Managing Roles, Groups, and Permissions
How to control who can do what in your Herd workspace using roles, groups, and permissions.
Understanding Roles
Every user in Herd has one of three roles. Your role determines your overall level of access.
Admin (organization owners and security leaders): Full access to everything. Bypasses all permission checks. Can manage users, groups, billing, and integrations.
Operator (team leads, department heads, training coordinators): Web app access with permissions controlled by group membership. Can only do what their group permissions allow.
Member (everyone else in your organization): No web app access. Interacts with Herd only through Slack or Teams — completing trainings, responding to simulations, etc.
The first user to log in to a new Herd workspace automatically becomes an Admin. All subsequent users start as Operators and are added to your default group.
Understanding Groups
Groups are how you organize Operators and assign them permissions. Think of groups like teams — each group has a set of permissions, and every Operator in that group inherits those permissions.
Each group has a name, description, and a set of permissions
An Operator can belong to multiple groups — their permissions are the combined set from all groups
New Operators are automatically added to your organization's default group
Groups can pull members from Okta, Azure AD, Google Workspace, or Slack to mirror your existing team structure
When your workspace is first created, a Full Access default group is set up automatically — meaning every new Operator has full access to everything. We strongly recommend configuring restrictive groups early.
Setting Up Groups
1. Plan Your Access Structure
Before creating groups, decide who needs access to what.
Keep the default Full Access group. All Operators can do everything. Admins handle user management and settings.
Security Team — Full phishing, smishing, training, and reporting access. Template: Security Manager
HR / Training Team — Training creation and assignment only. Template: Training Manager
Compliance Team — Compliance campaigns and policies. Template: Compliance Manager
Leadership — Read-only dashboards and reports. Template: Viewer
Create a custom group for each role with only the specific permissions they need. Start with the closest template and remove permissions you don't want to grant.
2. Create a Group
Open Group Settings: Go to Settings in the left sidebar, then click Groups.
Create the Group: Click Create Group, then give it a name and description.
Choose a Template: Select a permission template as a starting point, or build from scratch.
Adjust Permissions: Add or remove individual permissions as needed for this group.
Add Members: Add individual users or connect synced identity provider groups.
3. Update Your Default Group
If you don't want new users to automatically have full access:
Go to Settings > Groups
Edit the default group's permissions (e.g., change it to Viewer-only)
Or create a new limited-permission group and set it as the default
Permission Reference
Admins always have all permissions. The tables below apply to Operators.
View trainings: See all trainings in your organization
Create trainings: Build new trainings (manual or AI-generated)
Edit trainings: Modify existing trainings
Delete trainings: Remove trainings permanently
Assign trainings: Send trainings to employees via Slack or Teams
Approve trainings: Review and approve pending trainings before they go live
View tracks: See all learning tracks
Create tracks: Build new multi-training tracks
Edit tracks: Modify existing tracks
Delete tracks: Remove tracks
Assign tracks: Assign tracks to employees
View phishing: See phishing campaigns and results
Manage templates: Create, edit, and delete phishing email templates
Approve templates: Review and approve phishing templates
Manage campaigns: Create, launch, pause, and delete phishing campaigns
View smishing: See SMS simulation campaigns and results
Manage templates: Create, edit, and delete SMS templates
Approve templates: Review and approve SMS templates
Manage campaigns: Create, launch, pause, and delete SMS campaigns
View compliance: See compliance campaigns and status
Manage compliance: Create, edit, and run compliance campaigns
View policies: See all policies
Manage policies: Create, edit, delete, and publish policies
View dashboard: Access the reporting dashboard with charts and summaries
View risk scores: See individual employee risk scores
View users: See the user list and profiles
Manage users: Add, edit, and deactivate users
View groups: See group configurations
Manage groups: Create, edit, and delete groups and their permissions
Organization settings: Modify organization-level settings (name, branding, SMS)
Integrations: Configure Slack, Teams, Okta, Azure AD, and other integrations
Permissions settings: Configure organization-wide permission defaults
Permission Templates
Templates are pre-built permission sets that make group setup faster. Use them as a starting point — you can add or remove individual permissions after applying one.
Training Manager (HR teams, L&D coordinators): View, create, edit, delete, and assign trainings
Training Reviewer (managers who approve content): View and approve trainings
Security Manager (security team leads): Full training, phishing, smishing, tracks, and reporting access
Compliance Manager (compliance officers, GRC teams): Compliance campaigns, policies, and dashboard access
Viewer (leadership, auditors): Read-only access to all content, dashboards, users, and groups
Full Access (small teams, power users): All permissions — equivalent to Admin, but still governed by group membership
Ownership Scoping
When Operators create trainings, campaigns, or other content, that content is owned by their group.
Operators can only edit and delete content owned by groups they belong to
Operators can view content from other groups if they have the relevant view permission
Admins can see and manage all content regardless of ownership
This prevents department heads from accidentally modifying each other's work while still allowing visibility across the organization.
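The access rules this guide describes (role first, then the combined permissions of all groups, then ownership scoping for edits and deletes) can be modeled as follows. This is an added example, not Herd's code: the `Group`, `User`, `effective_permissions` and `can` names are hypothetical, the permission strings are taken from the Permission Reference, and the groups and users are constructed samples.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    name: str
    permissions: frozenset  # permission names as listed in the Permission Reference

@dataclass(frozen=True)
class User:
    name: str
    role: str               # "Admin", "Operator" or "Member"
    groups: tuple = ()

def effective_permissions(user):
    """Combined permission set from every group the user belongs to."""
    perms = set()
    for group in user.groups:
        perms |= group.permissions
    return perms

def can(user, action, owner_group, resource="trainings"):
    """May `user` perform `action` on `resource` content owned by `owner_group`?"""
    if user.role == "Admin":
        return True                      # Admins bypass all permission checks
    if user.role != "Operator":
        return False                     # Members have no web app access
    if f"{action} {resource}" not in effective_permissions(user):
        return False                     # no group grants this permission
    if action in ("Edit", "Delete"):     # ownership scoping
        return owner_group in {g.name for g in user.groups}
    return True                          # viewing works across groups

# Constructed sample groups and users (not real data).
SECURITY = Group("Security Team", frozenset(
    {"View trainings", "Edit trainings", "Delete trainings"}))
HR = Group("HR / Training Team", frozenset(
    {"View trainings", "Create trainings", "Edit trainings"}))
LEADERSHIP = Group("Leadership", frozenset({"View trainings"}))

alice = User("alice", "Operator", (HR,))
bob = User("bob", "Operator", (LEADERSHIP, SECURITY))
carol = User("carol", "Member")
dana = User("dana", "Admin")
erin = User("erin", "Operator")          # removed from all groups

if __name__ == "__main__":
    for u in (alice, bob, carol, dana, erin):
        print(u.name, can(u, "Edit", "Security Team"))
```

In this model bob can edit Leadership-owned trainings even though Leadership grants only view rights, because the edit permission comes from Security Team and ownership only requires membership. Whether Herd evaluates multi-group Operators this way is an assumption to confirm when reviewing who sits in more than one group.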
Common Questions
Can an Operator give themselves more permissions?
No. Only users with the Manage Groups permission can change group permissions, and they can only modify groups — not grant themselves Admin access. Only an Admin can promote someone to Admin.
What happens when I remove someone from a group?
They immediately lose that group's permissions. If they belong to other groups, they keep those permissions. If removed from all groups, they have no permissions and will see an empty dashboard.
Can I sync groups with my identity provider?
Yes. Groups can pull members from Okta, Azure AD, Google Workspace, and Slack. When someone is added or removed in your IdP, their Herd permissions update automatically.
What's the difference between an Admin and an Operator with Full Access?
Functionally very similar, but Admins can: promote or demote other Admins, manage billing, impersonate users for troubleshooting, and their access can never be restricted by group changes. An Operator with Full Access can lose permissions if their group is modified.
How do I restrict the default group?
Go to Settings > Groups, edit the default group, and change its permissions to something more restrictive (e.g., Viewer). All future new users will receive these limited permissions instead of full access.
I accidentally locked myself out. What do I do?
Ask another Admin in your organization to restore your group membership. If no other Admins are available, contact Herd support.
Best Practices
Set up groups early — Don't leave the default Full Access group unchanged. Configure proper groups before inviting your team.
Use least privilege — Start with the minimum permissions needed and add more as required.
Mirror your org structure — Use IdP group sync so permissions stay up to date automatically.
Review permissions quarterly — As roles change, make sure group memberships still reflect current responsibilities.
Keep at least two Admins — So you're never locked out if one Admin leaves the organization.
Use templates as starting points — They cover the most common use cases and save setup time.