Using Security Roles
Our Security Roles feature, available to Platinum and Diamond customers, allows you to set the level of administrative permission for a specific user group. Security Roles can help you follow the principle of least privilege in your KMSAT console, ensuring that the various areas of your console are only accessible to users who need them.
For a short overview, check out our How to Use Security Roles video. For more specific information, continue reading or click the links below.
Jump to:
Setting Up Security Roles
Managing Security Roles
Permission Descriptions
Security Role Use Cases
Frequently Asked Questions (FAQs)
Setting Up Security Roles
First, you'll want to make sure you have set up groups in your console since Security Roles are applied to groups rather than users. See the Managing Groups section of our Users and Groups article for more information.
Once you have set up groups, you can follow the steps below to create Security Roles for specific groups:
- Navigate to the Users tab in your console, then click the Security Roles subtab.
- Click the +New Security Role button at the top-right corner of the screen.
- In the Security Role Name field, enter a name for this Security Role.
- Then, select one or more groups from the Groups drop-down menu to assign this role to.
- Navigate using the remaining subtabs and select the permissions you would like this Security Role to have. The remaining subtabs on the screen include permission options for the corresponding areas of your console. See the Permissions Descriptions section below for details on what each permission includes. For some permissions, you can further limit them to specific targeted groups.
Important: Users can only see training and phishing campaigns if the Security Role has access to all groups in the campaign.- If a user is individually or bulk-enrolled via CSV file, Security Role users will lose access to the campaign.
- Phishing data and phishing report data will only display if the Security Role has access to all groups in the campaign.
- Once you've selected the permissions, click the Create Security Role button. Any users affected by the Security Roles you've defined will gain access to the designated areas instantly.
Managing Security Roles
To manage your Security Roles, navigate to the Users tab of your KMSAT console and select the Security Roles subtab. All of your created Security Roles are listed here.
For more information about the Security Roles subtab, see the screenshot and list below:
- Search: Search for Security Roles by name or group.
- Security Role Name: Click the name of a Security Role to view and edit the permissions for that role.
- Groups: This column lists all groups with this Security Role assigned. Click the name of a group to see more details about that group.
- Users: This column displays the number of users with this Security Role assigned.
- Actions: Use the drop-down menu to edit, clone, or delete a Security Role. For more information, see the list below:
- Edit: View and edit the permissions for that role.
- Clone: Cloning a Security Role will open the Create Security Role screen. The same permissions from the cloned group will be selected automatically. You can modify the name, Security Role groups, permissions settings, and targeted groups as necessary. Then, you can click the Clone Security Role button to save your new group.
- Delete: Deleting a Security Role completely removes it from your console. This action cannot be undone.
Permissions Descriptions
Click any of the tabs below to learn more about the permissions available for that area of your console.
| Account Settings | No Access: This permission provides no access to the Account Settings area. |
| Read: This permission provides the ability to view all Account Settings. | |
| Read/Write: This permission provides all of the above access, plus the ability to view and modify all Account Settings. | |
| Users & Groups | No Access: This permission provides no access to the Users tab. |
|
Read: This permission provides access to the Users tab. This permission includes the ability to view the user list as well as individual user profiles, the ability to view groups and group membership, and the ability to view user provisioning information (if applicable). You can use the Targeted Groups drop-down menu to further limit access to the selected groups. If you select targeted groups, this role will not have access to the Import Users, Provisioning, or Merge Users subtabs. |
|
|
Read/Write: This permission provides all of the access granted above, plus the ability to create, modify, or delete users and groups. |
|
| ASAP | No Access: This permission provides no access to the ASAP tab. |
| Read: This permission provides access to the ASAP tab. This permission includes the ability to view the task list, calendar, and reports. | |
| Read/Write: This permission provides all of the access granted above, plus the ability to reset ASAP and modify the task list, calendar, and start date. | |
| USB Campaigns | No Access: This permission provides no access to the USB tab. |
| Read: This permission provides access to the USB tab. Any groups with this permission can view existing USB drive test campaigns and reports. | |
| Read/Write: This permission provides all of the access granted above, plus the ability to create, edit, and delete USB drive test campaigns. | |
