How Access Control Works
The two layers are independent and complementary. A user can have any number of roles and any number of groups. Roles shape their dashboard; groups grant access to modules.
| Layer | What it controls | Where configured |
|---|---|---|
| Platform Role | Which modules appear on the user's dashboard (Executive View). Used for identifying a user's job function — e.g. CISO, Internal Auditor. | Users → Roles |
| Access Group | Module-level permissions: view, add, edit, delete, export. Each module (Risk, Incidents, Compliance, Assets, etc.) evaluates group membership. | Users → Groups |
A user with `is_superuser = True` has full access to every module and every user-management function regardless of assigned roles or groups. Reserve superuser status for platform administrators only.
Platform Roles
Platform Roles are fully custom — there are no built-in role names. You create roles that reflect your organisation's structure. Each role can optionally be restricted to specific companies (multi-tenant installations).
Role Properties
| Field | Description |
|---|---|
| Name | Display name shown on user badges (e.g. CISO, SOC Analyst) |
| Slug | Auto-generated URL-safe identifier; must be unique |
| Description | Internal description of the role's purpose |
| Color | Badge colour displayed next to the user's name |
| Order | Sort order in lists and role selectors |
| Companies | If set, the role applies only to those companies; leave blank for a global role |
| Access Groups | Django groups automatically available to users with this role (see Groups section below) |
| Allowed modules | Which dashboard panels appear in the Executive View for this role (e.g. incidents, risk) |
| Active | Inactive roles are hidden from selectors and do not apply to users |
Creating a Role
- Navigate to Users → Roles.
- Click Create Role.
- Enter the role name and optional description.
- Choose a colour badge.
- Optionally restrict to specific companies (leave blank for all companies).
- Select the Access Groups that users with this role should belong to.
- Select which dashboard modules are visible for this role in the Executive View.
- Save.
Executive View Dashboard Config
After creating a role, click Dashboard Config to configure which widget sections (e.g. Security Index, Incident Statistics, Risk Summary) appear for users assigned to this role. Each section can be individually enabled or disabled, and the order of widgets within a section can be rearranged.
Access Groups
An Access Group is a named collection of module permissions. The same group can grant permissions across multiple modules simultaneously. A single user can belong to multiple groups — permissions are additive (union of all groups).
Group Properties
| Field | Description |
|---|---|
| Name | Display name (e.g. Risk Managers, Read-Only Auditors) |
| Description | Internal note on the group's purpose |
| Color | Badge colour displayed in the user list |
| Company | If set, the group's scope is limited to that company |
Module-Level Permissions
Each module exposes its own permission set, linked to the group. All permissions default to False; you grant them explicitly. Permissions are scoped to companies — a group can have edit access to Risk for Company A but only view access for Company B.
| Module | Representative Permissions |
|---|---|
| User Management | View / Add / Edit / Delete users · View / Add / Edit / Delete roles · View / Add / Edit / Delete groups · Org structure · Site statistics |
| Risk | View / Edit risk assessments · Configure assessment · View / Add / Edit / Delete reports · Configure risk settings |
| Incidents | View / Add / Edit / Delete incidents · Send email notifications · Show module link in nav |
| Compliance (Framework) | View / Edit / Add / Delete frameworks and controls · Edit instance controls · Manage evidence · Approve evidence · View reports / Export |
| Compliance (Local) | Similar set for local (regulatory) compliance |
| Compliance (Internal) | Similar set for internal compliance policies |
| Assets | View / Edit assets · Manage administrator and owner assets · Edit asset types · Software register · External media register |
| IS Access (ISAM) | View / Edit access matrix · Manage access records · Configure information systems · Manage access requests · Notification settings · API access |
| Documents | View / Edit documents · View / Edit legislative docs · View / Edit mandatory docs |
| Keys & Certs | View / Edit · Show nav link |
| Phishing (GoPhish) | View campaigns / templates / landing pages / sending profiles / groups · Manage servers · Sync |
| FIM (File Integrity) | View / Add / Edit / Delete / Configure file integrity monitoring |
| Training & Quizzes | View / Edit quizzes · Access quiz results · View / Edit training pages |
| Standards (PCI DSS, ISO 27002) | View / Edit · Show nav link |
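As an added illustration (not SecBoard's own code), the following Python sketch models how the two layers described above combine: active roles decide the Executive View panels and carry their linked groups, groups grant company-scoped module permissions that default to False and union across groups, and `is_superuser` bypasses both. The class and field names are assumptions chosen to mirror the page's terminology.

```python
from dataclasses import dataclass, field

# Constructed model of the two access layers; an illustration, not SecBoard's own code.
@dataclass
class AccessGroup:
    # (module, company) -> granted permission names; anything absent is False
    grants: dict = field(default_factory=dict)

@dataclass
class PlatformRole:
    allowed_modules: set            # Executive View panels for this role
    access_groups: list = field(default_factory=list)
    active: bool = True             # inactive roles do not apply to users

@dataclass
class User:
    roles: list = field(default_factory=list)
    groups: list = field(default_factory=list)
    is_superuser: bool = False

def effective_groups(user):
    # Direct memberships plus the groups every active role carries with it.
    groups = list(user.groups)
    for role in user.roles:
        if role.active:
            groups.extend(role.access_groups)
    return groups

def has_perm(user, module, company, perm):
    if user.is_superuser:  # superuser bypasses roles and groups entirely
        return True
    # Union across groups: one group granting the permission for this company suffices.
    return any(perm in g.grants.get((module, company), ()) for g in effective_groups(user))

def dashboard_modules(user):
    # Roles, not groups, decide which Executive View panels appear.
    return set().union(*(r.allowed_modules for r in user.roles if r.active))

def demo():
    risk_managers = AccessGroup({("risk", "Company A"): {"view", "edit"},
                                 ("risk", "Company B"): {"view"}})   # view only for B
    ciso = PlatformRole({"risk", "incidents"}, access_groups=[risk_managers])
    alice = User(roles=[ciso])
    return (has_perm(alice, "risk", "Company A", "edit"),      # True
            has_perm(alice, "risk", "Company B", "edit"),      # False: scoped per company
            has_perm(alice, "incidents", "Company A", "view"), # False: panel visible, no group grant
            sorted(dashboard_modules(alice)))                  # ['incidents', 'risk']
```

The third result is the case worth checking in a real deployment: a role can make a panel visible without any group granting the underlying module permission.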
Creating a Group
- Navigate to Users → Groups.
- Click Create Group.
- Enter the group name, description, and colour.
- Optionally restrict to a specific company.
- Save — the group is created with all permissions set to False.
- Re-open the group and configure permissions for each module on the group's detail page.
Assigning Roles and Groups to Users
Roles and groups are assigned when creating or editing a user. They can also be changed at any time through the user's profile.
- Navigate to Users → Users.
- Click on a user to open their profile, then click Edit.
- In the Platform Roles field, select one or more roles.
- In the Access Groups field, select one or more groups.
- Save. Changes take effect immediately on the user's next page request.
Who Can Manage Users and Groups
Access to the Users section is itself controlled by group permissions — specifically, the User Management permission set. This allows you to delegate user administration without granting superuser status.
| Permission | What it enables |
|---|---|
| View Users | See the Users list and user profiles |
| Add Users | Create new user accounts |
| Edit Users | Modify user data, assign roles and groups |
| Delete Users | Remove user accounts |
| Export Users | Export user list to Excel |
| View Roles | See the Roles list |
| Add / Edit / Delete Roles | Manage Platform Roles |
| View Groups | See the Groups list |
| Add / Edit / Delete Groups | Manage Access Groups and their permissions |
| View Org Structure | See companies, departments, and positions |
| Manage Org Structure | Add / Edit / Delete companies, departments, positions |
| View Org Chart | See the visual organisation chart |
| View Site Statistics | See platform usage statistics |
| Export Statistics | Export statistics reports |
| Detailed Statistics | View per-user and per-action detailed analytics |
Active Directory Integration
In multi-company installations, each company can have an AD connection configured. When a user authenticates via AD:
- A SecBoard account is automatically created or updated with their AD attributes (name, email, phone, department).
- If Sync AD Groups is enabled on the AD connection, the user's AD group membership is automatically mirrored to SecBoard Access Groups on every login.
- AD-managed accounts are marked with `is_ad_synced = True` and their attributes are refreshed from the directory on each login.
AD connections are configured per company in the Django admin panel under App Cabinet → Cabinet AD connections.
Recommended Setup Pattern
| # | Step |
|---|---|
| 1 | Identify the job functions in your team (e.g. CISO, Risk Manager, Read-Only Auditor) |
| 2 | Create one Platform Role per job function with an appropriate colour and dashboard widget set |
| 3 | Design your group structure: one group per access tier (e.g. Full Access, Read-Only, Risk Only) |
| 4 | Configure module permissions on each group |
| 5 | Link each Platform Role to the groups users with that role should receive |
| 6 | Create users and assign their roles — groups follow automatically from the role definition |
| 7 | Verify access by logging in as a test user before inviting the full team |
Information System Access Management (ISAM)
In addition to SecBoard platform access, the IS Access Management module tracks and governs user access to your organisation's external information systems (e.g. ERP, CRM, banking systems). This is a separate layer from SecBoard's own permissions.
Key concepts:
- Access Matrix — visual matrix of roles × functions × access rights per information system.
- Access Records — actual records of which user/group holds which role and access right in which IS object, environment (production / test / dev), and date range.
- Access Requests — end-users can self-service request or revoke IS access. Requests go through a configurable multi-level approval chain.
- Approvers — ordered approvers are defined per IS. Level N can only act after level N-1 approves; one rejection cancels all pending approvals.
ISAM is configured at IS Access → Access Config IS and managed at IS Access → Access Records. End-users submit requests from their personal profile via My Access → Request Access.
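The ordered approval chain described above, as an added Python model (not SecBoard's own code): approvers are a per-IS list with level 1 first, a level can only act once the previous level has approved, and a single rejection ends the request so no later level is ever asked. The class and method names are assumptions.

```python
from enum import Enum

# Constructed model of the ISAM approval chain; an illustration, not SecBoard's own code.
class Status(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    REJECTED = "rejected"

class AccessRequest:
    def __init__(self, requester, is_name, approvers):
        # approvers: ordered approver usernames for this IS, level 1 first
        self.requester, self.is_name = requester, is_name
        self.approvers = list(approvers)
        self.decisions = []          # approvers who have approved so far, in order
        self.status = Status.PENDING if self.approvers else Status.APPROVED

    def current_level(self):
        # 1-based level whose turn it is, or None once the chain has finished
        return len(self.decisions) + 1 if self.status is Status.PENDING else None

    def _check_turn(self, approver):
        level = self.current_level()
        if level is None:
            raise PermissionError(f"request already {self.status.value}")
        if self.approvers[level - 1] != approver:
            raise PermissionError(f"{approver} cannot act: level {level} belongs to "
                                  f"{self.approvers[level - 1]}")

    def approve(self, approver):
        self._check_turn(approver)   # level N acts only after level N-1 approved
        self.decisions.append(approver)
        if len(self.decisions) == len(self.approvers):
            self.status = Status.APPROVED
        return self.status

    def reject(self, approver):
        self._check_turn(approver)
        self.status = Status.REJECTED  # one rejection cancels all pending levels
        return self.status

def demo():
    req = AccessRequest("bob", "ERP", ["line_manager", "is_owner", "ciso"])
    req.approve("line_manager")
    try:
        req.approve("ciso")          # level 3 cannot act before level 2
    except PermissionError:
        pass
    req.reject("is_owner")           # chain ends here; ciso is never asked
    return req.status, req.current_level(), req.decisions
```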
Next Steps
- Organisational Structure: set up companies, departments, and positions to organise your user directory.
- Risk Management Setup: configure the Risk module — assessment methodology, criteria, and report templates.