What Are Security Roles?
Our Security Roles feature, available to Platinum and Diamond customers, allows you to set the level of administrative permission for a specific user group. This will help you follow the principle of least privilege in your KnowBe4 console, ensuring that the various areas of your KnowBe4 account are only accessible to those who need them.
For a short overview, check out our How to Use Security Roles video. For more in-depth information, continue reading or click the links below to jump to a specific section of this article.
Jump to:
How to Set Up Security Roles
Managing Security Roles
Permission Descriptions
Security Role Use Cases
Frequently Asked Questions (FAQs)
How to Set Up Security Roles
First, you'll want to make sure you have groups set up in your console, as Security Roles are applied to groups rather than users. See the Managing Groups section of our Users and Groups article for more information.
Once you have groups set up, you can follow the steps below to create Security Roles for specific groups.
- Navigate to the Users tab within your console, then click the Security Roles subtab.
- From the top-right of the screen, click the +New Security Role button.
- Set a name for this Security Role and then select one or more groups from the drop-down to assign this role to.
- Navigate using the remaining subtabs and select the permissions you'd like this Security Role to have. The remaining subtabs on the screen include permission options for the corresponding areas of your console. See the Permissions Descriptions section below for details on what each permission includes.
- For some permissions, you can further limit them to specific targeted groups.
Important: Users can only see training and phishing campaigns if the Security Role has access to all groups in the campaign.
- If a user is individually or CSV bulk enrolled, Security Role users will lose access to the campaign.
- Phishing data and phishing report data will only appear if the Security Role has access to all groups in the campaign.
- Once you've made all the necessary selections, click the Create Security Role button. Any users affected by the Security Roles you've defined will gain access to their designated areas instantly.
Managing Security Roles
To manage your Security Roles, go to the Users tab of your KnowBe4 console and select the Security Roles subtab. All of your created Security Roles are listed here.
- Search: Search for Security Roles by name or group.
- Security Role Name: Click on a Security Role name to view and edit the permissions for that role.
- Groups: Lists all groups with this Security Role assigned. Click on a group name to see more details on that group.
- Users: This is the number of users with this Security Role assigned.
- Actions: Use the drop-down menu to edit, clone, or delete.
- Edit: View and edit the permissions for that role.
- Clone: Cloning a Security Role will open the New Security Role screen. The same permissions from the cloned Security Role will already be selected for you. You can modify the Name, Security Role Groups, permissions settings, and Targeted Groups as necessary, then click the Create Security Role button to save your new Security Role.
- Delete: Deleting a Security Role completely removes it from your console. This action cannot be undone.
Permissions Descriptions
The permissions available for each area of your console are described below.
Account Settings
- No Access: No access to the Account Settings area.
- Read: Ability to view all Account Settings.
- Read/Write: All of the above access, plus the ability to view and modify all Account Settings.
Users & Groups
- No Access: No access to the Users tab.
- Read: Access to the Users tab. Ability to view the user list as well as individual user profiles. Ability to view groups and group membership. Ability to view user provisioning information (if applicable). Use the Targeted Groups drop-down menu to further limit access to only the selected groups. Note that by targeting groups, this role will not have access to the Import Users, Provisioning, or Merge Users subtabs.
- Read/Write: All of the access granted above, plus the ability to create, modify, or delete users and groups.
ASAP
- No Access: No access to the ASAP tab.
- Read: Access to the ASAP tab. Ability to view task list, calendar, and reports.
- Read/Write: All of the access granted above, plus the ability to reset ASAP and modify the task list, calendar, and start date.
USB Campaigns
- No Access: No access to the USB tab.
- Read: Access to the USB tab. Can view existing USB drive test campaigns and reports.
- Read/Write: All of the access granted above, plus the ability to create, edit, and delete USB drive test campaigns.
AIDA Campaigns
- No Access: No access to the AIDA tab.
- Read: Access to the AIDA tab. Can view existing AIDA campaigns and reports.
- Read/Write: All of the access granted above, plus the ability to create and delete AIDA campaigns.
Second Chance
- No Access: No access to the Second Chance tab.
- Read: Access to the Second Chance tab. Can view users, devices, and settings.
- Read/Write: All of the access granted above, plus the ability to edit the Second Chance settings.
Reporting
- No Access: No access to the Reports tab.
- Show: Access to Reports with the ability to create and download reports.
Phishing Campaigns
- No Access: No access to the Campaigns subtab in the Phishing area.
- Read: Access to the Campaigns subtab in the Phishing area. Can view existing phishing campaigns and view and download reports. Use the Targeted Groups drop-down menu to further limit access to only the selected groups.
- Read/Write: All of the access granted above, plus the ability to create, edit, hide, or delete phishing campaigns. Use the Targeted Groups drop-down menu to further limit access to only the selected groups.
Phishing Templates
- No Access: No access to the Email Templates subtab in the Phishing area.
- Read: Access to the Email Templates subtab in the Phishing area. Ability to view available phishing templates and phishing template categories.
- Read/Write: All of the access granted above, plus the ability to create, edit, and delete phishing templates and phishing template categories.
Phishing Landing Pages
- No Access: No access to the Landing Pages subtab in the Phishing area.
- Read: Access to the Landing Pages subtab in the Phishing area. Ability to view available landing pages and landing page categories.
- Read/Write: All of the access granted above, plus the ability to create, edit, and delete landing pages and landing page categories.
Phishing Reports
- No Access: No access to the Reports subtab in the Phishing area.
- Show: Access to the Reports subtab in the Phishing area. Ability to create and download aggregate Phishing Reports and view Phishing campaign results. Use the Targeted Groups drop-down menu to further limit access to only the selected groups.
Phishing Dashboard
- No Access: Cannot view the Phishing portion of the Dashboard tab. The Dashboard tab will only appear if Phishing Dashboard permissions are granted.
- Show: Can view the Phishing portion of the Dashboard. Cannot click for additional data unless other Phishing permissions are provided.
Dashboard & Reports
- No Access: No access to the Dashboard and Reports subtabs in the SecurityCoach area.
- Show: Access to the Dashboard and Reports tabs in the SecurityCoach area.
Real-Time Coaching & SecurityTips
- No Access: No access to the Real-Time Coaching and SecurityTip subtabs in the SecurityCoach area.
- Read: Access to the Real-Time Coaching and SecurityTip subtabs in the SecurityCoach area. Can view existing real-time coaching campaigns on the Real-Time Coaching subtab and content on the SecurityTips subtab.
- Read/Write: All of the access granted above, plus the ability to create, edit, or delete real-time coaching campaigns.
Detection Rules
- No Access: No access to the Detection Rules subtab in the SecurityCoach area.
- Read: Access to view existing detection rules on the Detection Rules subtab in the SecurityCoach area.
- Read/Write: All of the access granted above, plus the ability to create and edit detection rules.
Setup
- No Access: No access to the Setup subtab in the SecurityCoach area.
- Read/Write: Access to the Setup subtab in the SecurityCoach area. Can view and edit the configuration settings for SecurityCoach.
Training Campaigns
- No Access: No access to the Campaigns subtab in the Training area.
- Read: Access to the Campaigns subtab in the Training area. Can view existing training campaigns and view and download reports. Use the Targeted Groups drop-down menu to further limit access to only the selected groups.
- Read/Manage: All of the access granted above, plus the ability to manage campaigns by sending manual training notifications, passing and resetting the completion progress of users, and downloading individual training campaign reports. Use the Targeted Groups drop-down menu to further limit access to only the selected groups.
- Full Read/Write: All of the access granted above, plus the ability to create, edit, and delete training campaigns. Use the Targeted Groups drop-down menu to further limit access to only the selected groups.
Training Notification Templates
- No Access: No access to the Notification Templates subtab in the Training area.
- Read: Access to the Notification Templates subtab in the Training area. Ability to view available training notifications and training notification categories.
- Read/Write: All of the access granted above, plus the ability to create, edit, and delete training notifications and training notification categories.
Policy Management
- No Access: No access to the Policies subtab in the Training area.
- Read: Access to the Policies subtab in the Training area. Ability to view and preview uploaded policies.
- Read/Write: All of the access granted above, plus the ability to upload and publish new policies.
Training Reports
- No Access: No access to the Reports subtab in the Training area.
- Show: Access to the Reports subtab in the Training area. Ability to create, view, and download Training-related reports. Use the Targeted Groups drop-down menu to further limit access to only the selected groups.
Training Dashboard
- No Access: Cannot view the Training portion of the Dashboard. The Dashboard tab will only appear if Training Dashboard permissions are granted.
- Show: Can view the Training portion of the Dashboard. Cannot click for additional data unless other Training permissions are provided.
ModStore
- No Access: No access to the Browse subtab in the ModStore.
- Read: Access to the ModStore tab. Ability to browse and preview all available ModStore content.
- Read/Write: All of the access granted above, plus the ability to add content to the Library.
Library
- No Access: No access to the Library subtab in the ModStore.
- Read: Access to the Library subtab in the ModStore. Ability to view and preview items in the Library.
- Read/Write: All of the access granted above, plus the ability to download items from the Library.
Uploaded Content
- No Access: No access to the Uploaded Content subtab in the ModStore.
- Read: Access to the Uploaded Content subtab in the ModStore. Ability to view and preview uploaded content.
- Read/Write: All of the access granted above, plus the ability to upload and publish custom content.
Brandable Content
- No Access: No access to the Brandable Content subtab in the ModStore.
- Read: Access to the Brandable Content subtab in the ModStore. Ability to view applied Branded Themes.
- Read/Write: All of the access granted above, plus the ability to create and apply Branded Themes.
Reporting
- No Access: No access to the Reports tab.
- Read: Access to the Reports tab. Ability to view Executive Reports and Saved Reports.
- Read/Write: All of the access granted above, plus the ability to create Executive Reports and Saved Reports.
Phishing Reports
- Provide access to selected phishing reports.
Training Reports
- Provide access to selected training reports.
Other Reports
- Provide access to other selected reports.
SecurityCoach Reports
- Provide access to selected SecurityCoach reports.
Send Reports
- No Access: No access to Send and Scheduled Reports.
- Read/Write: Ability to send and schedule reports.
Executive Reports
- No Access: No access to the Executive Reports subtab.
- Read: Access to the Executive Reports subtab. Ability to view Executive Reports.
- Read/Write: All of the access granted above, plus the ability to create Executive Reports.
Security Role Use Cases
Here are a few examples of how you can use Security Roles to limit console access based on your employees' job responsibilities or requirements. Click on a Use Case title for more information.
Be sure to consider your own organizational structure and needs when creating Security Roles for your KnowBe4 console.
Example: Provide the Human Resources group with the ability to add new users to the KnowBe4 console, but without the ability to create or manage phishing and training campaigns.
Permissions: From the General subtab, select Read/Write for Users & Groups.
Example: Provide the Consultant group access to create phishing templates, landing pages, and training notifications, without allowing that individual to access any user, phishing, or training data.
Permissions: From the Phishing subtab, select Read/Write for Phishing Templates and Phishing Landing Pages.
From the Training subtab, select Read/Write for Training Notification Templates.
Example: Provide the Compliance Managers group with the ability to see if users are completing training on time, download training-related reports, and send notifications to users and managers.
Permissions: From the Training subtab, select Read/Manage for Training Campaigns and select Show for Training Reports.
Example: Provide the Training Managers group with the ability to view all available content in the ModStore, add it to your account's Library, and view the content in your Library.
Permissions: From the ModStore subtab, select Read/Write for ModStore and Read for Library.
Example: Provide a manager with the ability to view the training statuses and phishing test results of a specific user group. The manager will not be able to view any campaign that the group is not enrolled in, any campaign that also has other groups enrolled in it, or any sensitive user information.
To assign a specific Security Role to this manager, we must first place the manager in a unique user group. We will also need a group made up of the manager's users. We recommend creating a Smart Group based on the manager's name in the user's profile. See our How to Use Smart Groups article for more information.
Permissions: From the General subtab, select Read for Users & Groups. Then, select the corresponding group from the Targeted Group drop-down.
From the Phishing subtab, select Read for Phishing Campaigns and Show for Phishing Reports. Then, select the corresponding group from the Targeted Group drop-down.
From the Training subtab, select Read for Training Campaigns and Show for Training Reports. Then, select the corresponding group from the Targeted Group drop-down.
Frequently Asked Questions (FAQs)
Q: I don't see the Security Roles tab on my console.
- A: If your KnowBe4 account's subscription level is Platinum or Diamond, you should see the Security Roles tab available to you after clicking on the Users tab at the top of your console.
If you are a Platinum or Diamond customer and still cannot locate the Security Roles tab, you can contact Support for assistance. If you're not a Platinum or Diamond customer yet but you're interested in upgrading, your Customer Success Manager can assist you.
Q: If a user is in two groups, each with separate Security Roles defined, what permissions will they get?
- A: Permissions are additive, meaning the user will gain all the permissions you defined in the Security Roles for the groups they are a part of.
Permissions will not be taken away from a user by giving them multiple Security Roles with differing permissions.
Q: Can I provide someone the ability to create Security Roles?
- A: Only Admins on your KnowBe4 account can create Security Roles. Admins will have access to all areas of the console. See: How to assign Admin functions
Q: Does the Security Roles feature work with Smart Groups?
- A: Yes! You can apply Security Roles to Smart Groups if necessary, but this should only be used for special cases. When using Smart Groups and Security Roles, keep in mind that for any campaign/reports access you provide, associated campaigns must have targeted only the group(s) that the Security Role has access to or else they will not appear for that Security Role.
You can also limit access for a Security Role by using the Targeted Groups feature to view/manage specific Smart Groups.
Q: I want to allow my Security Role to import or delete users for specific groups only. Can I do this?
- A: No, you can't limit the ability to import users to specific groups. If your permissions are limited to a particular group, you will be unable to take actions that affect multiple groups. Specifically, a Security Role for Users & Groups (which targets specific groups only) will not have the ability to import users.
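The Python model below is an added example, not KnowBe4 code or a KnowBe4 API. It works through the additive rule and the Targeted Groups visibility rule described in this article, so you can check what a user in several groups ends up with. All group, role, and campaign names are constructed, and it assumes that each role's Targeted Groups are evaluated on their own and that a grant without Targeted Groups sees every campaign, which the article does not state.

```python
from dataclasses import dataclass
from typing import Optional

LEVELS = {"No Access": 0, "Read": 1, "Read/Write": 2}  # each level includes the ones below

@dataclass
class Grant:
    level: str
    targeted: Optional[frozenset] = None  # None = no Targeted Groups limit (assumption)

@dataclass
class Role:
    name: str
    groups: frozenset   # groups the Security Role is assigned to
    grants: dict        # permission area -> Grant

@dataclass
class Campaign:
    name: str
    groups: frozenset
    individually_enrolled: bool = False  # users enrolled one by one or by CSV

def roles_for(user_groups, roles):
    """Security Roles apply through group membership, not directly to users."""
    return [r for r in roles if r.groups & user_groups]

def effective_level(user_groups, roles, area):
    """Additive rule: the highest level granted by any applicable role wins."""
    levels = [r.grants[area].level for r in roles_for(user_groups, roles) if area in r.grants]
    return max(levels, key=LEVELS.get, default="No Access")

def can_see(user_groups, roles, area, campaign):
    """A targeted grant shows a campaign only if it covers every group in it."""
    for role in roles_for(user_groups, roles):
        grant = role.grants.get(area)
        if grant is None or LEVELS[grant.level] == 0:
            continue
        if grant.targeted is None:
            return True
        if not campaign.individually_enrolled and campaign.groups <= grant.targeted:
            return True
    return False

# Constructed sample data (hypothetical group, role and campaign names).
SALES = frozenset({"Sales Team"})
ROLES = [
    Role("HR", frozenset({"Human Resources"}), {"Users & Groups": Grant("Read/Write")}),
    Role("Sales Manager", frozenset({"Sales Managers"}), {
        "Users & Groups": Grant("Read", SALES),
        "Phishing Campaigns": Grant("Read", SALES)}),
]
manager = frozenset({"Sales Managers"})
both = frozenset({"Sales Managers", "Human Resources"})
sales_only = Campaign("Sales phish", SALES)
mixed = Campaign("Company phish", frozenset({"Sales Team", "Engineering"}))
csv_added = Campaign("Sales phish + CSV", SALES, individually_enrolled=True)
```

A user in both sample groups ends up with Read/Write on Users & Groups, while the manager's targeted grant shows only the campaign that contains nothing but the Sales Team group.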