Menu

How to Use Security Roles

Avatar
Anisi Rouleau
Updated
Follow

What are Security Roles?

Our Security Roles feature, available to Platinum and Diamond customers, allows you to set the level of administrative permission for a specific user group. This will help you follow the principle of least privilege in your KnowBe4 console, ensuring that the various areas of your KnowBe4 account are only accessible to those who need them.

For a short overview, check out our Security Roles video. For more in-depth information continue reading or jump to a specific section of this article:

How to Set Up Security Roles
Managing Security Roles
Permission Descriptions
 Security Role Use Cases
 Frequently Asked Questions (FAQs)

 

How to Set Up Security Roles

First, you'll want to make sure you have groups set up in your console, as Security Roles are applied to groups rather than users. See our Managing Groups article for more information.

Once you have groups set up, you can follow the steps below to create Security Role(s) for specific groups.

  1. Navigate to the Users tab within your console, then click the Security Roles subtab. 
  2. From the top-right of the screen, click the +New Security Role button.
  3. Set a name for this Security Role and then select one or more groups from the drop-down to assign this role to.
  4. Navigate using the tabs and select the permissions you'd like this Security Role to have. Each tab on this screen, General, Phishing, Training, Vishing, and ModStore, includes permission options for the corresponding area of your console. See the Permissions Descriptions section below for details on what each permission includes.
    • For some permissions, you can further limit them to specific Targeted Groups.

      Important:

      Campaign data will only appear if the applied Security Role has access to ALL groups targeted by the campaign. For example, if there is a Phishing Campaign targeting groups A, B, and C, but the Security Role only provides Phishing Campaign access to groups A and B, that phishing campaign will NOT appear.

  5. Once you've made all the necessary selections, click the Create Security Role button. Any users affected by the Security Roles you've defined will gain access to their designated areas instantly.

Back to top

 

Managing Security Roles

To manage your Security roles, go to the Users tab of your KnowBe4 console and select the Security Roles subtab. All of your created Security Roles are listed here.

  1. Search: Search for Security Roles by name or group.
  2. Security Role Name: Click on a Security Role name to view and edit the permissions for that role. 
  3. Groups: Lists all groups with this Security Role assigned. Click on a group name to see more details on that group.
  4. Users: This is the number of users with this Security Role assigned. 
  5. Actions: Use the drop-down menu to edit, clone, or delete.
    • Edit: View and edit the permissions for that role. 
    • Clone: Cloning a Security Role will open the New Security Role screen. The same permissions from the cloned group will already be selected for you. You can modify the Name, Security Role Groups, permissions settings, and Targeted Groups as necessary, then click the Create Security Role button to save your new group.
    • Delete: Deleting a Security Role completely removes it from your console. This action cannot be undone. 

Back to top

  

Permissions Descriptions

Click a tab below to learn more about the permissions available for that area of your console. 

Account Settings No Access: No access to the Account Settings area.
Read: Ability to view all Account Settings.
Read/Write: All of the above access, plus the ability to view and modify all Account Settings.
Users & Groups No Access: No access to the Users tab.

Read: Access to Users tab. Ability to view the user list as well as individual user profiles. Ability to view groups and group membership. Ability to view SCIM and Active Directory Integration (ADI) information (if applicable).

Use Targeted Groups to further limit access to ONLY the selected group(s). Note that by targeting groups, this role will not have access to the Import Users, Provisioning, or Merge Users tabs.

Read/Write: All of the access granted above, plus the ability to create, modify, or delete users and groups.

Use Targeted Groups to further limit access to ONLY the selected group(s). Note that by targeting groups, this role will not have access to the Import Users, Provisioning, or Merge Users tabs--you will be able to modify user information for users within your targeted group(s), but no other user management ability will be available.
ASAP No Access: No access to ASAP tab.
Read: Access to ASAP tab. Ability to view task list, calendar, and reports.
Read/Write: All of the access granted above, plus the ability to reset ASAP and modify the task list, calendar, and start date.
USB Campaigns No Access: No access to the USB tab.
Read: Access to USB tab. Can view existing USB drive test campaigns and reports.
Read/Write: All of the access granted above, plus the ability to create, edit, and delete USB drive test campaigns.
AIDA Campaigns No Access: No access to the AIDA tab.
Read: Access to AIDA tab. Can view existing AIDA campaigns and reports.
Read/Write: All of the access granted above, plus the ability to create and delete AIDA campaigns.
Second Chance No Access: No access to the Second Chance tab.
Read: Access to the Second Chance tab. Can view users, devices, and settings.
Read/Write: All of the access granted above, plus the edit the Second Chance settings.
Advanced Reporting No Access: No access to the Advanced Reports tab.
Show: Access to Advanced Reports with the ability to create and download reports.
Phishing Campaigns   No Access: No access to the Campaigns tab within the Phishing area.

