# Managing Roles, Groups, and Permissions

***

### Understanding Roles

Every user in Herd has one of three roles. Your role determines your overall level of access.

| Role         | Who It's For                                        | Access Level                                                                                                               |
| ------------ | --------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------- |
| **Admin**    | Organization owners and security leaders            | Full access to everything. Bypasses all permission checks. Can manage users, groups, billing, and integrations.            |
| **Operator** | Team leads, department heads, training coordinators | Web app access with permissions controlled by group membership. Can only do what their group permissions allow.            |
| **Member**   | Everyone else in your organization                  | No web app access. Interacts with Herd only through Slack or Teams — completing trainings, responding to simulations, etc. |

{% hint style="info" %}
The first user to log in to a new Herd workspace automatically becomes an **Admin**. Every subsequent user who logs in starts as an **Operator** and is added to your default group, so the default group's permission set is what each new Operator receives.
{% endhint %}

***

### Understanding Groups

Groups are how you organize Operators and assign them permissions. Think of groups like teams — each group has a set of permissions, and every Operator in that group inherits those permissions.

* Each group has a **name**, **description**, and a **set of permissions**
* An Operator can belong to **multiple groups** — their permissions are the combined set from all groups
* New Operators are automatically added to your organization's **default group**
* Groups can pull members from **Okta**, **Azure AD**, **Google Workspace**, or **Slack** to mirror your existing team structure

{% hint style="warning" %}
When your workspace is first created, a **Full Access** default group is set up automatically — meaning every new Operator has full access to everything. We strongly recommend configuring restrictive groups early.
{% endhint %}

***

### Setting Up Groups

#### 1. Plan Your Access Structure

Before creating groups, decide who needs access to what.

{% tabs %}
{% tab title="Small Team" %}
Keep the default **Full Access** group. All Operators can do everything. Admins handle user management and settings.
{% endtab %}

{% tab title="Department-Based" %}

| Group                                                                       | Recommended Template |
| --------------------------------------------------------------------------- | -------------------- |
| **Security Team** — Full phishing, smishing, training, and reporting access | Security Manager     |
| **HR / Training Team** — Training creation and assignment only              | Training Manager     |
| **Compliance Team** — Compliance campaigns and policies                     | Compliance Manager   |
| **Leadership** — Read-only dashboards and reports                           | Viewer               |

{% endtab %}

{% tab title="Least-Privilege" %}
Create a custom group for each role with only the specific permissions they need. Start with the closest template and remove permissions you don't want to grant.
{% endtab %}
{% endtabs %}

#### 2. Create a Group

{% stepper %}
{% step %}
**Open Group Settings**

Go to **Settings** in the left sidebar, then click **Groups**.
{% endstep %}

{% step %}
**Create the Group**

Click **Create Group**, then give it a name and description.
{% endstep %}

{% step %}
**Choose a Template**

Select a **permission template** as a starting point, or build from scratch.
{% endstep %}

{% step %}
**Adjust Permissions**

Add or remove individual permissions as needed for this group.
{% endstep %}

{% step %}
**Add Members**

Add individual users or connect synced identity provider groups.
{% endstep %}
{% endstepper %}

#### 3. Update Your Default Group

If you don't want new users to automatically receive full access, do one of the following:

1. Go to **Settings > Groups** and edit the default group's permissions (e.g., reduce it to the Viewer set), or
2. Create a new limited-permission group and set it as the default.

***

### Permission Reference

Admins always have all permissions. The tables below apply to **Operators**.

{% tabs %}
{% tab title="Training" %}

| Permission        | What It Allows                                           |
| ----------------- | -------------------------------------------------------- |
| View trainings    | See all trainings in your organization                   |
| Create trainings  | Build new trainings (manual or AI-generated)             |
| Edit trainings    | Modify existing trainings                                |
| Delete trainings  | Remove trainings permanently                             |
| Assign trainings  | Send trainings to employees via Slack or Teams           |
| Approve trainings | Review and approve pending trainings before they go live |

{% endtab %}

{% tab title="Tracks" %}

| Permission    | What It Allows                  |
| ------------- | ------------------------------- |
| View tracks   | See all learning tracks         |
| Create tracks | Build new multi-training tracks |
| Edit tracks   | Modify existing tracks          |
| Delete tracks | Remove tracks                   |
| Assign tracks | Assign tracks to employees      |

{% endtab %}

{% tab title="Phishing" %}

| Permission        | What It Allows                                       |
| ----------------- | ---------------------------------------------------- |
| View phishing     | See phishing campaigns and results                   |
| Manage templates  | Create, edit, and delete phishing email templates    |
| Approve templates | Review and approve phishing templates                |
| Manage campaigns  | Create, launch, pause, and delete phishing campaigns |

{% endtab %}

{% tab title="Smishing" %}

| Permission        | What It Allows                                  |
| ----------------- | ----------------------------------------------- |
| View smishing     | See SMS simulation campaigns and results        |
| Manage templates  | Create, edit, and delete SMS templates          |
| Approve templates | Review and approve SMS templates                |
| Manage campaigns  | Create, launch, pause, and delete SMS campaigns |

{% endtab %}

{% tab title="Compliance & Policy" %}

| Permission        | What It Allows                             |
| ----------------- | ------------------------------------------ |
| View compliance   | See compliance campaigns and status        |
| Manage compliance | Create, edit, and run compliance campaigns |
| View policies     | See all policies                           |
| Manage policies   | Create, edit, delete, and publish policies |

{% endtab %}

{% tab title="Reporting" %}

| Permission       | What It Allows                                           |
| ---------------- | -------------------------------------------------------- |
| View dashboard   | Access the reporting dashboard with charts and summaries |
| View risk scores | See individual employee risk scores                      |

{% endtab %}

{% tab title="Users & Groups" %}

| Permission    | What It Allows                                        |
| ------------- | ----------------------------------------------------- |
| View users    | See the user list and profiles                        |
| Manage users  | Add, edit, and deactivate users                       |
| View groups   | See group configurations                              |
| Manage groups | Create, edit, and delete groups and their permissions |

{% endtab %}

{% tab title="Organization" %}

| Permission            | What It Allows                                                 |
| --------------------- | -------------------------------------------------------------- |
| Organization settings | Modify organization-level settings (name, branding, SMS)       |
| Integrations          | Configure Slack, Teams, Okta, Azure AD, and other integrations |
| Permissions settings  | Configure organization-wide permission defaults                |

{% endtab %}
{% endtabs %}

***

### Permission Templates

Templates are pre-built permission sets that make group setup faster. Use them as a starting point — you can add or remove individual permissions after applying one.

| Template               | Best For                       | Includes                                                                      |
| ---------------------- | ------------------------------ | ----------------------------------------------------------------------------- |
| **Training Manager**   | HR teams, L\&D coordinators    | View, create, edit, delete, and assign trainings                              |
| **Training Reviewer**  | Managers who approve content   | View and approve trainings                                                    |
| **Security Manager**   | Security team leads            | Full training, phishing, smishing, tracks, and reporting access               |
| **Compliance Manager** | Compliance officers, GRC teams | Compliance campaigns, policies, and dashboard access                          |
| **Viewer**             | Leadership, auditors           | Read-only access to all content, dashboards, users, and groups                |
| **Full Access**        | Small teams, power users       | Every Operator permission; close to Admin in practice, but still governed by group membership |

***

### Ownership Scoping

When Operators create trainings, campaigns, or other content, that content is owned by their group.

* Operators can only **edit and delete** content owned by groups they belong to
* Operators can **view** content from other groups if they have the relevant view permission
* **Admins** can see and manage all content regardless of ownership

This prevents department heads from accidentally modifying each other's work while still allowing visibility across the organization.
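To make the three rules above concrete, here is an added example that is not Herd's own code: the data model, the action-to-permission mapping, the sample workspace and the function names are assumptions chosen to mirror the page's prose. It evaluates an access decision the way the page describes: Admins bypass every check, an Operator's effective permissions are the union across their groups (the rule from the Understanding Groups section), Members have no web app access, and edit/delete additionally require membership in the owning group.

```python
"""Model of the access rules described on this page.

An added illustration, not Herd's own code. The data model, the
action-to-permission mapping and can() are assumptions that mirror the
prose: Admins bypass all checks, Operators get the union of their groups'
permissions, edit/delete are scoped to the owning group, and Members have
no web access. Permission names follow the Training reference table.
"""
from dataclasses import dataclass, field

# Assumption: which named permission each action requires.
ACTION_PERMISSION = {
    "view": "View trainings",
    "create": "Create trainings",
    "edit": "Edit trainings",
    "delete": "Delete trainings",
    "assign": "Assign trainings",
}

# Ownership-scoped actions: the Operator must belong to the owning group.
OWNER_SCOPED_ACTIONS = frozenset({"edit", "delete"})


@dataclass(frozen=True)
class Group:
    name: str
    permissions: frozenset


@dataclass
class User:
    name: str
    role: str                                  # "Admin", "Operator" or "Member"
    groups: set = field(default_factory=set)   # names of groups the user is in


@dataclass(frozen=True)
class Training:
    title: str
    owner_group: str                           # group that created the content


def effective_permissions(user, groups_by_name):
    """Union of the permissions of every group the Operator belongs to."""
    if user.role != "Operator":
        return frozenset()                     # Admins need none; Members get none
    perms = set()
    for name in user.groups:
        perms |= groups_by_name[name].permissions
    return frozenset(perms)


def can(user, action, training, groups_by_name):
    """Return True if `user` may perform `action` on `training`.

    Unknown actions raise KeyError rather than silently allowing.
    """
    if user.role == "Admin":
        return True                            # no permission or ownership check
    if user.role != "Operator":
        return False                           # Members have no web app access
    if ACTION_PERMISSION[action] not in effective_permissions(user, groups_by_name):
        return False
    if action in OWNER_SCOPED_ACTIONS and training.owner_group not in user.groups:
        return False                           # only the owning group may edit/delete
    return True


# Constructed sample workspace (not real data).
GROUPS = {
    "Security Team": Group("Security Team", frozenset(ACTION_PERMISSION.values())),
    "HR Training": Group("HR Training",
                         frozenset({"View trainings", "Create trainings", "Edit trainings"})),
    "Leadership": Group("Leadership", frozenset({"View trainings"})),
}
ALICE = User("alice", "Admin")
BOB = User("bob", "Operator", {"HR Training"})
CAROL = User("carol", "Operator", {"Leadership", "HR Training"})
DAVE = User("dave", "Member")
PHISH101 = Training("Phishing 101", owner_group="Security Team")
ONBOARDING = Training("Onboarding", owner_group="HR Training")


def demo():
    """Evaluate the page's rules against the sample workspace."""
    results = {
        "admin deletes any content": can(ALICE, "delete", PHISH101, GROUPS),
        "bob views other group's training": can(BOB, "view", PHISH101, GROUPS),
        "bob edits other group's training": can(BOB, "edit", PHISH101, GROUPS),
        "bob edits own group's training": can(BOB, "edit", ONBOARDING, GROUPS),
        "bob deletes own group's training": can(BOB, "delete", ONBOARDING, GROUPS),
        "carol edits via union of groups": can(CAROL, "edit", ONBOARDING, GROUPS),
        "member uses web app": can(DAVE, "view", ONBOARDING, GROUPS),
    }
    # Removing carol from HR Training takes effect immediately: only Leadership's
    # view permission remains and she is no longer in the owning group.
    carol_after = User("carol", "Operator", {"Leadership"})
    results["carol edits after removal"] = can(carol_after, "edit", ONBOARDING, GROUPS)
    return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        verdict = "ALLOW" if allowed else "DENY"
        print(f"{verdict:6}{case}")
```

The two checks in `can()` are deliberately separate: bob fails on "Phishing 101" even though he holds **Edit trainings**, because the ownership test runs after the permission test. Carol's case shows the union rule; her Leadership group contributes only **View trainings**, but HR Training supplies the edit permission and the ownership.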

***

### Common Questions

<details>

<summary>Can an Operator give themselves more permissions?</summary>

Not beyond the Operator ceiling. Changing a group's permission set requires the **Manage groups** permission, and an Operator who holds it can edit group permissions, including those of groups they belong to, so treat Manage groups as a privileged grant. What they cannot do is make themselves an Admin: only an Admin can promote someone to Admin.

</details>

<details>

<summary>What happens when I remove someone from a group?</summary>

They immediately lose that group's permissions. If they belong to other groups, they keep those permissions. If removed from all groups, they have no permissions and will see an empty dashboard.

</details>

<details>

<summary>Can I sync groups with my identity provider?</summary>

Yes. Groups can pull members from **Okta**, **Azure AD**, **Google Workspace**, and **Slack**. When someone is added or removed in your IdP, their Herd permissions update automatically.

</details>

<details>

<summary>What's the difference between an Admin and an Operator with Full Access?</summary>

Functionally very similar. The differences are that Admins can promote or demote other Admins, manage billing, and impersonate users for troubleshooting, and that an Admin's access can never be restricted by group changes, whereas an Operator with Full Access loses permissions as soon as their group is modified or they are removed from it.

</details>

<details>

<summary>How do I restrict the default group?</summary>

Go to **Settings > Groups**, edit the default group, and change its permissions to something more restrictive (e.g., Viewer). All future new users will receive these limited permissions instead of full access.

</details>

<details>

<summary>I accidentally locked myself out. What do I do?</summary>

Ask another Admin in your organization to restore your group membership. If no other Admins are available, contact Herd support.

</details>

***

### Best Practices

{% hint style="success" %}

1. **Set up groups early** — Don't leave the default Full Access group unchanged. Configure proper groups before inviting your team.
2. **Use least privilege** — Start with the minimum permissions needed and add more as required.
3. **Mirror your org structure** — Use IdP group sync so permissions stay up to date automatically.
4. **Review permissions quarterly** — As roles change, make sure group memberships still reflect current responsibilities.
5. **Keep at least two Admins** — So you're never locked out if one Admin leaves the organization.
6. **Use templates as starting points** — They cover the most common use cases and save setup time.
{% endhint %}
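The first, fourth and fifth practices are checkable. The following added example is not Herd's own tooling, and Herd documents no export format, so the snapshot dict, its field names and the "privileged" threshold are assumptions constructed for this illustration. It runs an access review over a workspace description and reports the conditions this page warns about: a default group that hands privileged permissions to every new user, fewer than two Admins, Operators who hold **Manage groups** (and can therefore edit the permission sets of their own groups), and Operators in no group at all.

```python
"""Access-review checks for a workspace snapshot, added as an example.

Not Herd's own tooling. The snapshot below is a constructed dict whose
shape is an assumption made so the checks run offline. The rules encode
this page's advice: a default group granting privileged permissions,
fewer than two Admins, Operators holding Manage groups, and Operators
with no group membership (who see an empty dashboard).
"""
import copy

# Permissions an Operator should rarely hold, taken from the Users & Groups
# and Organization reference tables. The threshold is this example's choice.
PRIVILEGED = frozenset({
    "Manage users", "Manage groups",
    "Organization settings", "Integrations", "Permissions settings",
})


def operator_permissions(user, groups):
    """Union of group permissions for an Operator (Admins bypass groups)."""
    return set().union(*(groups[g]["permissions"] for g in user["groups"]))


def review(snapshot):
    """Return a list of (severity, message) findings, most severe first."""
    groups = snapshot["groups"]
    users = snapshot["users"]
    findings = []

    # 1. Default group: every new Operator lands here automatically.
    default_name = snapshot["default_group"]
    risky = PRIVILEGED & groups[default_name]["permissions"]
    if risky:
        findings.append(("high", f"default group '{default_name}' grants "
                                 f"{sorted(risky)} to every new user"))

    # 2. Admin count: a single Admin is a lock-out risk if that person leaves.
    admins = [u["name"] for u in users if u["role"] == "Admin"]
    if len(admins) < 2:
        findings.append(("high", f"only {len(admins)} Admin(s): {admins}"))

    # 3. Operators who can rewrite group permissions, and stale Operators.
    for u in users:
        if u["role"] != "Operator":
            continue
        perms = operator_permissions(u, groups)
        if "Manage groups" in perms:
            findings.append(("medium", f"operator '{u['name']}' holds Manage groups "
                                       f"via {sorted(u['groups'])}"))
        if not u["groups"]:
            findings.append(("low", f"operator '{u['name']}' is in no group "
                                    "(no permissions; review or deactivate)"))
    return findings


# Constructed sample snapshot of a workspace left at its defaults (not real data).
SNAPSHOT = {
    "default_group": "Full Access",
    "groups": {
        "Full Access": {"permissions": set(PRIVILEGED) | {"View trainings", "Manage campaigns"}},
        "HR Training": {"permissions": {"View trainings", "Create trainings", "Assign trainings"}},
        "Viewer": {"permissions": {"View trainings", "View dashboard"}},
    },
    "users": [
        {"name": "alice", "role": "Admin", "groups": []},
        {"name": "bob", "role": "Operator", "groups": ["Full Access"]},
        {"name": "carol", "role": "Operator", "groups": ["HR Training", "Viewer"]},
        {"name": "erin", "role": "Operator", "groups": []},
        {"name": "dave", "role": "Member", "groups": []},
    ],
}

# The same workspace after applying the page's advice: Viewer becomes the
# default group, a second Admin is promoted, and bob is moved out of Full Access.
HARDENED = copy.deepcopy(SNAPSHOT)
HARDENED["default_group"] = "Viewer"
HARDENED["users"][2]["role"] = "Admin"
HARDENED["users"][1]["groups"] = ["HR Training"]


def demo():
    """Findings before and after hardening the sample workspace."""
    return {"before": review(SNAPSHOT), "after": review(HARDENED)}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"== {label}: {len(findings)} finding(s)")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Run it on a quarterly cadence against whatever you can pull from the Groups and Users pages; the "after" run shows that only the stale Operator remains once the default group, Admin count and Manage groups grants are corrected.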
