High-level overview of user roles in RiskSense.
The RiskSense platform uses a role-based system, meaning users are assigned to specific roles that control access to the RiskSense platform and the operations they can perform, from uploading vulnerability and asset information to remediating vulnerabilities. In addition to roles, RiskSense’s groups provide a way to organize host and application data stored within the platform, so that data is assigned to groups and only users who are members of those same groups may access the data.
The following provides a summary of permissions granted to different user roles (from lowest to highest permission):
The Technician role is the lowest permission level within RiskSense. Technicians must be explicitly assigned a vulnerability before they can work on its remediation. Even though a technician can be assigned to a group, they only see items specifically assigned to them. This role is designed for third-party resources or individuals within the organization who have a limited role in the visibility and remediation of the organization’s vulnerabilities.
Technicians can:
- Update anything on their account information page.
- Remediate (but not review) vulnerabilities explicitly assigned to them.
Most internal staff members involved in the remediation process are assigned the User role. Users can view all vulnerabilities within their assigned groups and can see all menus. Inside the Admin menu, they can only access their own account information page; they have no account management permissions and cannot assign permissions to other users.
Users can:
- See all resources and vulnerabilities for the data groups they are assigned.
- Self-assign vulnerabilities, create tags, and create filters.
Group managers are the next step up from the User role. They have the same permissions as a user, plus some basic administration tasks. This role is still confined to the groups they are assigned. The group manager assigns tasks and delegates vulnerability remediation to users and technicians within the groups they manage. Once these items have been remediated, it is the group manager’s responsibility to review and approve the work that was done.
Group managers can:
- Do everything a user can do.
- Manage users within the groups they are assigned.
- Assign actions to other users and review the work that was done.
Group managers cannot promote other users to the group manager role.
Managers are the highest-authority client role within RiskSense. They have all the abilities of a group manager, but they are not limited to any specific group. They can set all client-specific settings within their RiskSense client.
Managers can:
- Do everything users and group managers can do.
- See all groups within this client and assign groups to any user accounts within this client.
- Create and demote other group manager accounts.
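The four roles above differ along two axes at once: the role's rank (what kinds of action it may perform) and its scope (which data groups, or which explicitly assigned items, it may act on). The following is an added example, not RiskSense code, that encodes those rules in a small authorization model so the combinations can be checked mechanically; every account, group and finding in it is constructed for illustration, and where the page is silent (whether a Manager may create other Managers, whether a group manager may change group membership) the model withholds the permission and says so in a comment.

```python
# Added example (not RiskSense code): a minimal authorization model that encodes
# the role and group scoping rules described above. Every account, group and
# vulnerability name below is constructed for illustration.
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, List, Optional


class Role(IntEnum):
    """Roles ordered from lowest to highest permission."""
    TECHNICIAN = 1
    USER = 2
    GROUP_MANAGER = 3
    MANAGER = 4


@dataclass(frozen=True)
class Account:
    name: str
    role: Role
    groups: FrozenSet[str] = frozenset()  # data groups the account belongs to


@dataclass
class Vulnerability:
    vid: str
    group: str                      # the data group the finding belongs to
    assigned_to: Optional[str] = None


def can_view(actor: Account, vuln: Vulnerability) -> bool:
    """Managers see every group; technicians see only explicit assignments;
    users and group managers see everything inside their own groups."""
    if actor.role == Role.MANAGER:
        return True
    if actor.role == Role.TECHNICIAN:
        return vuln.assigned_to == actor.name
    return vuln.group in actor.groups


def visible(actor: Account, vulns: List[Vulnerability]) -> List[str]:
    """IDs of the findings an account can see, in input order."""
    return [v.vid for v in vulns if can_view(actor, v)]


def can_remediate(actor: Account, vuln: Vulnerability) -> bool:
    # Technicians may only work findings assigned to them; everyone else may
    # work any finding that is in scope for them, so visibility is the rule.
    return can_view(actor, vuln)


def can_review(actor: Account, vuln: Vulnerability) -> bool:
    """Review/approval of completed work starts at Group Manager."""
    return actor.role >= Role.GROUP_MANAGER and can_view(actor, vuln)


def can_assign(actor: Account, vuln: Vulnerability, assignee: Account) -> bool:
    """Users may self-assign inside their groups; group managers may delegate
    inside the groups they manage; managers are not limited to a group."""
    if actor.role == Role.MANAGER:
        return True
    if actor.role == Role.GROUP_MANAGER:
        return vuln.group in actor.groups and vuln.group in assignee.groups
    if actor.role == Role.USER:
        return assignee == actor and vuln.group in actor.groups
    return False  # technicians cannot assign anything


def can_set_role(actor: Account, target: Account, new_role: Role) -> bool:
    """Managers create and demote group managers; group managers manage users
    in their own groups but can never promote anyone to Group Manager.
    Whether a Manager may create other Managers is not stated on the page,
    so this model (an assumption) does not allow it."""
    if actor.role == Role.MANAGER:
        return new_role <= Role.GROUP_MANAGER and target.role <= Role.GROUP_MANAGER
    if actor.role == Role.GROUP_MANAGER:
        shares_group = bool(actor.groups & target.groups)
        return shares_group and target.role <= Role.USER and new_role <= Role.USER
    return False


def can_assign_group(actor: Account, target: Account, group: str) -> bool:
    """The page grants group assignment to Managers only; it does not grant it
    to group managers, so the model withholds it from them (assumption)."""
    return actor.role == Role.MANAGER


# ---- constructed sample data --------------------------------------------
TINA = Account("tina", Role.TECHNICIAN, frozenset({"web"}))
UMA = Account("uma", Role.USER, frozenset({"web"}))
GREG = Account("greg", Role.GROUP_MANAGER, frozenset({"web"}))
MIA = Account("mia", Role.MANAGER)

FINDINGS = [
    Vulnerability("V-1", "web", assigned_to="tina"),
    Vulnerability("V-2", "web"),
    Vulnerability("V-3", "db"),
]

if __name__ == "__main__":
    for who in (TINA, UMA, GREG, MIA):
        print(f"{who.name:5} ({who.role.name:13}) sees {visible(who, FINDINGS)}")
```

Running the block prints each account's visible findings: the technician sees only V-1 (assigned to her) even though she belongs to the same group as V-2, the user and group manager see both web findings but not the db finding, and the manager sees all three. The two checks worth keeping in mind when reviewing a deployment are `can_set_role`, which enforces that the group manager tier cannot replicate itself, and `can_assign_group`, which keeps group membership (and therefore data scope) in Manager hands.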