Read: Access to Campaigns tab within the Phishing area. Can view existing phishing campaigns and view and download reports.

Use Targeted Groups to further limit access to ONLY the selected group(s).

Read/Write: All of the access granted above, plus the ability to create, edit, hide, or delete phishing campaigns.

Use Targeted Groups to further limit access to ONLY the selected group(s).
Phishing Templates No Access: No access to the Email Templates tab within the Phishing area.
Read: Access to Email Templates tab within the Phishing area. Ability to view available phishing templates and phishing template categories.
Read/Write: All of the access granted above, plus the ability to create, edit, and delete phishing templates and phishing template categories.
Phishing Landing Pages    No Access: No access to the Landing Pages tab within the Phishing area.
Read: Access to Landing Pages tab within the Phishing area. Ability to view available landing pages and landing page categories.
Read/Write: All of the access granted above, plus the ability to create, edit, and delete landing pages and landing page categories.
Phishing Reports   No Access: No access to the Reports tab within the Phishing area.

Show: Access to Reports area within the Phishing area. Ability to create and download aggregate Phishing Reports and view Phishing campaign results.

Use Targeted Groups to further limit access to ONLY the selected group(s).
Phishing Dashboard  No Access: Cannot view the Phishing portion of the Dashboard tab. Dashboard tab will only appear if Phishing Dashboard permissions are granted.
Show: Can view the Phishing portion of the Dashboard. Cannot click for additional data unless other Phishing permissions are provided.
Training Campaigns    No Access: No access to Campaigns tab within the Training area.

Read: Access to Campaigns tab within the Training area. Can view existing training campaigns and view and download reports.

Use Targeted Groups to further limit access to ONLY the selected group(s).

Read/Manage: All of the access granted above, plus the ability to manage campaigns by sending manual training notifications, passing and resetting the completion progress of users, and downloading individual training campaign reports.

Use Targeted Groups to further limit access to ONLY the selected group(s).

Full Read/Write: All of the access granted above, plus the ability to create, edit, and delete training campaigns.

Use Targeted Groups to further limit access to ONLY the selected group(s).
Training Notification Templates No Access: No access to the Notification Templates tab within the Training area.
Read: Access to Notification Templates tab within the Training area. Ability to view available training notifications and training notification categories.
Read/Write: All of the access granted above, plus the ability to create, edit, and delete training notifications and training notification categories.
Policy Management No Access: No access to the Policies tab within the Training area.
Read: Access to Policies tab within the Training area. Ability to view and preview uploaded policies.
Read/Write: All of the access granted above, plus the ability to upload and publish new policies.
Training Reports  No Access: No access to the Reports tab within the Training area.

Show: Access to Reports tab within the Training area. Ability to create, view, and download Training-related reports.

Use Targeted Groups to further limit access to ONLY the selected group(s).
Training Dashboard No Access: Cannot view the Training portion of the Dashboard. Dashboard tab will only appear if Training Dashboard permissions are granted.
Show: Can view the Training portion of the Dashboard. Cannot click for additional data unless other Training permissions are provided.
Vishing Campaigns    No Access: No access to the Campaigns tab within the Training area.

Read: Access to Campaigns tab within the Training area. Can view existing training campaigns and view and download reports.

Use Targeted Groups to further limit access to ONLY the selected group(s).

Read/Write: All of the access granted above, plus the ability to manage campaigns by sending manual training notifications, passing and resetting the completion progress of users, and downloading individual training campaign reports.

Use Targeted Groups to further limit access to ONLY the selected group(s).
Vishing Templates No Access: No access to Templates tab within the Vishing area.
Read: Access to the Templates tab within the Vishing area. Ability to view available vishing templates and vishing template categories.
Read/Write: All of the access granted above, plus the ability to create, edit, and delete vishing templates and vishing template categories.
ModStore No Access: No access to the ModStore Browse tab.
Read: Access to ModStore tab. Ability to browse and preview all available ModStore content.
Read/Write: All of the access granted above, plus the ability to add content to the Library.
Library No Access: No access to the Library tab within the ModStore.
Read: Access to the Library tab within the ModStore. Ability to view and preview items in the Library.
Read/Write: All of the access granted above, plus the ability to download items from the Library.
Uploaded Content No Access: No access to the Uploaded Content tab within the ModStore.

