Creating Accounts and Managing Users

The KCM governance, risk, and compliance platform (KCM GRC) offers a role-based access control (RBAC) model for the various user accounts needed by your organization in order to implement, manage, and carry out workflows in your console. With this RBAC model, users can complete the job functions required of their role without having access to privileged or unnecessary information.

You can grant multiple user roles to one individual, allowing users to work across the different modules available for your account. For more information, see: What modules are available in the KCM GRC console and what do they do?

Refer to the sections below to learn more about working with users in KCM GRC.

Jump to:

User Role Use Cases

Creating New Users

Importing Users

Managing Users

Update User Details
Confirming User Accounts
Resending Account Confirmation Emails
Disabling Users and Transferring Responsibilities

User Role Use Cases

Users can submit evidence for compliance controls, create risk assessments and risk mitigation controls, distribute and manage your organization's internal policies, or complete other workflows in your KCM GRC account.

Refer to the use cases below to help you decide which user role or roles are best fit for accomplishing the governance, risk, and compliance efforts of your organization. For a full explanation of each user role, please see our KCM GRC: User Roles article.

Responsibilities	User Role
The user should be able to do the following in KCM GRC: Add or import the necessary governance: laws, regulations, frameworks, etc. Create templates and scopes that contain the necessary governance requirements or objectives Use reporting features to monitor and assess the organization's state of compliance	Account Administrator
The user should be able to do the following in KCM GRC: Create internal controls for the requirements in a scope, or map the requirements to existing controls. Create task schedules and delegate tasks for meeting control objectives Monitor adherence to compliance controls Create and monitor response plans for audit findings	Scope Administrator
The user should be able to do the following in KCM GRC: Submit evidence for compliance control tasks	Contributor
The user should be able to do the following in KCM GRC: Add and update our organization's policies Distribute policies to employees and track acknowledgments	Policy Administrator
The user should be able to do the following in KCM GRC: Distribute policies to employees and track acknowledgments	Campaign Administrator
The user should be able to do the following in KCM GRC: Identify and assess risks in the Risk Wizard Add risks to the Risk Register Assess and manage risks in the Risk Register Create controls to monitor or mitigate risks Map controls to risks in the Risk Register	Risk Administrator
The user should be able to do the following in KCM GRC: Review control evidence from the Documents page Review controls and tasks using the compliance and scope reports found under the Metrics page	Auditor
The user should be able to do the following in KCM GRC: Create Vendor Profiles and Vendor Contacts in order to send questionnaires Create and send questionnaires to vendors Review questionnaires and create questionnaire issues	Vendor Administrator

See the next section to learn how to create new users in your KCM GRC console.

Creating New Users

Follow the steps below to create a new user to work in one or more of the modules in your account.

Note: If you're using KCM's Policy Management module to manage internal policy acknowledgments, you will use a different method to add end users to your KCM GRC account. See our Policy Management article for more information.

To add a new user to your console, click Settings in the top-right area of your account, then select Create New User, as shown below.
Add the information outlined below:
1. First Name: Enter the user's first name. The user will be addressed by their first name in the automated emails sent from your KCM GRC account.
2. Last Name: Enter the user's last name.
3. Email: Enter the user's business email.
  
  Important:
  
  The user must be able to receive email at this address in order to confirm their account.
4. Telephone: Use the flag drop-down menu to select the telephone format for your country, then enter the user's phone number.
5. User Roles: Click the drop-down menu to choose one or more user roles. Please refer to our User Roles article for details on the permission sets for each role.
  
  Note:
  
  If you grant the user an Account Administrator user role, then later need to downgrade the user's permissions, you'll need to contact our support team at support@knowbe4.com in order to do so.
  - Allowed Scopes (Scope Administrator and Auditor roles only): From the drop-down menu, select the scopes that you'd like the user to have access to.
  - Allowed Campaigns (Campaign Administrator and Auditor roles only): From the drop-down menu, select the policy campaigns that you'd like the user to have access to.
6. Create: Click this button once you've added the details above.

Once you've created the user, you're brought to the User Management page where you can view and manage the user's details. See the Managing Users section of this article to learn more.

