Permissions

Organizations: How permissions are set up on the HackerOne platform

Updated over 2 months ago

User Permissions

Organization members

Organization members are granted view permissions on several objects by default. However, this does not mean they can access the settings pages directly. Instead, this information will be visible to them in other contexts. For instance, when assigning a user to a report, they can see all organization members available for assignment.

| Resource | Member | Admin |
| --- | --- | --- |
| Organization profile | View | Edit |
| Audit log | - | View |
| Users | View | Edit |
| Groups | View | Edit |
| Authentication | - | Edit |
| API Tokens | - | Edit |
| Integrations | View | Edit |
| Custom Inboxes | View | Edit |
| Assets | View | Edit |
| Organization analytics* | View | View |
| Engagement settings ** | - | - |
| Engagement dashboard ** | - | - |
| Engagement policy page ** | - | - |
| Engagement inbox (reports) ** | - | - |
| Custom inbox (reports) ** | - | - |

* The content displayed on the organization’s analytics page varies based on a member's level of engagement access.

** These can be granted to the user by adding them to groups that have permissions to them.

Group Permissions

Groups allow you to set up your teams and grant the right team permissions to the various areas on the platform.

Organization Permissions

| Resource | User Manager | Groups manager | Assets manager | Assets viewer |
| --- | --- | --- | --- | --- |
| Organization profile | - | - | - | - |
| Audit log | - | - | - | - |
| Users | Edit | Edit | - | - |
| Groups | Edit | Edit | - | - |
| Authentication | - | - | - | - |
| API Tokens | Edit | Edit | - | - |
| Organization integrations | - | - | - | - |
| Inbox settings * | - | - | - | - |
| Asset inventory (Assets managers can also manage scope for all programs) | - | - | Edit | View |
| Organization analytics | - | - | - | - |
| Engagement settings | - | - | - | - |
| Engagement dashboard ** | - | - | - | - |
| Engagement policy page ** | - | - | - | - |
| Engagement inbox (reports) | - | - | - | - |
| Custom inbox (reports) | - | - | - | - |

*Inbox settings refer to setting up additional custom inboxes and managing access in organization settings. Engagement inbox settings are managed under engagement settings.

** These can be granted to the user by adding them to groups that have permissions to them.

Engagement and Report Permissions

Engagement Settings

Resource

Read only

Program admin

View engagement profile

View engagement product edition

-

Credential management

-

Audit log

-

Billing overview

-

Billing credit card

-

Billing prepayment

-

Policy settings

-

Scope management
(Grants access to Asset inventory)

-

Submission form settings

-

Response targets & metrics

-

Email notifications

-

Inbox views

-

Custom fields settings

-

Hacker invitations

-

Hacker submission requirements

-

Embedded submission form

-

Bounty settings

-

Swag settings

-

Common responses

-

Triggers

-

Integrations

-

Webhooks

-

Hackbot

-

Export reports
*Only reports you have access to through organization or custom inboxes

Proof of compliance

-

Report Permissions

Resource

Read only

Report

Reward

View report details

Post internal comments

Post public comments

-

-

Change report state (assign, triage, close)

-

-

Request retests

-

-

Edit report titles and vulnerability types

-

-

Suggest bounty

-

Award bounty

-

-

Add report participants

-

-

Request disclosure

-

-

Agree to disclosure request

-

-

Change custom field values on report

-

-