Read: Access to the Uploaded Content tab within the ModStore. Ability to view and preview uploaded content.
Read/Write: All of the access granted above, plus the ability to upload and publish custom content.
Brandable Content No Access: No access to the Brandable Content tab within the ModStore.

Read: Access to the Brandable Content tab within the ModStore. Ability to view applied Branded Themes.
Read/Write: All of the access granted above, plus the ability to create and apply Branded Themes.

Back to top

 

Security Role Use Cases

Here are a few examples of how you can use Security Roles to limit console access based on your employees' job responsibilities or requirements. Click on Use Case title for more information.
Be sure to consider your own organizational structure and needs when creating Security Roles for your KnowBe4 console. 

Use Case 1: Permission to Add, Manage, and Delete Users

Example: Provide the Human Resources group with the ability to add new users to the KnowBe4 console, but without the ability to create or manage phishing and training campaigns.

Permissions: From the General subtab, select Read/Write for Users & Groups. 

 

Use Case 2: Permission to Create Phishing Templates, Landing Pages, and Training Notifications

Example: Provide the Consultant group access to create phishing templates, landing pages, and training notifications, without allowing that individual to access any user, phishing, or training data.

Permissions: From the Phishing subtab, select Read/Write for Phishing Templates and Phishing Landing Pages. 

From the Training subtab, select Read/Write for Training Notification Templates. 

Use Case 3: Permission to Review Employee Training Completion

Example: Provide the Compliance Managers group with the ability to see if users are completing training on time, download training-related reports, and send notifications to users and managers. 

Permissions: From the Training subtab, select Read/Manage for Training Campaigns and select Show for Training Reports.

Use Case 4: Permission to View Training Content

Example: Provide the Training Managers group with the ability to view all available content in the ModStore, for the purpose of creating a training plan.

Permissions: From the ModStore subtab, select Read for ModStore.

Use Case 5: Permission to View Employee Training Status and Phishing Test Results

Example: Provide a specific manager with the ability to view their employees' training statuses and phishing test results, without the ability to view other employee data. 

To assign a specific Security Role to this manager, we must first place the manager in a unique user group. We will also need a group made up of her users. We recommend creating a Smart Group based on the manager's name in the user's profile. See our How to Use Smart Groups article for more information. 

Permissions: From the General subtab, select Read for Users & Groups. Then, select the corresponding group from the Targeted Group drop-down.

From the Phishing subtab, select Read for Phishing Campaigns and Show for Phishing Reports. Then, select the corresponding group from the Targeted Group drop-down.

From the Training subtab, select Read for Training Campaigns and Show for Training Reports. Then, select the corresponding group from the Targeted Group drop-down.

 

Back to top


Frequently Asked Questions (FAQs)

Q: I don't see the Security Roles tab on my console.

  • A: If your KnowBe4 account's subscription level is Platinum or Diamond, you should see the Security Roles tab available to you after clicking on the Users tab at the top of your console.

    If you are a Platinum or Diamond customer and still cannot locate the Security Roles tab, you can contact Support for assistance. If you're not a Platinum or Diamond customer yet but you're interested in upgrading, your Customer Success Manager can assist you.

 

Q: If a user is in two groups, each with separate Security Roles defined, what permissions will they get?

  • A: Permissions are additive, meaning the user will gain all the permissions you defined in the Security Roles for the groups they are a part of.
    Permissions will not be taken away from a user by giving them multiple Security Roles with differing permissions.

 

Q: Can I provide someone the ability to create Security Roles?

  • A: Only Admins on your KnowBe4 account can create Security Roles. Admins will have access to all areas of the console. See: How to assign Admin functions

 

Q: Does the Security Roles feature work with Smart Groups?

  • A: Yes! You can apply Security Roles to Smart Groups if necessary, but this should only be used for special cases. When using Smart Groups and Security Roles, keep in mind that for any campaign/reports access you provide, associated campaigns must have targeted only the group(s) that the Security Role has access to or else they will not appear for that Security Role.

    You can also limit access for a Security Role by using the Targeted Groups feature to view/manage specific Smart Groups.

 

Q: I want to allow my Security Role to import or delete users for specific groups only. Can I do this?

  • A: No, you can't limit the ability to import users to specific groups. If your permissions are limited to a particular group, you will be unable to take actions that affect multiple groups. Specifically, a Security Role for Users & Groups (which targets specific groups only) will not have the ability to import users.

Back to top

Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.

Related articles