Groups are used to grant (and limit) access and permissions to users.
Users who are not added to any groups can onboard into the organization but will not have access to any areas for that organization until granted access and permissions through a group.
To see all groups for your organization, go to Organization Settings > Groups.
This page gives an overview of the groups that have been created in your organization and the permissions and access each group grants to its users.
Groups can grant permissions to perform certain actions within the platform. These permissions, however, apply only in the areas the user has access to through the group.
Permissions that can be granted by a group:
- Read only access
- Post internal comments
- Edit profile, program, and bounty settings
- Invite hackers
- View billing information
- Edit inbox views
- Post comments
- Change report states
- Edit report titles and vulnerability types
- Suggest bounties
- Add/remove external participants from reports
- Edit common responses
- Edit triggers
- Request public disclosure
- Agree to public disclosure request
- Create CVE ID Requests
- Transfer reports
- Grant rewards
Every group by default has Read Only permissions as the most basic permission for the platform. Users who do not belong to any groups do not have any permissions, including Read Only permission.
In addition to permissions, groups also grant access to specific areas within the platform. Access to these areas is defined by access to:
- Program settings
- Program dashboard
- Program inbox and reports
- Program inbox access (by default provided when granting access to the program)
- Custom inbox access
Users who have been added to groups that grant permissions but no access will not be able to perform the actions those permissions allow on the platform.
Users get access and permissions based on all groups they belong to.
For example, one group could provide a set of permissions and another group could provide access. As a result, the user will be able to perform actions in specific areas of the platform based on the combination of permissions and access from these groups.
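The combination rule above, worked through as an added example (not HackerOne code or a HackerOne API). It assumes a user's effective rights are the union of permissions from all their groups applied across the union of access from all their groups; the group, user and program names are constructed.

```python
# Added example. Group, user and program names are constructed sample data.
# Assumption: effective rights = (union of permissions) x (union of access).
READ_ONLY = "Read only access"  # every group grants this by default

GROUPS = {
    "triage": {"members": {"alice", "bob"},
               "permissions": {"Change report states", "Post comments"},
               "access": {"web-program"}},
    "finance": {"members": {"bob", "carol", "erin"},
                "permissions": {"Grant rewards", "View billing information"},
                "access": set()},          # permissions but no access
    "mobile": {"members": {"carol"},
               "permissions": set(),        # access with only Read Only
               "access": {"mobile-program"}},
}

def memberships(user, groups):
    return [g for g in groups.values() if user in g["members"]]

def effective(user, groups):
    """Return (permissions, areas) combined over every group the user is in."""
    mine = memberships(user, groups)
    if not mine:                  # no groups: no permissions, not even Read Only
        return set(), set()
    perms = {READ_ONLY}.union(*(g["permissions"] for g in mine))
    areas = set().union(*(g["access"] for g in mine))
    return perms, areas

def can(user, permission, area, groups):
    perms, areas = effective(user, groups)
    return permission in perms and area in areas

def cross_group_grants(user, groups):
    """(permission, area) pairs that no single group grants by itself."""
    perms, areas = effective(user, groups)
    single = set()
    for g in memberships(user, groups):
        single |= {(p, a) for p in g["permissions"] | {READ_ONLY}
                   for a in g["access"]}
    return {(p, a) for p in perms for a in areas} - single

if __name__ == "__main__":
    for user in ["alice", "bob", "carol", "erin", "dave"]:
        print(user, sorted(cross_group_grants(user, GROUPS)))
```

The pairs returned by `cross_group_grants` are the ones worth reviewing when a user is added to a second group, because neither group's own definition shows them.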
To add a new group:
- Navigate to Organization Settings > Groups
- Click on Add new group
- On the new page, add your new group name
- Add the users you want to be part of this group
- Define the permissions for this group (as mentioned above)
- Define the access this group will grant the users
- Click on Save group
Once a group has been created, you can add additional users to it by editing users or groups.
A group can be edited from the Groups overview page:
- Select the edit icon on the group you want to update
- On the group profile page you can:
  - Edit the users in the group by adding new users, or remove users by clicking on the Remove icon
  - Edit group permissions by deselecting current permissions or selecting additional permissions
  - Edit group access by adding or removing program access for this group in the input field
- Changes to the group are saved automatically
Editing a group’s permissions and access will result in changes to a user’s permissions and access. You can see what each user has permissions and access to by going to that user's profile.
A group can be removed in two ways:
- By clicking on the remove icon for the group you want to remove
- By removing the group from the group profile page (editing a group)
Both of these options will display a modal that explains how removing the group might impact your users’ access and permissions. To remove the group, click on Remove group.
Tip: Create groups to represent your organization structure (product teams, business units, or departments) and manage access and permissions depending on their roles and responsibilities within your organization.
Organizations are not limited to a specific number of groups. Only organization administrators can add, manage, and remove groups in the organization.