Manage users and permissions in SecurityScorecard

If you are a SecurityScorecard administrator, use this guidance to manage users, roles, access, and permissions in the platform.

Know if you are an administrator

If you are not sure whether you are an administrator:

1. Click the avatar for your user profile in the upper-right corner of the platform, and then select My Settings.
   
   
   
   
2. In the Settings panel, look for an Admin Settings section. If you see it, you are an administrator.
   
   

Work with people management

Understanding and managing roles is key to managing users. Access levels define what users can do.

Each user has one platform-generated base role. Additionally, you can assign platform-generated add-on roles and customize your own. 

Understand base roles

The base roles in this table provide specific subsets of access to the platform, except for restricted user, which you can customize new roles for using certain platform features or actions.

Create a custom role

1. Click the People Management tab under Admin Settings. 
2. In the Roles tab, click Create New Role.
   
   
   
   
3. Name the role and select permissions for this role. Then, click Save.
   
   
   
   

The new role appears in the Roles table.

Create and manage users 

When you create a user for your organization's SecurityScorecard account, you assign them a role, which defines what they can do in the platform. Each user has one base role. 

Invite new users

1. Select People under People Management.
2. Click Invite People in the People panel.
   
   
   
3. Enter a name and email address, and use the drop-down list to assign access levels.

4. If you assign a restricted user, select permissions in roles to customize it with.

5. Click Done.

As an administrator, you also can change a role and permissions for a current user:

1. Click the People tab under People Management. 
2. On the displayed list, under the Access Level column click the Drop down and Edit when it appears.

3. Change the contact information, or select a new role in the displayed form. Then, click Save Changes.

Assigning custom role to a user
In order to assign a custom role:

1. Base Role needs to be selected as “Restricted User”.
2. Once this is done an option for “Add On Roles” will be shown.
3. Select the Custom Role (Read in the below case case) from under “Add On Roles”:
    
   

Create or manage teams

1. Click the People Management tab under Admin Settings. 
2. In the Teams tab, click New Team.

3. Name the team and select permissions for this team. Then, click Save.

Grant requested access manually

1. Click the People Management tab under Admin Settings.
2. For any listed requester, and click Approve to grant permission. Otherwise, click Decline.
   
   

Requesters who are granted permission receive an email invitation to set up an account. Declined requesters do not receive any notification.

Grant permission automatically

Use automatic settings for granting permission based on specific conditions so that:

• You can save time by limiting how often you have to grant permissions manually.
• Requesters whom you are likely to accept do not have to wait for permission to access the platform. For example, if you have sent a questionnaire to a potential vendor who does not have a SecurityScorecard account, you can expedite the vetting process by giving them immediate access, so that they respond to the questionnaire.

To set automatic permissions:

• Click the People Management tab under Admin Settings. 
• Click Automate Approvals on the Access Requests page.
  
  
  
  

Select a condition for automatically granting permission from the displayed list. Then, click Close.

Roles-Based Access for Questionnaires 

Administrators can add customizable permissions for their teams to effectively manage their internal workflows and personnel. Rosed-based access for questionnaires adds more control into user permissions and strengthens security posture. Administrators can restrict access to Read-only users or grant full permissions to Users to answer and share questionnaires.

• As a Read-Only user, how do I get permissions to send questionnaires? Reach out to your SecurityScorecard administrator at your organization to adjust your permissions accordingly.
• Can a Read-Only user answer a questionnaire? No, in order to answer a questionnaire you must be a User with full permissions.
• I’m unsure of who the SecurityScorecard administrator is at my organization. Who should I contact? For support please submit a request here.

How guest access works with Atlas questionnaires

If an Atlas user sends a questionnaire to an email address that is not associated with a SecurityScorecard user account, but the recipient's domain has a SecurityScorecard subscription and administrator, that recipient can automatically gain a Guest role.

Note: If the Atlas user generates a questionnaire using the Create Link option, instead of emailing the recipient directly from Atlas, the recipient will need to create a SecurityScorecard account and have their own SecurityScorecard administrator grant them access.

Also, if, when testing this workflow, you as the Sender attempt to send to an aliased email address, this workflow will not apply, you will need to send to an actual user different from yourself.

Note: Questionnaire recipients automatically receive guest access even if they do not have email addresses attributed to your organization.