Security Roles

Security Roles Guide

Our Security Roles feature, available to Platinum and Diamond customers, allows you to set the level of administrative permission for a specific user group. Security Roles can help you follow the principle of least privilege in your KSAT console, ensuring that the various areas of your console are only accessible to users who need them.

For a short overview, check out our How to Use Security Roles video. For more specific information, continue reading or click the links below.

Setting Up Security Roles

First, you'll want to make sure you have set up groups in your console since Security Roles are applied to groups rather than users. See the Managing Groups section of our Users and Groups article for more information.

Once you have set up groups, you can follow the steps below to create Security Roles for specific groups:

  1. Navigate to the Users tab in your console, then click the Security Roles subtab.
  2. Click the +New Security Role button at the top-right corner of the screen.
  3. In the Security Role Name field, enter a name for this Security Role.
  4. Then, select one or more groups from the Groups drop-down menu to assign this role to.
  5. Navigate using the remaining subtabs and select the permissions you would like this Security Role to have. The remaining subtabs on the screen include permission options for the corresponding areas of your console. See the Permissions Descriptions section below for details on what each permission includes. For some permissions, you can further limit them to specific targeted groups.
    Important: Users can only see training and phishing campaigns if the Security Role has access to all groups in the campaign.
    • If a user is individually or bulk-enrolled via CSV file, Security Role users will lose access to the campaign.
    • Phishing data and phishing report data will only display if the Security Role has access to all groups in the campaign.
  6. Once you've selected the permissions, click the Create Security Role button. Any users affected by the Security Roles you've defined will gain access to the designated areas instantly.

Managing Security Roles

To manage your Security Roles, navigate to the Users tab of your KSAT console and select the Security Roles subtab. All of your created Security Roles are listed here.

For more information about the Security Roles subtab, see the screenshot and list below:

  1. Search: Search for Security Roles by name or group.
  2. Security Role Name: Click the name of a Security Role to view and edit the permissions for that role.
  3. Groups: This column lists all groups with this Security Role assigned. Click the name of a group to see more details about that group.
  4. Users: This column displays the number of users with this Security Role assigned.
  5. Actions: Use the drop-down menu to edit, clone, or delete a Security Role. For more information, see the list below:
    • Edit: View and edit the permissions for that role.
    • Clone: Cloning a Security Role will open the Create Security Role screen. The same permissions from the cloned group will be selected automatically. You can modify the name, Security Role groups, permissions settings, and targeted groups as necessary. Then, you can click the Clone Security Role button to save your new group.
    • Delete: Deleting a Security Role completely removes it from your console. This action cannot be undone.

Permissions Descriptions

The sections below describe the permissions available for each area of your console.

Note: All users with any level of Security Role access will automatically be given access to the Reports tab and Download Center.

Account Settings

No Access: This permission provides no access to the Account Settings area.
Read: This permission provides the ability to view all Account Settings.
Read/Write: This permission provides all of the above access, plus the ability to view and modify all Account Settings.

Audit Log

No Access: This permission provides no access to the Audit Log page.
Show: This permission provides access to the Audit Log page. This permission includes the ability to view detailed information about changes made in your KSAT console up to 180 days in the past. This information includes what changes occurred, which user made the changes, and where the changes happened in the console.

Users & Groups

No Access: This permission provides no access to the Users tab.

Read: This permission provides access to the Users tab. This permission includes the ability to view the user list as well as individual user profiles, the ability to view groups and group membership, and the ability to view user provisioning information (if applicable).

You can use the Targeted Groups drop-down menu to further limit access to the selected groups. If you select targeted groups, this role will not have access to the Import Users, Provisioning, or Merge Users subtabs.

Read/Write: This permission provides all of the access granted above, plus the ability to create, modify, or delete users and groups. You can use the Targeted Groups drop-down menu to further limit access to the selected groups.

If you select targeted groups, this role will not have access to the Import Users, Provisioning, or Merge Users subtabs. You will be able to modify user information for users in any of your targeted groups, but no other user management ability will be available.

ASAP

No Access: This permission provides no access to the ASAP tab.
Read: This permission provides access to the ASAP tab. This permission includes the ability to view the task list, calendar, and reports.
Read/Write: This permission provides all of the access granted above, plus the ability to reset ASAP and modify the task list, calendar, and start date.

USB Campaigns

No Access: This permission provides no access to the USB tab.
Read: This permission provides access to the USB tab. Any groups with this permission can view existing USB drive test campaigns and reports.
Read/Write: This permission provides all of the access granted above, plus the ability to create, edit, and delete USB drive test campaigns.

Physical QR Campaigns

No Access: This permission provides no access to the Physical QR Code tab.
Read: This permission provides access to the Physical QR Code tab. Any groups with this permission can view existing physical QR code campaigns and templates.
Read/Write: This permission provides all of the access granted above, plus the ability to create, edit, and delete physical QR code campaigns.

Second Chance

No Access: This permission provides no access to the Second Chance tab.
Read: This permission provides access to the Second Chance tab. Any groups with this permission can view users, devices, and settings.
Read/Write: This permission provides all of the access granted above, plus the ability to edit the Second Chance settings.

PasswordIQ

No Access: This permission provides no access to the PasswordIQ tab.
Read/Write: This permission provides access to the PasswordIQ tab. Groups with this permission can view and interact with PasswordIQ data.

Phishing Campaigns

No Access: This permission provides no access to the Campaigns subtab in the Phishing tab.

Read: This permission provides access to the Campaigns subtab in the Phishing tab. Any groups with this permission can view existing phishing campaigns and view and download reports.

You can use the Targeted Groups drop-down menu to further limit access to the selected groups.

Read/Write: This permission provides all of the access granted above, plus the ability to create, edit, hide, or delete phishing campaigns.

You can use the Targeted Groups drop-down menu to further limit access to the selected groups.

Phishing Templates

No Access: This permission provides no access to the Email Templates subtab in the Phishing tab.
Read: Allow users to view or modify the Phishing > Phishing Templates subtab.
Read/Write: This permission provides all of the access granted above, plus the ability to create, edit, and delete phishing templates and phishing template categories.

Phishing Landing Pages

No Access: This permission provides no access to the Landing Pages subtab in the Phishing tab.
Read: This permission provides access to the Landing Pages subtab in the Phishing tab. This permission includes the ability to view available landing pages and landing page categories.
Read/Write: This permission provides all of the access granted above, plus the ability to create, edit, and delete landing pages and landing page categories.

Phishing Reports

No Access: This permission provides no access to the Reports subtab in the Phishing tab.

Show: This permission provides access to the Reports subtab in the Phishing tab. This permission includes the ability to create and download aggregate phishing reports and view phishing campaign results.

You can use the Targeted Groups drop-down menu to further limit access to the selected groups.

Phishing Dashboard

No Access: Groups without this permission cannot view the Phishing section of the Dashboard tab. The Dashboard tab will only display if Phishing Dashboard permissions are granted.
Show: Groups with this permission can view the Phishing section of the Dashboard tab. Groups with this permission cannot click for additional data unless other Phishing permissions are provided.

Dashboard & Reports

No Access: This permission provides no access to the Dashboard and Reports subtabs in the SecurityCoach tab.
Show: This permission provides access to the Dashboard and Reports subtabs in the SecurityCoach tab.

Real-Time Coaching & SecurityTips

No Access: This permission provides no access to the Real-Time Coaching and SecurityTip subtabs in the SecurityCoach tab.

Read: This permission provides access to the Real-Time Coaching and SecurityTip subtabs in the SecurityCoach tab. Groups with this permission can view existing real-time coaching campaigns on the Real-Time Coaching subtab and content on the SecurityTips subtab.

Read/Write: This permission provides all of the access granted above, plus the ability to create, edit, or delete real-time coaching campaigns.

Detection Rules

No Access: This permission provides no access to the Detection Rules subtab in the SecurityCoach tab.
Read: This permission provides access to view existing detection rules on the Detection Rules subtab in the SecurityCoach tab.
Read/Write: This permission provides all of the access granted above, plus the ability to create and edit detection rules.

Setup

No Access: This permission provides no access to the Setup subtab in the SecurityCoach tab.
Read/Write: This permission provides access to the Setup subtab in the SecurityCoach tab. Groups with this permission can view and edit the configuration settings for SecurityCoach.

Training Campaigns

No Access: This permission provides no access to the Campaigns subtab in the Training tab.

Read: This permission provides access to the Campaigns subtab in the Training tab. Groups with this permission can view existing training campaigns and view and download reports.

You can use the Targeted Groups drop-down menu to further limit access to the selected groups.

Read/Manage: This permission provides all of the access granted above, plus the ability to manage campaigns by sending manual training notifications, passing and resetting the completion progress of users, and downloading individual training campaign reports.

You can use the Targeted Groups drop-down menu to further limit access to the selected groups.

Full Read/Write: This permission provides all of the access granted above, plus the ability to create, edit, and delete training campaigns.

You can use the Targeted Groups drop-down menu to further limit access to the selected groups.

Allow Security Role users to enroll additional users in training campaigns: When enabled, users assigned this Security Role can use the enroll users feature. This feature allows them to enroll individual users in active training campaigns. If you selected targeted groups, only users in those groups can be enrolled using this feature.

Note: Users with this Security Role permission who don't have access to All Users will only see training campaigns for the targeted groups they have access to. Any users outside of the targeted groups will have their enrollments hidden within the training campaign.

Training Notification Templates

No Access: This permission provides no access to the Notification Templates subtab in the Training tab.
Read: This permission provides access to the Notification Templates subtab in the Training tab. This permission includes the ability to view available training notifications and training notification categories.
Read/Write: This permission provides all of the access granted above, plus the ability to create, edit, and delete training notifications and training notification categories.

Policy Management

No Access: This permission provides no access to the Policies subtab in the Training tab.
Read: This permission provides access to the Policies subtab in the Training tab. This permission includes the ability to view and preview uploaded policies.
Read/Write: This permission provides all of the access granted above, plus the ability to upload and publish new policies.

Training Reports

No Access: This permission provides no access to the Reports subtab in the Training tab.

Show: This permission provides access to the Reports subtab in the Training tab. This permission includes the ability to create, view, and download training-related reports.

You can use the Targeted Groups drop-down menu to further limit access to the selected groups.

Training Dashboard

No Access: Groups without this permission cannot view the Training section of the Dashboard tab. The Dashboard tab will only display if Training Dashboard permissions are granted.
Show: Groups with this permission can view the Training section of the Dashboard tab. Groups with this permission cannot click for additional data unless other Training permissions are provided.

ModStore

No Access: This permission provides no access to the Browse subtab in the ModStore.
Read: This permission provides access to the ModStore tab. This permission includes the ability to browse and preview all available ModStore content.
Read/Write: This permission provides all of the access granted above, plus the ability to add content to the library and download items.

Library

No Access: This permission provides no access to the Library subtab in the ModStore.
Read: This permission provides access to the Library subtab in the ModStore. This permission includes the ability to view and preview items in the library.
Read/Write: This permission provides all of the access granted above, plus the ability to download items from the library.

Uploaded Content

No Access: This permission provides no access to the Uploaded Content subtab in the ModStore.

Read: This permission provides access to the Uploaded Content subtab in the ModStore. This permission includes the ability to view and preview uploaded content.

Read/Write: This permission provides all of the access granted above, plus the ability to upload and publish custom content.

Brandable Content and Content Manager

No Access: No access to the Brandable Content and Content Manager subtabs in the ModStore.

Read: Access to the Brandable Content and Content Manager subtabs in the ModStore. Ability to view applied Branded Themes and Content Manager settings.

Read/Write: All of the access granted above, plus the ability to create and apply Branded Themes as well as adjust Content Manager settings.

Reports

No Access: This permission provides access to the Reports tab and Download Center. It does not include the ability to view executive reports and saved reports.

Read: This permission provides all of the access granted above, plus the ability to view executive reports and saved reports.

Read/Write: This permission provides all the access granted above, plus the ability to create and save executive reports.

Phishing Reports: This permission provides access to selected phishing reports.
Training Reports: This permission provides access to selected training reports.
Other Reports: This permission provides access to other selected reports.
SecurityCoach Reports: This permission provides access to selected SecurityCoach reports.

Send Reports

Important: Reporting Read access or Executive Report Read access is required for this permission.
No Access: This permission provides no access to send and schedule reports.
Read/Write: This permission provides the ability to send and schedule reports.

Executive Reports

No Access: This permission provides no access to the Executive Reports subtab.

Read: This permission provides access to the Executive Reports subtab. This permission includes the ability to view Executive Reports.

Read/Write: This permission provides all of the access granted above, plus the ability to create Executive Reports.

Security Role Use Cases

Here are a few examples of how you can use Security Roles to limit console access based on your employees' job responsibilities or requirements.

Be sure to consider your own organizational structure and needs when creating Security Roles for your KSAT console.

  • Example: Provide the Human Resources group with the ability to add new users to the KSAT console but without the ability to create or manage phishing and training campaigns.

    Permissions: From the General subtab, select Read/Write for Users & Groups.

  • Example: Provide the Consultant group access to create phishing templates, landing pages, and training notifications, without allowing that individual to access any user, phishing, or training data.

    Permissions: From the Phishing subtab, select Read/Write for Phishing Templates and Phishing Landing Pages.

    From the Training subtab, select Read/Write for Training Notification Templates.

  • Example: Provide the Compliance Managers group with the ability to see if users are completing training on time, download training-related reports, and send notifications to users and managers.

    Permissions: From the Training subtab, select Read/Manage for Training Campaigns and select Show for Training Reports.

  • Example: Provide the Training Managers group with the ability to view all available content in the ModStore, add it to your account's library, and view the content in your library.

    Permissions: From the ModStore subtab, select Read/Write for ModStore and Read for Library.

  • Example: Provide a manager with the ability to view the training statuses and phishing test results of a specific user group. The manager will not be able to view any campaign that the group is not enrolled in, any campaign that also has other groups enrolled in it, or any sensitive user information.

    To assign a specific Security Role to this manager, we must first place the manager in a unique user group. We will also need a group made up of their users. We recommend creating a Smart Group based on the manager's name in the user's profile. See our Smart Groups Overview for more information.

    Permissions: From the General subtab, select Read for Users & Groups. Then, select the corresponding group from the Targeted Groups drop-down menu.

    From the Phishing subtab, select Read for Phishing Campaigns and Show for Phishing Reports. Then, select the corresponding group from the Targeted Groups drop-down menu.

    From the Training subtab, select Read for Training Campaigns and Show for Training Reports. Then, select the corresponding group from the Targeted Groups drop-down menu.

Frequently Asked Questions (FAQs)

Below are the FAQs about Security Roles:

  1. Question: I don't see the Security Roles subtab on my console.

    Answer: If your subscription level is Platinum or Diamond, you should see the Security Roles subtab after clicking on the Users tab at the top of your console.

    If you are a Platinum or Diamond customer and still cannot locate the Security Roles subtab, you can contact support for assistance. If you're not a Platinum or Diamond customer yet but you're interested in upgrading, your Customer Success Manager can assist you.

  2. Question: If a user is in two groups, each with separate Security Roles defined, what permissions will they get?

    Answer: Permissions are additive, which means that the user will gain all the permissions you defined in the Security Roles for the groups they are a part of.

    Permissions will not be removed from a user by giving them multiple Security Roles with differing permissions.

  3. Question: Can I provide someone the ability to create Security Roles?

    Answer: Only admins in your KSAT console can create Security Roles. Admins will have access to all areas of the console. For more information, see the How to Assign and Remove Admin Functions from a User article.

  4. Question: Does the Security Roles feature work with Smart Groups?

    Answer: Yes! You can apply Security Roles to Smart Groups if necessary, but this should only be used for special cases. When using Smart Groups and Security Roles, keep in mind that, for any campaign or report access you provide, the associated campaigns must target only groups that the Security Role has access to. Otherwise, they will not display for that Security Role.

    You can also limit access for a Security Role by using the Targeted Groups field to view or manage specific Smart Groups.

  5. Question: Can I allow my Security Role to import or delete users for specific groups only?

    Answer: No, you can't limit the ability to import users to specific groups. If your permissions are limited to a particular group, you will be unable to take actions that affect multiple groups. Specifically, a Security Role with Users & Groups permissions that only targets specific groups will not have the ability to import users.
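
The additive rule from FAQ 2 and the all-groups visibility rule from the Setting Up Security Roles steps can be checked on paper before roles are assigned. The following is an added example, not KnowBe4 code or a KSAT API: a Python model that uses constructed role and group names, an assumed ranking of the permission levels, and the assumption that targeted groups are evaluated per role.

```python
# Added example: a model of the rules on this page, not KnowBe4's implementation.
from dataclasses import dataclass
from typing import Optional

# Assumed ordering of the permission levels named on the page.
RANK = {"No Access": 0, "Show": 1, "Read": 1, "Read/Manage": 2,
        "Read/Write": 3, "Full Read/Write": 3}

@dataclass(frozen=True)
class Grant:
    level: str
    targeted: Optional[frozenset] = None  # None = not limited to targeted groups

@dataclass
class Role:
    name: str
    groups: frozenset   # groups the Security Role is assigned to
    grants: dict        # permission area -> Grant

def roles_for(user_groups, roles):
    """Roles that reach a user through any of the user's groups."""
    return [r for r in roles if r.groups & set(user_groups)]

def effective_levels(user_groups, roles):
    """Additive merge: the highest level per area across all matching roles."""
    best = {}
    for role in roles_for(user_groups, roles):
        for area, grant in role.grants.items():
            if RANK[grant.level] > RANK[best.get(area, "No Access")]:
                best[area] = grant.level
    return best

def exceeds_every_single_role(user_groups, roles):
    """True when the merged permissions are broader than any one role alone."""
    merged = effective_levels(user_groups, roles)
    for role in roles_for(user_groups, roles):
        own = {a: g.level for a, g in role.grants.items()}
        if all(RANK[own.get(a, "No Access")] >= RANK[lvl]
               for a, lvl in merged.items()):
            return False
    return bool(merged)

def can_see_campaign(user_groups, roles, area, campaign_groups):
    """Visible only if one role grants the area and covers every campaign group.
    Assumption: targeted groups are checked per role, not pooled across roles."""
    for role in roles_for(user_groups, roles):
        grant = role.grants.get(area)
        if grant is None or RANK[grant.level] == 0:
            continue
        if grant.targeted is None or set(campaign_groups) <= grant.targeted:
            return True
    return False

# Constructed roles, modelled on the use cases above; group names are made up.
TEAM_A = frozenset({"Team A"})
ROLES = [
    Role("HR", frozenset({"Human Resources"}),
         {"Users & Groups": Grant("Read/Write")}),
    Role("Compliance", frozenset({"Compliance Managers"}),
         {"Training Campaigns": Grant("Read/Manage"),
          "Training Reports": Grant("Show")}),
    Role("Team A manager", frozenset({"Team A Managers"}),
         {"Users & Groups": Grant("Read", TEAM_A),
          "Phishing Campaigns": Grant("Read", TEAM_A)}),
]
```

Running exceeds_every_single_role over each user's group list flags the accounts whose combined access was never reviewed as a single role.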
