Roles
A role is a named set of permissions across StepSecurity features. Each member is assigned exactly one role, and that role determines what they can see and do in the platform.
StepSecurity uses a role-based access control (RBAC) model with two kinds of roles:
System roles: built-in roles that ship with StepSecurity and cover the most common use cases. System roles cannot be edited or deleted.
Custom roles: roles you define yourself to grant exactly the permissions a team needs, no more.

The Roles page lists every role in your account, system and custom. For each role you can see:
Role: the role name and description
Type: System for built-in roles, Custom for roles you created
Coverage: how many features the role has read access to (reads), how many it has write access to (writes), and the feature categories it touches (shown as badges)
Last updated (GMT): Built-in for system roles, or the timestamp and author for custom roles
You can search the list by role name or description.
Permission model
Each StepSecurity feature exposes one or more permissions. Within a role, every feature can be set to one of three access levels:
No access: the role cannot see or modify the feature
Read-only: the role can view the feature's data but cannot modify it
Read & write: the role can both view and modify the feature
The reads and writes counts shown for each role on the Roles list summarize these choices across all available features.

Built-in roles
StepSecurity ships with two system roles:
admin
Full read & write across every feature. Use this for users who need to administer StepSecurity, including managing members, roles, integrations, and security policies.
auditor
Read-only across every feature. Use this for users who need full visibility into security data and configuration without the ability to change anything. Common for compliance, audit, and reporting use cases.
System roles cannot be edited or deleted. If you need a different combination of permissions, create a custom role.
Creating a custom role
Custom roles let you grant the exact permissions a team needs. For example, a detection-viewer role might give a triage team read-only access to Harden-Runner detections without exposing the Admin Console.
To create a custom role:
Open Admin console → Access Control → Roles.

Click "+ New role" and enter a Role name and Description.

Under Permissions, expand each feature category and select the appropriate access level for each permission: No access, Read-only, or Read & write. Once you have configured all permissions, click Create role.

Assigning roles to members
Roles are assigned to members from the Members page:
Open Admin console → Access Control → Members.

Find the member in the list, open the ⋮ menu in their row, and select Edit. In the Edit Member flow, proceed to the final step (3/3: Select Role), choose the desired role from the dropdown, and click Update.

A member can have only one role assigned at a time. To change a member's role, repeat the steps above and select a different role. The currently assigned role, and the permissions it grants, are visible on the member detail panel under the Permissions tab.

The Permissions tab shows the assigned role along with:
The role's scope (Customer or organization-specific)
What the role applies to (all organizations or a named organization)
The full list of granted permissions, grouped by feature category, with a Read-only or Read & write badge on each individual permission
Role scope: customer vs organization
Roles are assigned at one of two scopes:
Customer scope: the role applies across every organization in your StepSecurity account. Use customer-scoped roles for users who need consistent access company-wide, such as security administrators or compliance auditors.
Organization scope: the role applies only within a specific organization. Use organization-scoped roles when a user should have access to one team's resources but not another's.
The scope is set when the role is assigned to a member, not when the role itself is created. The same role definition can be assigned at customer scope to one member and at organization scope to another.
Editing or deleting custom roles
Custom roles can be edited or deleted from the Roles list using the ⋮ menu on the role's row:
Edit: change the role's name, description, or permissions. Existing assignments continue to apply, and any change to permissions takes effect immediately for every member with the role assigned.
Delete: remove the role permanently. A role cannot be deleted while any member has it assigned. Unassign the role from every member first, then delete it.
Renaming a role is safe. Internal references use the role's UUID (assigned at creation time), so existing assignments update automatically when the name changes.
System roles (admin, auditor) cannot be edited or deleted.
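The following is an added example, not StepSecurity code, that models the rules stated in the Permission model, Built-in roles, Role scope and Editing or deleting sections above: three access levels per feature, the reads/writes counts, exactly one role per member, customer versus organization scope, UUID-based role identity that survives a rename, and the guard against deleting an assigned role. The feature names, the Role/Account classes and the access() check are hypothetical illustrations; the real feature list comes from the product UI.

```python
"""Toy model of the role model described on this page (added example, not StepSecurity code)."""
import uuid
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class Access(Enum):
    NO_ACCESS = 0   # role cannot see or modify the feature
    READ_ONLY = 1   # role can view but not modify
    READ_WRITE = 2  # role can view and modify


# Constructed feature list for illustration; the real set is defined by the product.
FEATURES = ("harden_runner_detections", "members", "roles", "integrations", "policies")


@dataclass
class Role:
    name: str
    description: str
    permissions: Dict[str, Access]          # feature -> access level
    system: bool = False                    # system roles cannot be edited or deleted
    id: str = field(default_factory=lambda: str(uuid.uuid4()))  # stable identity

    def reads(self) -> int:
        """Features the role can at least view (Read-only or Read & write)."""
        return sum(a is not Access.NO_ACCESS for a in self.permissions.values())

    def writes(self) -> int:
        """Features the role can modify (Read & write only)."""
        return sum(a is Access.READ_WRITE for a in self.permissions.values())


def system_role(name: str, description: str, level: Access) -> Role:
    return Role(name, description, {f: level for f in FEATURES}, system=True)


ADMIN = system_role("admin", "Full read & write across every feature", Access.READ_WRITE)
AUDITOR = system_role("auditor", "Read-only across every feature", Access.READ_ONLY)


@dataclass
class Assignment:
    role_id: str                    # references the role by UUID, not by name
    scope: str                      # "customer" or "organization"
    organization: Optional[str] = None


class Account:
    def __init__(self) -> None:
        self.roles: Dict[str, Role] = {ADMIN.id: ADMIN, AUDITOR.id: AUDITOR}
        self.assignments: Dict[str, Assignment] = {}   # member -> exactly one role

    def create_role(self, name: str, description: str, permissions: Dict[str, Access]) -> Role:
        # Unlisted features default to No access, so a role grants only what is named.
        perms = {f: permissions.get(f, Access.NO_ACCESS) for f in FEATURES}
        role = Role(name, description, perms)
        self.roles[role.id] = role
        return role

    def assign(self, member: str, role: Role, scope: str, organization: Optional[str] = None) -> None:
        """Scope is chosen at assignment time, not when the role is created."""
        if scope not in ("customer", "organization"):
            raise ValueError("scope must be 'customer' or 'organization'")
        if scope == "organization" and organization is None:
            raise ValueError("organization scope requires an organization")
        self.assignments[member] = Assignment(role.id, scope, organization)  # replaces any prior role

    def rename_role(self, role: Role, new_name: str) -> None:
        if role.system:
            raise PermissionError("system roles cannot be edited")
        role.name = new_name   # assignments hold the UUID, so they need no update

    def delete_role(self, role: Role) -> None:
        if role.system:
            raise PermissionError("system roles cannot be deleted")
        if any(a.role_id == role.id for a in self.assignments.values()):
            raise RuntimeError("unassign the role from every member before deleting it")
        del self.roles[role.id]

    def access(self, member: str, feature: str, organization: str) -> Access:
        """Effective access of a member to a feature inside a given organization."""
        a = self.assignments.get(member)
        if a is None:
            return Access.NO_ACCESS
        if a.scope == "organization" and a.organization != organization:
            return Access.NO_ACCESS   # organization-scoped role does not reach other orgs
        return self.roles[a.role_id].permissions[feature]

    def can_write(self, member: str, feature: str, organization: str) -> bool:
        return self.access(member, feature, organization) is Access.READ_WRITE
```

The detection-viewer role from the "Creating a custom role" section maps onto create_role("detection-viewer", ..., {"harden_runner_detections": Access.READ_ONLY}); assigned at organization scope it yields Read-only for that feature in that organization and No access everywhere else, while a customer-scoped admin assignment yields Read & write in every organization.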