Importing Users

If you are creating multiple user accounts at once, you can save time by importing users with a CSV file. By default, imported user accounts are created with a Contributor user role. You can change or add additional user roles after you have imported your users.

Follow the steps below to import users and create user accounts.

From the Manage Users page (Settings > Manage Users), click the Import button at the top of the page.
From the Import Items window, use the Click to Upload button to locate your CSV file.

CSV file prerequisites:
- The file should be a valid CSV with a comma (,) separator.
  
  Note:
  If you are using Excel, your file must be saved in the CSV UTF-8 format.
- The following header line is required:
  email,first_name,last_name
- The field size limitations are as follows:
  - email: 255 character limit
  - first_name: 255 character limit
  - last_name: 255 character limit
    
    Tip:
    Use the Download Example CSV button to see an example of how the CSV file should be formatted. You can also click Learn More to see details about the CSV file format.
Once you've selected the file, you can review the users before adding the new accounts. Use the search fields to search for a specific user (shown below). Click the trash can icon if you would like to remove a user from the import.
When you're ready to add the user accounts, click the Import Items button.

Note:

Once users are imported they will immediately receive an email to activate their account.

The imported user accounts are created with a Contributor user role. Until they have been assigned to one or more tasks, Contributors are unable to access data in your KCM GRC platform (see this article for more information). If you'd like to change this user role, see the Managing Users section for instructions.

Managing Users

If you're an account administrator, navigate to the Manage Users page to view, manage, or modify details for the users in your account.

To navigate to the Manage Users page, from the top-right of your account, select Settings > Manage Users.

The Manage Users page offers high-level details about the users in your account.

Manage Users Table

If you have created one or more user groups for your Compliance Management module, click the checkbox for each user that you want to add to a group. Then, select the desired group from the Select a Group drop-down menu, and then, click Add Selected To Group.
- To learn about working with user groups in the Compliance Management module, please see our Working with User Groups article.
The Status column tells you if the user account is Active, Awaiting Confirmation, or Disabled.
- See the Confirming User Accounts section below for more information on account confirmation.
The Date Updated column shows the last date that any changes were made to the user's account (such as email address, phone number, user role, and so on.).
Click the disable user icon () in the far-right column to disable the user and transfer their responsibilities to a different user.
- Learn more in the Disabling Users and Transferring Responsibilities section, below.
To view or update a user's information, click the pencil icon () in the far right column.
- This will bring you to the User Management page. Learn more in the next section.

Update User Details

If you're an account administrator, navigate to a user's profile to update their personal information or their account settings, such as granting an additional user role or granting access to additional scopes.

To open a user's profile, from the Manage Users page (shown in the previous section), click the appropriate pencil icon under the Actions column. Then, see the details below to learn about the settings that are available on the User Management page.

Note:

If you're not an account administrator and you'd like to update your own account information, click your name at the top-right of your account, then click Profile, (click to view example).

User Management Page

A user can navigate to their own user profile page and click the Set Up MFA button to connect their account with their multi-factor authentication (MFA) application.
- For details about configuring MFA for your own account, mandating MFA for individual accounts, and mandating MFA for all user accounts, see our Enable and Set Up Multi-factor Authentication article.
Click the Disable User button to disable the user account and transfer their responsibilities to another user. For more information, see the Disabling Users and Transferring Responsibilities section below.
This widget provides an overview of the user's responsibilities in your KCM GRC console.
- Scopes: If the user is a Scope Administrator or an Auditor, this area shows the number of scopes that the user has been granted access to.
- Policy Campaigns: If the user is a Campaign Administrator or an Auditor, this shows the number of policy management campaigns the user has been granted access to.
- Tasks: When applicable, this shows the number of tasks the user is currently assigned to. For more information, see: Working with Task Schedules for Controls.
- Compliance Percentage: When applicable, this shows the percentage of this user's assigned tasks that were satisfied on time.
Click the Task History tab to see all of the tasks the user is currently assigned to and the tasks the user has satisfied in the past.
- The Task History table lists the following information for all tasks that the user is the User Responsible for:
  - Name: The task name. The task may have the same name as the associated control.
  - Due At: The date the task evidence is (or was) due.
  - Completed On: The date the task was marked as complete.
  - Status: The current task status (Failed, Past Due, Active, Satisfied, or Closed Late)
  - Stage: The current phase of satisfying the task (Awaiting Approval, Approved, or Open).
    - All failed, or otherwise unsatisfied tasks will show the Open stage.
    - All closed tasks will show the Approved stage.
The Audit Trail tab logs actions that the user has made in your KCM GRC account.
User Roles: Use the drop-down menu to add additional user roles. To remove a user role, click the x to the right of the role name.
Allowed Scopes (Scope Administrator user roles): Use the drop-down menu to search for or select the scopes you'd like the user to have access to.
Allowed Campaigns (Campaign Administrator user roles): Use the drop-down menu to search for or select the policy campaigns you'd like your users to have access to.
Require MFA: If you are an account administrator, click the slider button to mandate MFA for this user's account.
- Before changing this setting, ensure the user has installed an authenticator application. The user will be required to set up their MFA application the next time they log in to their account. For more information see our Enable and Set Up Multi-Factor Authentication article.