| AIDA Campaigns | No Access: This permission provides no access to the AIDA tab. |
| Read: This permission provides access to the AIDA tab. Any groups with this permission can view existing AIDA campaigns and reports. | |
| Read/Write: This permission provides all of the access granted above, plus the ability to create and delete AIDA campaigns. | |
| Second Chance | No Access: This permission provides no access to the Second Chance tab. |
| Read: This permission provides access to the Second Chance tab. Any groups with this permission can view users, devices, and settings. | |
| Read/Write: This permission provides all of the access granted above, plus the ability to edit the Second Chance settings. | |
| Reporting | No Access: This permission provides no access to the Reports tab. |
| Show: This permission provides access to the Reports tab with the ability to create and download reports. |
| Phishing Campaigns | No Access: This permission provides no access to the Campaigns subtab in the Phishing tab. |
|
Read: This permission provides access to the Campaigns subtab in the Phishing tab. Any groups with this permission can view existing phishing campaigns and view and download reports. You can use the Targeted Groups drop-down menu to further limit access to the selected groups. |
|
|
Read/Write: This permission provides all of the access granted above, plus the ability to create, edit, hide, or delete phishing campaigns. You can use the Targeted Groups drop-down menu to further limit access to the selected groups. |
|
| Phishing Templates | No Access: This permission provides no access to the Email Templates subtab in the Phishing tab. |
| Read: This permission provides access to the Email Templates subtab in the Phishing tab. This permission includes the ability to view available phishing templates and phishing template categories. | |
| Read/Write: This permission provides all of the access granted above, plus the ability to create, edit, and delete phishing templates and phishing template categories. | |
| Phishing Landing Pages | No Access: This permission provides no access to the Landing Pages subtab in the Phishing tab. |
| Read: This permission provides access to the Landing Pages subtab in the Phishing tab. This permission includes the ability to view available landing pages and landing page categories. | |
| Read/Write: This permission provides all of the access granted above, plus the ability to create, edit, and delete landing pages and landing page categories. | |
| Phishing Reports | No Access: This permission provides no access to the Reports subtab in the Phishing tab. |
|
Show: This permission provides access to the Reports subtab in the Phishing tab. This permission includes the ability to create and download aggregate phishing reports and view phishing campaign results. You can use the Targeted Groups drop-down menu to further limit access to the selected groups. |
|
| Phishing Dashboard | No Access: Groups without this permission cannot view the Phishing section of the Dashboard tab. The Dashboard tab will only display if Phishing Dashboard permissions are granted. |
| Show: Groups with this permission can view the Phishing section of the Dashboard tab. Groups with this permission cannot click for additional data unless other Phishing permissions are provided. |
| Dashboard & Reports | No Access: This permission provides no access to the Dashboard and Reports subtabs in the SecurityCoach tab. |
| Show: This permission provides access to the Dashboard and Reports subtabs in the SecurityCoach tab. | |
|
Real-Time Coaching & SecurityTips
|
No Access: This permission provides no access to the Real-Time Coaching and SecurityTip subtabs in the SecurityCoach tab. |
|
Read: This permission provides access to the Real-Time Coaching and SecurityTip subtabs in the SecurityCoach tab. Groups with this permission can view existing real-time coaching campaigns on the Real-Time Coaching subtab and content on the SecurityTips subtab. |
|
| Read/Write: This permission provides all of the access granted above, plus the ability to create, edit, or delete real-time coaching campaigns. | |
| Detection Rules | No Access: This permission provides no access to the Detection Rules subtab in the SecurityCoach tab. |
| Read: This permission provides access to view existing detection rules on the Detection Rules subtab in the SecurityCoach tab. | |
| Read/Write: This permission provides all of the access granted above, plus the ability to create and edit detection rules. | |
| Setup | No Access: This permission provides no access to the Setup subtab in the SecurityCoach tab. |
| Read/Write: This permission provides access to the Setup subtab in the SecurityCoach tab. Groups with this permission can view and edit the configuration settings for SecurityCoach. |
| Training Campaigns | No Access: This permission provides no access to the Campaigns subtab in the Training tab. |
|
Read: This permission provides access to the Campaigns subtab in the Training tab. Groups with this permission can view existing training campaigns and view and download reports. You can use the Targeted Groups drop-down menu to further limit access to the selected groups. |
|
|
