
Role Management

The RiskFlow platform uses a role-based access control (RBAC) model to manage user permissions. Roles are scoped at either the MSP or Organization level, and each role comes with specific capabilities.


How Role Management Works

  • Roles are assigned per team context (MSP or Organization).
  • Each user may belong to one or more teams and hold different roles in each.
  • Permissions are stored as bitfields and can be used to conditionally render UI or enforce backend access.
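
The following is an added example of the bitfield permission model described above, written to show how the same mask can drive both a backend access check and a UI render decision. It is not RiskFlow's own code: the flag names, the role-to-mask mapping (derived from the role descriptions on this page), the membership store and the helper functions are all assumptions made for illustration.

```javascript
// Added example (not RiskFlow's own code): a bitfield permission model of the
// kind this page describes, used both as a backend guard and a UI render check.
// The flag names, role masks, membership store and helpers are assumptions.

// One bit per capability; bitwise OR combines them into a role's mask.
const Perm = Object.freeze({
  VIEW:          1 << 0, // read dashboards, reports and documents
  SIGN:          1 << 1, // sign a document assigned to you
  MANAGE_USERS:  1 << 2, // invite, edit and remove team members
  EDIT_SRA:      1 << 3, // Security Risk Assessment module
  EDIT_PNP:      1 << 4, // Policies & Procedures
  EDIT_BAA:      1 << 5, // Business Associate Agreements
  EDIT_VENDORS:  1 << 6,
  EDIT_SETTINGS: 1 << 7,
});

const ALL_EDIT =
  Perm.EDIT_SRA | Perm.EDIT_PNP | Perm.EDIT_BAA | Perm.EDIT_VENDORS | Perm.EDIT_SETTINGS;

// Role -> default permission mask, following the role descriptions on this page.
const RoleMask = Object.freeze({
  'MSP Super Admin':    Perm.VIEW | Perm.MANAGE_USERS | ALL_EDIT,
  'MSP Auditor':        Perm.VIEW,
  'Org Admin':          Perm.VIEW | Perm.MANAGE_USERS | ALL_EDIT,
  'Org Auditor':        Perm.VIEW,
  'Employee':           Perm.VIEW | Perm.SIGN,
  'Vendor':             Perm.VIEW | Perm.SIGN,
  'Security Analyst':   Perm.VIEW | Perm.EDIT_SRA,
  'Compliance Analyst': Perm.VIEW | Perm.EDIT_PNP | Perm.EDIT_BAA,
});

// Constructed membership store: userId -> teamId -> { role, grant? }.
// A user holds one role per team and may hold different roles in different
// teams. An optional `grant` mask narrows the role's default mask, which is
// how a Compliance Analyst scoped to BAAs only can be represented.
const memberships = {
  'user-42': {
    'msp-1': { role: 'MSP Auditor' },
    'org-7': { role: 'Org Admin' },
  },
  'user-99': {
    'org-7': { role: 'Compliance Analyst', grant: Perm.VIEW | Perm.EDIT_BAA },
  },
};

// Effective permission mask for a user in one team context; 0 if not a member.
function permissionsFor(userId, teamId) {
  const m = memberships[userId]?.[teamId];
  if (!m) return 0;
  const base = RoleMask[m.role] ?? 0;
  return m.grant === undefined ? base : base & m.grant;
}

// True when every bit of `required` is set in `mask`.
function hasAll(mask, required) {
  return (mask & required) === required;
}

// Backend guard: the check is always made against the team the request
// targets, never against a role the user holds elsewhere. Returns an
// HTTP-style status so a route handler can short-circuit on it.
function authorize(userId, teamId, required) {
  const mask = permissionsFor(userId, teamId);
  if (mask === 0) return 403; // not a member of this team at all
  return hasAll(mask, required) ? 200 : 403;
}

// UI check: render a control only when the same guard would let the action through.
function canShow(userId, teamId, required) {
  return authorize(userId, teamId, required) === 200;
}
```

The point of routing the UI check through `authorize` is that hiding a button is never the control; the backend guard is, and the two must agree on the same mask for the same team context.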

MSP Roles

MSP Super Admin

  • Has full control over the MSP.
  • Can invite, manage, and remove users.
  • Can invite new organizations under the MSP.
  • Can manage billing (when implemented).
  • Can see and manage logs and configuration.

MSP User

  • Can view and manage specific assigned organizations.
  • Limited access to MSP-level settings.
  • Cannot invite new MSP members or manage other users unless given elevated rights.

MSP Auditor

  • Read-only access to the MSP dashboard.
  • Can view assigned organizations and their compliance reports.
  • Cannot modify settings or invite users.

Organization Roles

1. Org Admin

  • Full control over the organization.
  • Can manage:
    • Users
    • Projects (SRA, PnP, BAA)
    • Vendors
    • Settings

2. Org Auditor

  • Read-only access to all organization data.
  • Cannot create or modify anything.
  • Useful for compliance and oversight roles.

3. Employee

  • Can view and sign documents assigned to them.
  • Cannot manage teams, vendors, or settings.

4. Vendor

  • Not a registered user; invited by an Org Admin.
  • Authenticated via magic link only.
  • Has access to a dedicated vendor dashboard.
  • Can:
    • View and sign assigned BAAs.
    • Download signed documents.
  • Cannot:
    • Edit or upload any documents.
    • Be part of multiple teams — but can be affiliated with multiple organizations.

5. Security Analyst

  • Access only to the Security Risk Assessment (SRA) module.
  • Cannot manage teams or vendors.

6. Compliance Analyst

  • Can manage:
    • Policies & Procedures (PnP)
    • Business Associate Agreements (BAA)
  • Can be granted scoped access (e.g., manage BAAs but not PnP).
  • Cannot access the SRA module unless explicitly assigned.

Role Assignment Rules

  • The first user of any team (Org or MSP) becomes the admin/super admin by default.
  • Users cannot self-register into an MSP-managed organization — they must be invited.
  • Vendor users:
    • Are created only through admin invitation.
    • Cannot log in directly or reuse credentials.
  • Each team manages its own users and roles, except for the first user, who must be approved by a higher authority (Owner or MSP Admin).
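
The following is an added example, not RiskFlow's own code, of a membership-creation routine that enforces the assignment rules listed above: the first user of a team defaults to admin (pending approval), no self-registration into an MSP-managed organization, vendors created only by an Org Admin invitation and authenticated by magic link, and each team's own admin (or the managing MSP's super admin) controlling further role assignments. The team and member record shapes, the function names and the rejection reasons are assumptions for illustration.

```javascript
// Added example (not RiskFlow's own code): enforcing the role assignment rules
// from this page when a membership is created. Record shapes, function names
// and reason strings are assumptions for illustration.

// Default role for the first member of each team kind.
const DEFAULT_ADMIN = Object.freeze({ MSP: 'MSP Super Admin', ORG: 'Org Admin' });

// Constructed team record. An organization managed by an MSP carries mspId.
function makeTeam(id, kind, mspId = null) {
  return { id, kind, mspId, members: [] };
}

function findMember(team, userId) {
  return team.members.find((m) => m.userId === userId);
}

// Does `actor` ({ userId, teamId, role }) administer `team`? Either an admin of
// the team itself, or a super admin of the MSP that manages this organization
// (the "higher authority" the rules refer to).
function isTeamAdmin(actor, team) {
  if (!actor) return false;
  if (actor.teamId === team.id && actor.role === DEFAULT_ADMIN[team.kind]) return true;
  if (team.kind === 'ORG' && team.mspId && actor.teamId === team.mspId) {
    return actor.role === 'MSP Super Admin';
  }
  return false;
}

// Add `userId` to `team` in `requestedRole`. `actor` is the inviting member or
// null when the user is registering on their own.
// Returns { ok: true, member } or { ok: false, reason }.
function addMember(team, userId, requestedRole, actor) {
  if (findMember(team, userId)) {
    return { ok: false, reason: 'already a member of this team' };
  }

  // Vendors are never self-registered and are created only by an Org Admin
  // of this organization. They get magic-link auth, never a password.
  if (requestedRole === 'Vendor') {
    const invitedByOrgAdmin =
      team.kind === 'ORG' && actor && actor.teamId === team.id && actor.role === 'Org Admin';
    if (!invitedByOrgAdmin) {
      return { ok: false, reason: 'vendors are created only by Org Admin invitation' };
    }
    const member = { userId, role: 'Vendor', auth: 'magic-link', approved: true };
    team.members.push(member);
    return { ok: true, member };
  }

  // No self-registration into an MSP-managed organization: must be invited.
  if (team.kind === 'ORG' && team.mspId && !actor) {
    return { ok: false, reason: 'self-registration into an MSP-managed organization is not allowed' };
  }

  // First user of any team becomes admin / super admin by default; the
  // requested role is ignored. Marked unapproved until a higher authority
  // approves the new team.
  if (team.members.length === 0) {
    const member = { userId, role: DEFAULT_ADMIN[team.kind], auth: 'password', approved: false };
    team.members.push(member);
    return { ok: true, member };
  }

  // Each team manages its own users and roles: only its admin (or the managing
  // MSP's super admin) may assign a role to a further member.
  if (!isTeamAdmin(actor, team)) {
    return { ok: false, reason: 'only an admin of this team may assign roles' };
  }

  const member = { userId, role: requestedRole, auth: 'password', approved: true };
  team.members.push(member);
  return { ok: true, member };
}
```

Keeping the vendor branch first matters: a vendor record must never fall through to the "first user becomes admin" default, and the `auth: 'magic-link'` marker is what a login handler would consult to refuse password or credential-based sign-in for that account.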

Role Comparison Table

Role               | Scope                  | Can Manage Users | Can Edit Content
-------------------|------------------------|------------------|-------------------
MSP Super Admin    | MSP                    | Yes              | Yes
MSP User           | MSP                    | Some             | Some
MSP Auditor        | MSP                    | No               | No
Org Admin          | Organization           | Yes              | Yes
Org Auditor        | Organization           | No               | No
Employee           | Organization           | No               | Limited (signing)
Vendor             | External (Affiliated)  | No               | Limited (signing)
Security Analyst   | Organization           | No               | SRA only
Compliance Analyst | Organization           | No               | BAA / PnP only