Be sure to click the Save button after making changes.

Confirming User Accounts

Once you've created a new user, they must confirm their account before they log in. The user will receive an account confirmation email at the address you specified when creating the user.

For details about activating a user account, see: KCM GRC: Account Activation, Account Access, and Resetting Your Password.

If the user did not receive the account confirmation email, be sure they've checked their Spam or Junk folder. If you need to resend the activation email to your user, see the next section for instructions.

Resending Account Confirmation Emails

If you are an account administrator and your user has not received an email to confirm their account, follow the steps below to resend their account confirmation email.

Navigate to the User Management page by selecting Settings in the top-right area of your account, then click Manage Users, as shown below.
From the Manage Users page, find the user who needs the confirmation email, and click the update user icon in the far-right column (shown below).
From the User Management page, click the Resend Activation button on the left-hand side, as shown below.
Select Yes to the Are you sure you want to reconfirm this user? prompt.

The user should receive the activation email momentarily. If the user did not receive the account confirmation email, be sure they've checked their Spam or Junk folder.

See this article for specifics about account activation when SSO/SAML is configured for your account. Still having trouble? Reach out to support@knowbe4.com for assistance.

Disabling Users and Transferring Responsibilities

If you're a KCM GRC account administrator, you can disable a user to deactivate their account. For example, if one of your compliance users (Contributors or Scope Administrator user roles) leaves your organization, you will need to deactivate the user's account after deciding which of your other KCM GRC users will take over their responsibilities for control tasks.

Note:

In order to transfer responsibilities to another user, the transferee should:

Have an equal or greater level of user permissions as the transferring user (see User Roles for details)
Both users should have the same Allowed Scopes (when both the transferring user and the transferee are Scope Administrators)

If the user that you are disabling is the User Assigned, Approving Manager, or Second-level Approving Manager for control tasks, the following will be reassigned to the new user:

All tasks that have not been satisfied, specifically:
- Tasks that have a task stage of Open and a task status of Active, Past Due, or Failed.
- Tasks that have a task stage of Awaiting Approval.
- All new tasks that will be created in the future for task schedules that the disabled user was assigned to.

If the user that you are disabling is the User Assigned, Approving Manager, or Second-level Approving Manager for control tasks, the following will not be reassigned to the new user:

All tasks that have been satisfied, specifically:
- Tasks that have a task status of Satisfied and a task stage of Approved.
- Tasks that have task status of Closed Late and a task stage of Approved.

Follow the steps below to disable a user and transfer their responsibilities.

Navigate to the User Management page by selecting Settings in the top-right area of your account, then click Manage Users, as shown below.
From the Manage Users page, find the user you need to disable, then click the disable user icon in the far-right column (shown below).
When prompted, use the drop-down menu to select a user to transfer responsibilities to.
Click the Transfer Now button to confirm the responsibility transfer and deactivation of the user account.

KCM GRC: Working with Users

Creating Accounts and Managing Users

User Role Use Cases

Responsibilities

User Role