Read/Manage: This permission provides all of the access granted above, plus the ability to manage campaigns by sending manual training notifications, passing and resetting the completion progress of users, and downloading individual training campaign reports. You can use the Targeted Groups drop-down menu to further limit access to the selected groups. |
|
|
Full Read/Write: This permission provides all of the access granted above, plus the ability to create, edit, and delete training campaigns. You can use the Targeted Groups drop-down menu to further limit access to the selected groups. |
|
| Training Notification Templates | No Access: This permission provides no access to the Notification Templates subtab in the Training tab. |
| Read: This permission provides access to the Notification Templates subtab in the Training tab. This permission includes the ability to view available training notifications and training notification categories. | |
| Read/Write: This permission provides all of the access granted above, plus the ability to create, edit, and delete training notifications and training notification categories. | |
| Policy Management | No Access: This permission provides no access to the Policies subtab in the Training tab. |
| Read: This permission provides access to the Policies subtab in the Training tab. This permission includes the ability to view and preview uploaded policies. | |
| Read/Write: This permission provides all of the access granted above, plus the ability to upload and publish new policies. | |
| Training Reports | No Access: This permission provides no access to the Reports subtab in the Training tab. |
|
Show: This permission provides access to the Reports subtab in the Training tab. This permission includes the ability to create, view, and download training-related reports. You can use the Targeted Groups drop-down menu to further limit access to the selected groups. |
|
| Training Dashboard | No Access: Groups without this permission cannot view the Training section of the Dashboard tab. The Dashboard tab will only display if Training Dashboard permissions are granted. |
| Show: Groups with this permission can view the Training section of the Dashboard tab. Groups with this permission cannot click for additional data unless other Training permissions are provided. |
| ModStore | No Access: This permission provides no access to the Browse subtab in the ModStore. |
| Read: This permission provides access to the ModStore tab. This permission includes the ability to browse and preview all available ModStore content. | |
| Read/Write: This permission provides all of the access granted above, plus the ability to add content to the library and download items. | |
| Library | No Access: This permission provides no access to the Library subtab in the ModStore. |
| Read: This permission provides access to the Library subtab in the ModStore. This permission includes the ability to view and preview items in the library. | |
| Read/Write: This permission provides all of the access granted above, plus the ability to download items from the library. | |
| Uploaded Content | No Access: This permission provides no access to the Uploaded Content subtab in the ModStore. |
|
Read: This permission provides access to the Uploaded Content subtab in the ModStore. This permission includes the ability to view and preview uploaded content. |
|
| Read/Write: This permission provides all of the access granted above, plus the ability to upload and publish custom content. | |
| Brandable Content and Content Manager | No Access: No access to the Brandable Content and Content Manager subtabs in the ModStore. |
|
Read: Access to the Brandable Content and Content Manager subtabs in the ModStore. Ability to view applied Branded Themes and Content Manager settings. |
|
| Read/Write: All of the access granted above, plus the ability to create and apply Branded Themes as well as adjust Content Manager settings. |
| Reporting | No Access: This permission provides no access to the Reports tab. |
|
Read: This permission provides access to the Reports tab. This permission includes the ability to view Executive Reports and saved reports. |
|
| Read/Write: This permission provides all of the access granted above, plus the ability to create Executive Reports and saved reports. | |
| Phishing Reports | This permission provides access to selected phishing reports. |
| Training Reports | This permission provides access to selected training reports. |
| Other Reports | This permission provides access to other selected reports. |
| SecurityCoach Reports | This permission provides access to selected SecurityCoach reports. |
| Send Reports | No Access: This permission provides no access to send and schedule reports. |
| Read/Write: This permission provides the ability to send and schedule reports. | |
| Executive Reports | No Access: This permission provides no access to the Executive Reports subtab. |
|
Read: This permission provides access to the Executive Reports subtab. This permission includes the ability to view Executive Reports. |
|
| Read/Write: This permission provides all of the access granted above, plus the ability to create Executive Reports. |
Security Role Use Cases
Here are a few examples of how you can use Security Roles to limit console access based on your employees' job responsibilities or requirements. Click each use case drop-down menu for more information.
