
User and Vendor Management

RiskFlow separates internal users (team members) and external users (vendors). Each team manages its own users, and access levels are defined via roles.


Internal User Management

MSP Users

  • Managed by: MSP Super Admin
  • Flow:
    1. Invite users by email from the MSP Team Page
    2. Assign roles during or after invitation
    3. Manage and remove access at any time

Organization Users

  • Managed by: Org Admin
  • Flow:
    1. Invite users by email from the Org Team Page
    2. Assign roles like Employee, Security Analyst, etc.
    3. Users can only belong to one organization

All internal users must log in via email/password (or future SSO).


Vendor Management

What is a Vendor?

A vendor is an external, non-member user who signs Business Associate Agreements (BAAs) with organizations.

Key Rules

  • Vendors cannot self-register
  • Vendors do not have passwords
  • Vendors access the platform via magic link only

Vendor Invitation Flow

  1. Org Admin opens the BAA module
  2. Clicks Invite Vendor
  3. Enters vendor's name and email
  4. Vendor receives a secure magic link
  5. Vendor selects the organization and signs the assigned agreements

📌 Vendors can be affiliated with multiple organizations, but have no team access or role.


Authentication Modes

User Type | Auth Method     | Role-Based? | Can Be Invited
--------- | --------------- | ----------- | -------------------
MSP/Org   | Email/password  |             |
Vendor    | Magic link only |             | ✅ (Only by Admins)

Common Issues

  • Vendor can’t log in: Expired or used magic link → Resend invite
  • User didn’t receive invite: Check spam or resend
  • User assigned wrong role: Admin can update from team page
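
The vendor rules above (no self-registration, no password, magic link only) and the "expired or used magic link" issue describe links that are admin-issued, time-limited and single-use. The following is an added Python example of that pattern, not RiskFlow's own code; the `MagicLinkStore` class, the `org_admin` role string, the 15-minute lifetime, the in-memory storage and the behaviour that a resend supersedes the earlier link are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

LINK_TTL_SECONDS = 15 * 60  # assumed lifetime; the page does not state one

# In-memory stand-in for a server-side token table (hypothetical).
class MagicLinkStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # vendor email -> (sha256 of token, expiry time)

    def invite(self, inviter_role, vendor_email):
        # Vendors cannot self-register: only an admin invite mints a link.
        if inviter_role != "org_admin":  # hypothetical role identifier
            raise PermissionError("only an Org Admin can invite a vendor")
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        # A resend overwrites the old entry, so the earlier link stops working.
        expiry = self._clock() + LINK_TTL_SECONDS
        self._pending[vendor_email.lower()] = (digest, expiry)
        return token  # emailed inside the URL; only its hash is stored

    def redeem(self, vendor_email, token):
        """Return 'ok', 'expired' or 'invalid'; a link works at most once."""
        key = vendor_email.lower()
        entry = self._pending.get(key)
        if entry is None:
            return "invalid"  # never invited, or the link was already used
        digest, expiry = entry
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):
            return "invalid"
        del self._pending[key]  # burn the link on first use or on expiry
        return "expired" if self._clock() > expiry else "ok"


def demo():
    now = [1_000_000.0]  # constructed clock so the example runs offline
    store = MagicLinkStore(clock=lambda: now[0])
    first = store.invite("org_admin", "vendor@example.com")
    second = store.invite("org_admin", "vendor@example.com")  # resend
    results = [store.redeem("vendor@example.com", first),   # superseded
               store.redeem("vendor@example.com", second),  # first use
               store.redeem("vendor@example.com", second)]  # replay
    third = store.invite("org_admin", "vendor@example.com")
    now[0] += LINK_TTL_SECONDS + 1
    results.append(store.redeem("vendor@example.com", third))
    return results
```

Both the "expired" and "invalid" outcomes map to the same remedy listed under Common Issues: an admin resends the invite.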