User Permissions
Organization members
Organization members are granted view permissions on several objects by default. However, this does not mean they can access the settings pages directly. Instead, this information will be visible to them in other contexts. For instance, when assigning a user to a report, they can see all organization members available for assignment.
Resource | Member | Admin |
Organization profile | View | Edit |
Audit log | - | View |
Users | View | Edit |
Groups | View | Edit |
Authentication | - | Edit |
API Tokens | - | Edit |
Integrations | View | Edit |
Custom Inboxes | View | Edit |
Assets | View | Edit |
Organization analytics* | View | View |
Engagement settings ** | - | - |
Engagement dashboard ** | - | - |
Engagement policy page ** | - | - |
Engagement inbox (reports) ** | - | - |
Custom inbox (reports) ** | - | - |
* The content displayed on the organization’s analytics page varies based on a member's level of engagement access.
** Members can be granted access to these by being added to groups that have the corresponding permissions.
Group Permissions
Groups let you organize your teams and grant each team the permissions it needs for the various areas of the platform.
Organization Permissions
Resource | User Manager | Groups manager | Assets manager | Assets viewer |
Organization profile | - | - | - | - |
Audit log | - | - | - | - |
Users | Edit | Edit | - | - |
Groups | Edit | Edit | - | - |
Authentication | - | - | - | - |
API Tokens | Edit | Edit | - | - |
Organization integrations | - | - | - | - |
Inbox settings * | - | - | - | - |
Asset inventory (Assets managers can also manage scope for all programs) | - | - | Edit | View |
Organization analytics | - | - | - | - |
Engagement settings | - | - | - | - |
Engagement dashboard ** | - | - | - | - |
Engagement policy page ** | - | - | - | - |
Engagement inbox (reports) | - | - | - | - |
Custom inbox (reports) | - | - | - | - |
* Inbox settings refer to setting up additional custom inboxes and managing access in organization settings. Engagement inbox settings are managed under engagement settings.
** Members can be granted access to these by being added to groups that have the corresponding permissions.
Engagement and Report Permissions
Engagement Settings
Resource | Read only | Program admin |
View engagement profile | ✅ | ✅ |
View engagement product edition | - | ✅ |
Credential management | - | ✅ |
Audit log | - | ✅ |
Billing overview | - | ✅ |
Billing credit card | - | ✅ |
Billing prepayment | - | ✅ |
Policy settings | - | ✅ |
Scope management | - | ✅ |
Submission form settings | - | ✅ |
Response targets & metrics | - | ✅ |
Email notifications | - | ✅ |
Inbox views | - | ✅ |
Custom fields settings | - | ✅ |
Hacker invitations | - | ✅ |
Hacker submission requirements | - | ✅ |
Embedded submission form | - | ✅ |
Bounty settings | - | ✅ |
Swag settings | - | ✅ |
Common responses | - | ✅ |
Triggers | - | ✅ |
Integrations | - | ✅ |
Webhooks | - | ✅ |
Hackbot | - | ✅ |
Export reports | ✅ | ✅ |
Proof of compliance | - | ✅ |
Report Permissions
Resource | Read only | Report | Reward |
View report details | ✅ | ✅ | ✅ |
Post internal comments | ✅ | ✅ | ✅ |
Post public comments | - | ✅ | - |
Change report state (assign, triage, close) | - | ✅ | - |
Request retests | - | ✅ | - |
Edit report titles and vulnerability types | - | ✅ | - |
Suggest bounty | - | ✅ | ✅ |
Award bounty | - | - | ✅ |
Add report participants | - | ✅ | - |
Request disclosure | - | ✅ | - |
Agree to disclosure request | - | ✅ | - |
Change custom field values on report | - | ✅ | - |