Be sure to consider your own organizational structure and needs when creating Security Roles for your KMSAT console.
Example: Provide the Human Resources group with the ability to add new users to the KMSAT console but without the ability to create or manage phishing and training campaigns.
Permissions: From the General subtab, select Read/Write for Users & Groups.
Example: Provide the Consultant group access to create phishing templates, landing pages, and training notifications, without allowing that individual to access any user, phishing, or training data.
Permissions: From the Phishing subtab, select Read/Write for Phishing Templates and Phishing Landing Pages.
From the Training subtab, select Read/Write for Training Notification Templates. 
Example: Provide the Compliance Managers group with the ability to see if users are completing training on time, download training-related reports, and send notifications to users and managers.
Permissions: From the Training subtab, select Read/Manage for Training Campaigns and select Show for Training Reports.
Example: Provide the Training Managers group with the ability to view all available content in the ModStore, add it to your account's library, and view the content in your library.
Permissions: From the ModStore subtab, select Read/Write for ModStore and Read for Library.
Example: Provide a manager with the ability to view the training statuses and phishing test results of a specific user group. The manager will not be able to view any campaign that the group is not enrolled in, any campaign that also has other groups enrolled in it, or any sensitive user information.
To assign a specific Security Role to this manager, we must first place the manager in a unique user group. We will also need a group made up of their users. We recommend creating a Smart Group based on the manager's name in the user's profile. See our How to Use Smart Groups article for more information.
Permissions: From the General subtab, select Read for Users & Groups. Then, select the corresponding group from the Targeted Groups drop-down menu.
From the Phishing subtab, select Read for Phishing Campaigns and Show for Phishing Reports. Then, select the corresponding group from the Targeted Groups drop-down menu.
From the Training subtab, select Read for Training Campaigns and Show for Training Reports. Then, select the corresponding group from the Targeted Groups drop-down menu.
Frequently Asked Questions (FAQs)
Below are the FAQs about Security Roles:
1. Question: I don't see the Security Roles subtab on my console.
Answer: If your subscription level is Platinum or Diamond, you should see the Security Roles subtab after clicking on the Users tab at the top of your console.
If you are a Platinum or Diamond customer and still cannot locate the Security Roles subtab, you can contact support for assistance. If you're not a Platinum or Diamond customer yet but you're interested in upgrading, your Customer Success Manager can assist you.
2. Question: If a user is in two groups, each with separate Security Roles defined, what permissions will they get?
Answer: Permissions are additive, which means that the user will gain all the permissions you defined in the Security Roles for the groups they are a part of.
Permissions will not be removed from a user by giving them multiple Security Roles with differing permissions.
3. Question: Can I provide someone the ability to create Security Roles?
Answer: Only admins in your KMSAT console can create Security Roles. Admins will have access to all areas of the console. For more information, see the How to Assign and Remove Admin Functions from a User article.
4. Question: Does the Security Roles feature work with Smart Groups?
Answer: Yes! You can apply Security Roles to Smart Groups if necessary, but this should only be used for special cases. When using Smart Groups and Security Roles, keep in mind that for any campaign access or reports access you provide associated campaigns must target any of the groups that the Security Role has access to only. Otherwise, they will not display for that Security Role.
You can also limit access for a Security Role by using the Targeted Groups field to view or manage specific Smart Groups.
5. Question: Can I allow my Security Role to import or delete users for specific groups only?
Answer: No, you can't limit the ability to import users to specific groups. If your permissions are limited to a particular group, you will be unable to take actions that affect multiple groups. Specifically, a Security Role with Users & Groups permissions that only targets specific groups will not have the ability to import users.
Comments
0 comments
Article is closed for comments.