What are Security Roles?
Our Security Roles feature, available to Platinum and Diamond customers, allows you to define the level of access and administrative ability that you'd like specific user groups to have.
This feature helps you follow the principle of least privilege in your KnowBe4 console, ensuring that the various areas of your KnowBe4 account are only accessible to those who need them.
This article goes into depth about Security Roles. For a short overview, check out our Security Roles video.
Use Cases for Security Roles
Here are a few examples of how you can use Security Roles to limit console access based on your employees' job responsibilities or requirements. Be sure to consider your own organizational structure and needs when creating Security Roles for your KnowBe4 console.
Use Case #1: Need to Add, Manage, and Delete Users
Need: To provide Human Resources or IT with the ability to add new users to your KnowBe4 console, but without the ability to create or manage phishing and training campaigns.
Solution: Create a Security Role providing Read/Write access to Users & Groups. This allows them to add, manage, and delete users and groups in your console as needed.
Use Case #2: Need to Create Phishing Templates, Landing Pages, and Training Notifications
Need: To provide creative control to a consultant or other internal employee to create phishing templates, landing pages, and training notifications, without allowing that individual to access any user, phishing, or training data.
Solution: Create a Security Role providing Read/Write access to Phishing Templates, Landing Pages, and Training Notifications.
Use Case #3: Need to Review Employee Completion of Assigned Security Training for Compliance or Onboarding Purposes
Need: To provide a Training or Compliance group with the ability to see if users are completing their annual security awareness training on time, download training-related reports, and send notifications to users and managers to ensure everyone is in compliance with organization policy.
Solution: Create a Security Role providing Read/Manage access to Training Campaigns and Read Only access to Training Reports.
Use Case #4: Need to Review ModStore Training Content
Need: To provide a Training, Compliance, or HR group with the ability to review all the available ModStore content, for the purpose of creating a training plan for the year.
Solution: Create a Security Role providing Browse access to ModStore.
Use Case #5: Manager Needs to View Employee Training Status/Completion or Phishing Test Results
Need: To provide a specific manager with the ability to review their employees' progress/status on training campaigns as well as phishing test results, without allowing them to view other employee data.
Solution: Place that manager in a unique group, then apply a Security Role to that group that provides Read Only access to Phishing Campaigns, Phishing Reports, Users & Groups, Training Campaigns, and Training Reports for the targeted group. (Don't have a group with this manager's users in it yet? You can use Smart Groups to automatically create a group based on user information, such as manager name.)
How to Set Up Security Roles
First, you'll want to make sure you have groups set up in your console, as Security Roles are applied to groups rather than users.
If you haven't created any groups yet, there are a few ways to do this. Most commonly, you'll create them manually under the Users --> Groups tab or through a CSV import when importing users. See our Managing Groups article for more information.
Once you have groups set up, you can follow the steps below to create Security Role(s) for specific groups.
- Navigate to the Users tab within your console, then click the Security Roles tab.
- Click the "+New Security Role" button on the top-right of your screen.
- Name your Security Role, then select one or more groups to assign the Role to.
- Click the tabs next to Role Definition (General, Phishing, Training, Vishing) to select what permissions you'd like to apply to this particular Security Role. You can select as many as you'd like. See the Permissions Descriptions section below for details on what each permission includes.
On certain permissions, you can further limit the permission so that it applies only to specific "targeted groups". To do that, grant the permission first, then add groups to its Targeted Groups drop-down.
Important information about Targeted Groups:
Campaign data will only appear if the applied Security Role has access to ALL groups targeted by the campaign. For example, if there is a Phishing Campaign targeting groups A, B, and C, but the Security Role only provides Phishing Campaign access to groups A and B, that phishing campaign will NOT appear.
General Permissions (See Description)
Phishing Permissions (See Description)
Training Permissions (See Description)
Vishing Permissions (See Description)
- Click the "Create Security Role" button when you are finished. Any users affected by the Security Roles you've defined will be able to access their designated areas instantly.
Managing Security Roles
You can manage your Security Roles from within the Users --> Security Roles tab of your console. Here you will see a list of all the Security Roles you've created.
To edit or delete Security Roles, click the downward-facing arrow towards the right of the Role you'd like to make changes to and select either "Edit" or "Delete". You can also click the name of any Security Role to modify it. This will take you to the Access Profile for that particular Security Role, where you can grant or remove permissions as needed.
Frequently Asked Questions (FAQs)
- I don't see the Security Roles tab on my console.
If your KnowBe4 account's subscription level is Platinum or Diamond, you should see the Security Roles tab available to you after clicking on the Users tab at the top of your console. If you are a Platinum or Diamond customer and still cannot locate the Security Roles tab, you can contact Support for assistance.
If you're not a Platinum or Diamond customer yet but you're interested in upgrading, your Customer Success Manager can assist you. Not sure who your Customer Success Manager is? Our Support Team can assist you.
- If a user is in two groups, each with separate Security Roles defined, what permissions will they get?
Permissions are additive, meaning the user will gain all the permissions you defined in the Security Roles for the groups they are a part of. Permissions will not be taken away from a user by giving them multiple Security Roles with differing permissions.
- I have a lot of Security Roles, users, and groups created. How do I know what Security Roles apply to what users?
You can see what Security Roles are applied to a user by accessing that user's individual profile page. You can access their profile by clicking their email address after navigating to the Users tab of your console.
- Can I provide someone the ability to create Security Roles?
Only Admins on your KnowBe4 account can create Security Roles. Admins will have access to all areas of the console. See: How to assign Admin functions
- Does the Security Roles feature work with Smart Groups?
Yes! You can apply Security Roles to Smart Groups if necessary, but this should only be used carefully and for special cases.
You can also limit access for a Security Role by using the "Targeted Groups" feature to view/manage only specific Smart Groups. This feature will delegate the Security Role's permissions to only view/manage users who fit the specific criteria for that Smart Group.
When using Smart Groups and Security Roles, keep in mind that for any campaign/reports access you provide, associated campaigns must have targeted only the group(s) that the Security Role has access to or else they will not appear for that Security Role.
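The two access rules described in this article (permissions are additive across a user's groups, and campaign data appears only when a role covers ALL groups a campaign targets) are modeled below as an added example for reviewing a role design before building it in the console; it is not KnowBe4 code or an API. Group and role names are constructed, and two assumptions are made: a grant with no Targeted Groups is unrestricted, and each role's targeted groups are evaluated on their own rather than pooled across roles.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    area: str                          # e.g. "Phishing Campaigns"
    level: str                         # e.g. "Read Only"
    targeted: frozenset = frozenset()  # empty = no Targeted Groups limit (assumption)

@dataclass(frozen=True)
class Role:
    name: str
    groups: frozenset                  # groups the role is assigned to
    grants: tuple

def roles_for(user_groups, roles):
    """Roles reach a user only through group membership."""
    member_of = set(user_groups)
    return [r for r in roles if r.groups & member_of]

def effective_grants(user_groups, roles):
    """Additive model: union of every (area, level) from every applicable role."""
    return {(g.area, g.level) for r in roles_for(user_groups, roles) for g in r.grants}

def campaign_visible(user_groups, roles, area, campaign_groups):
    """Visible only if one grant for `area` covers ALL groups the campaign targets."""
    wanted = set(campaign_groups)
    for role in roles_for(user_groups, roles):
        for g in role.grants:
            # Per-role evaluation (assumption): targeted groups are not pooled.
            if g.area == area and (not g.targeted or wanted <= g.targeted):
                return True
    return False

# Constructed sample data (group and role names are hypothetical).
ROLES = [
    Role("Manager view", frozenset({"East Managers"}),
         (Grant("Phishing Campaigns", "Read Only", frozenset({"A", "B"})),)),
    Role("HR user admin", frozenset({"HR"}),
         (Grant("Users & Groups", "Read/Write"),)),
]
USER_GROUPS = ["East Managers", "HR"]

if __name__ == "__main__":
    print(sorted(effective_grants(USER_GROUPS, ROLES)))
    for targets in (["A", "B"], ["A", "B", "C"]):
        print(targets, campaign_visible(USER_GROUPS, ROLES, "Phishing Campaigns", targets))
```

Running the same check over planned roles shows which users would accumulate more access than intended through overlapping group memberships, and which campaigns would be hidden from a role because one targeted group is missing.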