What are Security Roles?
Our Security Roles feature, available to Platinum and Diamond customers, allows you to define the level of access and administrative ability that you'd like specific user groups to have.
This feature helps you follow the principle of least privilege in your KnowBe4 console, ensuring that the various areas of your KnowBe4 account are only accessible to those who need them.
This article covers Security Roles in depth. For a short overview, check out our Security Roles video.
Use Cases for Security Roles
Here are a few examples of how you can use Security Roles to limit console access based on your employees' job responsibilities or requirements. Be sure to consider your own organizational structure and needs when creating Security Roles for your KnowBe4 console.
Use Case #1: Need to Add, Manage, and Delete Users
Need: To provide Human Resources or IT with the ability to add new users to your KnowBe4 console, but without the ability to create or manage phishing and training campaigns.
Solution: Create a Security Role providing Read/Write access to Users & Groups. This allows them to add, manage, and delete users and groups in your console as needed.
Example of Permissions Settings for this Use Case:
General Permissions Tab
Use Case #2: Need to Create Phishing Templates, Landing Pages, and Training Notifications
Need: To provide creative control to a consultant or other internal employee to create phishing templates, landing pages, and training notifications, without allowing that individual to access any user, phishing, or training data.
Solution: Create a Security Role providing Read/Write access to Phishing Templates, Landing Pages, and Training Notifications.
Example of Permissions Settings for this Use Case:
Phishing Permissions Tab
Training Permissions Tab
Use Case #3: Need to Review Employee Completion of Assigned Security Training for Compliance or Onboarding Purposes
Need: To provide a Training or Compliance group with the ability to see if users are completing their annual security awareness training on time, download training-related reports, and send notifications to users and managers to ensure everyone is in compliance with organization policy.
Solution: Create a Security Role providing Read/Manage access to Training Campaigns and Read Only access to Training Reports.
Example of Permissions Settings for this Use Case:
Training Permissions Tab
Use Case #4: Need to Review ModStore Training Content
Need: To provide a Training, Compliance, or HR group with the ability to review all the available ModStore content, for the purpose of creating a training plan for the year.
Solution: Create a Security Role providing Browse access to ModStore.
Example of Permissions Settings for this Use Case:
General Permissions Tab
Use Case #5: Manager Needs to View Employee Training Status/Completion or Phishing Test Results
Need: To provide a specific manager "John Smith" with the ability to review their employees' progress/status on training campaigns as well as phishing test results, without allowing them to view other employee data.
Solution: Place manager John Smith in a unique group, then apply a Security Role to that group that provides Read Only access to Phishing Campaigns, Phishing Reports, Users & Groups, Training Campaigns, and Training Reports for the targeted group. (Don't have a group with this manager's users in it yet? You can use Smart Groups to automatically create a group based on user information, such as manager name.)
Example of Permissions Settings for this Use Case:
General Permissions Tab
Phishing Permissions Tab
Training Permissions Tab
How to Set Up Security Roles
First, you'll want to make sure you have groups set up in your console, as Security Roles are applied to groups rather than users.
If you haven't created any groups yet, there are a few ways to do this. Most commonly, you'll create them manually under the Users > Groups tab or through a CSV import when importing users. See our Managing Groups article for more information.
Once you have groups set up, you can follow the steps below to create Security Role(s) for specific groups.
- Navigate to the Users tab within your console, then click the Security Roles tab.
- Click the +New Security Role button on the top-right of your screen.
- Name your Security Role, then select one or more groups to assign the Role to.
- Click the tabs next to Role Definition (General, Phishing, Training, Vishing) to select what permissions you'd like to apply to this particular Security Role. You can select as many as you'd like. See the Permissions Descriptions section below for details on what each permission includes.
On certain permissions, you can limit the permission further so that it applies only to specific "targeted groups". To do that, after granting the permission, add groups to the Targeted Groups drop-down.
Important information about Targeted Groups:
Campaign data will only appear if the applied Security Role has access to ALL groups targeted by the campaign. For example, if there is a Phishing Campaign targeting groups A, B, and C, but the Security Role only provides Phishing Campaign access to groups A and B, that phishing campaign will NOT appear.
General Permissions (See Description)
Phishing Permissions (See Description)
Training Permissions (See Description)
Vishing Permissions (See Description)
- Click the Create Security Role button when you are finished. Any users affected by the Security Roles you've defined will be able to access their designated areas instantly.
Managing Security Roles
You can manage your Security Roles from within the Users > Security Roles tab of your console. Here you will see a list of all the Security Roles you've created.
To edit, clone, or delete Security Roles, click the downward-facing arrow towards the right of the Role you'd like to make changes to, and select Edit, Clone, or Delete.
Editing Security Roles
Alternatively, you can click the name of any Security Role to modify it. This will take you to the Access Profile for that particular Security Role, where you can grant or remove permissions as needed.
Cloning Security Roles
Clicking Clone will duplicate the Security Role's permissions and take you to the Access Profile for the "cloned" group. The word "Clone" will be automatically added to the Security Role Name. Modify the Name, Security Role Groups, permissions settings, and Targeted Groups as necessary, then click the Create Security Role button to save your "cloned" group.
Deleting Security Roles
Clicking Delete will permanently delete that Security Role from your console. This action cannot be undone.
Permissions Descriptions
Frequently Asked Questions (FAQs)
- I don't see the Security Roles tab on my console.
If your KnowBe4 account's subscription level is Platinum or Diamond, you should see the Security Roles tab available to you after clicking on the Users tab at the top of your console. If you are a Platinum or Diamond customer and still cannot locate the Security Roles tab, you can contact Support for assistance.
If you're not a Platinum or Diamond customer yet but you're interested in upgrading, your Customer Success Manager can assist you. Not sure who your Customer Success Manager is? Our Support Team can assist you.
- If a user is in two groups, each with separate Security Roles defined, what permissions will they get?
Permissions are additive, meaning the user will gain all the permissions you defined in the Security Roles for the groups they are a part of. Permissions will not be taken away from a user by giving them multiple Security Roles with differing permissions.
- Can I provide someone the ability to create Security Roles?
Only Admins on your KnowBe4 account can create Security Roles. Admins will have access to all areas of the console. See: How to assign Admin functions
- Does the Security Roles feature work with Smart Groups?
Yes! You can apply Security Roles to Smart Groups if necessary, but this should only be used carefully and for special cases.
You can also limit access for a Security Role by using the "Targeted Groups" feature to view/manage only specific Smart Groups. This feature will delegate the Security Role's permissions to only view/manage users who fit the specific criteria for that Smart Group.
When using Smart Groups and Security Roles, keep in mind that for any campaign/reports access you provide, associated campaigns must have targeted only the group(s) that the Security Role has access to or else they will not appear for that Security Role.
- I want to allow my Security Role to import or delete users for specific groups only. Can I do this?
No, you can't limit the ability to import users to specific groups. If your permissions are limited to a particular group, you will be unable to take actions that affect multiple groups. Specifically, a Security Role for Users & Groups (which targets specific groups only) will not have the ability to import users.
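To check a planned role design before you build it, the Targeted Groups rule ("ALL groups targeted by the campaign") and the additive-permissions rule from the FAQ can be modelled in a few lines. This is an added example, not KnowBe4 code or an API of the console; the group, role and campaign names are constructed, and it assumes each role's Targeted Groups are evaluated on their own rather than merged across roles, which the article does not specify.

```python
from dataclasses import dataclass, field

ALL_GROUPS = None  # grant is not limited by Targeted Groups


@dataclass
class SecurityRole:
    name: str
    assigned_groups: frozenset                  # groups whose members receive the role
    grants: dict = field(default_factory=dict)  # permission -> targeted groups or ALL_GROUPS


def effective_grants(user_groups, roles):
    """Additive roles: collect every grant from every role assigned to any of the user's groups."""
    merged = {}
    for role in roles:
        if role.assigned_groups & user_groups:
            for permission, scope in role.grants.items():
                merged.setdefault(permission, []).append(scope)
    return merged


def visible_campaigns(user_groups, roles, campaigns, permission):
    """A campaign appears only if a single grant covers ALL groups the campaign targets."""
    scopes = effective_grants(user_groups, roles).get(permission, [])
    return sorted(
        name for name, targeted in campaigns.items()
        if any(scope is ALL_GROUPS or targeted <= scope for scope in scopes)
    )


# Constructed sample data (all names are made up for illustration).
ROLES = [
    SecurityRole("Phish reviewers", frozenset({"Reviewers"}),
                 {"Phishing Campaigns": frozenset({"A", "B"})}),
    SecurityRole("Training auditors", frozenset({"Compliance"}),
                 {"Training Campaigns": ALL_GROUPS}),
]
CAMPAIGNS = {
    "Campaign targeting A, B, C": frozenset({"A", "B", "C"}),
    "Campaign targeting A, B": frozenset({"A", "B"}),
    "Campaign targeting A": frozenset({"A"}),
}

if __name__ == "__main__":
    user = frozenset({"Reviewers", "Compliance"})  # member of two groups
    print(sorted(effective_grants(user, ROLES)))
    print(visible_campaigns(user, ROLES, CAMPAIGNS, "Phishing Campaigns"))
```

The campaign that also targets group C is absent from the result even though the role covers A and B, which is the behaviour to expect when a report looks incomplete for a scoped role.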