view Active Directory Integration (ADI) information (if applicable).

Use Targeted Groups to further limit access to ONLY the selected group(s). Note that by targeting groups, this role will not have access to the Import Users, Active Directory, or Merge Users tabs. 

Read/Write: All of the access granted above, plus the ability to create, modify, or delete users and groups.

Use Targeted Groups to further limit access to ONLY the selected group(s). Note that by targeting groups, this role will not have access to the Import Users, Active Directory, or Merge Users tabs--you will be able to modify user information for users within your targeted group(s), but no other user management ability will be available.
ModStore No Access: No access to ModStore tab.
Browse: Access to ModStore tab. Ability to browse and preview all available ModStore content.
Purchase: All of the access granted above, plus the ability to add content to Store Purchases.
ASAP No Access: No access to ASAP tab.
Read Only: Access to ASAP tab. Ability to view task list, calendar, and reports. 
Read/Write: All of the access granted above, plus the ability to reset ASAP and modify the task list, calendar, and start date.
USB Campaigns No Access: No access to USB tab.
Read Only: Access to USB tab. Can view existing USB drive test campaigns and reports.
Read/Write: All of the access granted above, plus the ability to create, edit, and delete USB drive test campaigns. 
AIDA Campaigns No Access: No access to AIDA tab.
Read Only: Access to AIDA tab. Can view existing AIDA campaigns and reports.
Read/Write: All of the access granted above, plus the ability to create and delete AIDA campaigns. 
Phishing Permissions  Phishing Campaigns   No Access: No access to Campaigns tab within the Phishing area.

Read Only: Access to Campaigns tab within the Phishing area. Can view existing phishing campaigns and view and download reports.

Use Targeted Groups to further limit access to ONLY the selected group(s).

Read/Write: All of the access granted above, plus the ability to create, edit, hide, or delete phishing campaigns.

Use Targeted Groups to further limit access to ONLY the selected group(s). 
Phishing Email Templates No Access: No access to Email Templates tab within the Phishing area.
Read Only: Access to Email Templates tab within the Phishing area. Ability to view available phishing templates and phishing template categories.
Read/Write: All of the access granted above, plus the ability to create, edit, and delete phishing templates and phishing template categories.
Phishing Landing Pages    No Access: No access to Landing Pages tab within the Phishing area.
Read Only: Access to Landing Pages tab within the Phishing area. Ability to view available landing pages and landing page categories.
Read/Write: All of the access granted above, plus the ability to create, edit, and delete landing pages and landing page categories.
Phishing Reports   No Access: No access to Reports tab within the Phishing area.

Read Only: Access to Reports area within the Phishing area. Ability to create and download aggregate Phishing Reports and view Phishing campaign results.

Use Targeted Groups to further limit access to ONLY the selected group(s).
Phishing Dashboard  Don't Show: Cannot view Phishing portion of Dashboard tab. Dashboard tab will only appear if Training Dashboard permissions are granted.
Show: Can view Phishing portion of Dashboard. Cannot click for additional data unless other Phishing permissions are provided.
Training Permissions  Training Campaigns    No Access: No access to Campaigns tab within the Training area.

Read Only: Access to Campaigns tab within the Training area. Can view existing training campaigns and view and download reports.

Use Targeted Groups to further limit access to ONLY the selected group(s).

Read/Manage: All of the access granted above, plus the ability to manage campaigns by sending manual training notifications, passing and resetting the completion progress of users, and downloading individual training campaign reports.

Use Targeted Groups to further limit access to ONLY the selected group(s).

Full Read/Write: All of the access granted above, plus the ability to create, edit, and delete training campaigns.

Use Targeted Groups to further limit access to ONLY the selected group(s).
Training Notification Templates No Access: No access to Notification Templates tab within the Training area.
Read Only: Access to Notification Templates tab within the Training area. Ability to view available training notifications and training notification categories.
Read/Write: All of the access granted above, plus the ability to create, edit, and delete training notifications and training notification categories.
Training Store Purchases No Access: No access to Store Purchases tab within the Training area.
Read Only: Access to Store Purchases tab within the Training area. Ability to view and preview Store Purchases.
Read/Write: All of the access granted above, plus the ability to assign a course-attached (URL) policy to any training module.
Policy Management No Access: No access to Policies tab within the Training area.
Read Only: Access to Policies tab within the Training area. Ability to view and preview uploaded policies.
Read/Write: All of the access granted above, plus the ability to upload and publish new policies.
Training Reports  No Access: No access to Reports tab within the Training area.

Read Only: Access to Reports tab within the Training area. Ability to create, view, and download Training-related reports.

Use Targeted Groups to further limit access to ONLY the selected group(s).
Training Dashboard   Don't Show: Cannot view Training portion of Dashboard. Dashboard tab will only appear if Phishing Dashboard permissions are granted.
Show: Can view Training portion of Dashboard. Cannot click for additional data unless other Training permissions are provided.
Vishing Permissions  Vishing Campaigns    No Access: No access to Campaigns tab within the Training area.

Read Only: Access to Campaigns tab within the Training area. Can view existing training campaigns and view and download reports.

Use Targeted Groups to further limit access to ONLY the selected group(s).

Read/Write: All of the access granted above, plus the ability to manage campaigns by sending manual training notifications, passing and resetting the completion progress of users, and downloading individual training campaign reports.

Use Targeted Groups to further limit access to ONLY the selected group(s).
Vishing Templates No Access: No access to Templates tab within the Vishing area.
Read Only: Access to Templates tab within the Vishing area. Ability to view available vishing templates and vishing template categories.
Read/Write: All of the access granted above, plus the ability to create, edit, and delete vishing templates and vishing template categories.

Back to top

 


Frequently Asked Questions (FAQs)

  1. I don't see the Security Roles tab on my console.

    If your KnowBe4 account's subscription level is Platinum or Diamond, you should see the Security Roles tab available to you after clicking on the Users tab at the top of your console. If you are a Platinum or Diamond customer and still cannot locate the Security Roles tab, you can contact Support for assistance.

    If you're not a Platinum or Diamond customer yet but you're interested in upgrading, your Customer Success Manager can assist you. Not sure who your Customer Success Manager is? Our Support Team can assist you.

  2. If a user is in two groups, each with separate Security Roles defined, what permissions will they get?

    Permissions are additive, meaning the user will gain all the permissions you defined in the Security Roles for the groups they are a part of. Permissions will not be taken away from a user by giving them multiple Security Roles with differing permissions.

  3. Can I provide someone the ability to create Security Roles?

    Only Admins on your KnowBe4 account can create Security Roles. Admins will have access to all areas of the console. See: How to assign Admin functions

  4. Does the Security Roles feature work with Smart Groups?

    Yes! You can apply Security Roles to Smart Groups if necessary, but this should only be used carefully and for special cases. 

    You can also limit access for a Security Role by using the "Targeted Groups" feature to view/manage only specific Smart Groups. This feature will delegate the Security Role's permissions to only view/manage users who fit the specific criteria for that Smart Group. 

    When using Smart Groups and Security Roles, keep in mind that for any campaign/reports access you provide, associated campaigns must have targeted only the group(s) that the Security Role has access to or else they will not appear for that Security Role.

  5. I want to allow my Security Role to import or delete users for specific groups only. Can I do this?

    No, you can't limit the ability to import users to specific groups. If your permissions are limited to a particular group, you will be unable to take actions that affect multiple groups. Specifically, a Security Role for Users & Groups (which targets specific groups only) will not have the ability to import users.

Back to top

Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.

Related articles