Support
Team Administrator

The Team Administrator Role

This document is for:
Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

The Team Administrator Role is a Role-Based Access Control (RBAC) feature. It is intended for customers who need to prevent users from one agency or department from accessing vulnerability data for another unit within the same account.  

As a System Administrator, you can grant the Team Administrator role to any of your users. This gives your user the ability to decide which roles and website groups are assigned to any team of which your user is a member. Team Administrators can also apply roles and website groups directly to individual members of the teams under the Team Administrator's responsibility.

IMPORTANT: Team Administrators are limited to only assigning roles and website groups to teams and members of their team(s) if the Team Administrator already has those roles assigned to them.

What can a Team Administrator do?

A Team Administrator can:

  • Assign roles and website groups to a Team. When the Team Administrator assigns roles and website groups to a Team, those permissions cascade down to all members of the Team.
  • Assign roles and website groups to a specific Member of a Team. This can be utilized to provide additional permissions to a specific Member.

What can't a Team Administrator do?

A Team Administrator cannot:

  • Rename a Team
  • Add members to a Team
  • Remove members from a Team
  • Modify direct roles for another Team Administrator

The table below shows an example of how you can achieve any simple or complex level of control using the Team Administrator role:

User Scope

Roles

Member Of Teams

Website Group

John Smith

Team Administrator

DevOps

WebDevs

Group1

Group2

Group3

Group4

Jane Doe

Manage Issues

Start Scans

WebDevs

Group1

Group3

Jane Doe

Start Scans

DevOps

Group2

Group4

Joe Bloggs

Manage Issues

Start Scans

View Reports

DevOps

WebDevs

Group2

Group3

Team Scope

Role

Members

Website Group

DevOps

Manage Issues

Account Owner

Account Administrator

View Reports

Start Scans

Manage Websites

Group1

Group2

Group3

Group4

WebDevs

Manage Issues

View Reports

Start Scans

Manage Websites

Group1

Group2

Group3

How to assign the Team Administrator role

  1. Log in to Invicti Enterprise as a System Administrator.
  2. From the side menu, select Team > Manage Members.
  3. Identify the Member you wish to make changes to, and click the Edit button.

  1. Scroll down to the Direct Roles panel and click + Assign Role.

  1. In the Role Assignments dialog, select the Team Administrator role and any other roles that you want the Team Administrator to have.

TIP: Keep in mind that if a Team Administrator does not have a particular role assigned to them, they cannot assign that role to any members of their team(s).

  1. Select the Website Groups which your user will be the Team Administrator for, then click Assign Role.

IMPORTANT: If you do not have the Team Administrator role for a particular Website Group, you will not be able to:

  • Assign permissions to your team
  • Assign permissions to any of your team's members
  • Manage access to the Website Group for your team
  • Manage access to the Website Group for your team's members

  1. Scroll down to the Teams panel and click + Assign Team.

  1. In the Teams dialog, select the Teams that your Team Administrator will manage, then click Assign to Team.

  1. Click Save below the panels for Roles and Teams.

The Team Administrator role is now assigned to the member you selected.

Restricted Team Administrator Roles

As a System Administrator, you may want to restrict the scope of role assignments that a Team Administrator can influence. This can be achieved by creating custom team administrator roles and using the Edit My Team's Roles permission. The Edit My Team's Roles permission does not have a specific function by itself, but can be combined with other roles to allow a member to have limited Team Administrator privileges, without permitting the full range of control that the built-in Team Administrator role allows.

Below, we have outlined how to set up two different custom team administrator roles:

  • Team-Centric Team Administrator: In this scenario you restrict a Team Administrator to only manage role assignments at the team level. They cannot manage role assignments individually for each member.
  • Member-Centric Team Administrator: In this scenario you restrict a Team Administrator to manage role assignments only for individual members of the team. They cannot apply role assignments to the team as a whole.

Scenario 1 - Team-Centric Team Administrator

How Team-Centric role management works

If you are a Team Administrator with this custom role:

  • You can manage role assignments for your team at the team level
  • Your team members will receive access based on any roles assigned to the member
  • You can assign any role that you possess, excluding:
  • Any custom role that contains the Edit my Team's Roles permission
  • The Team Administrator role
  • You cannot edit or delete Team data
  • You cannot view member data

How to create a Team-Centric custom role

  1. Log in to Invicti Enterprise as a System Administrator.
  2. From the side menu, select Team > Manage Roles.
  3. On the Roles page, click + New Role.

  1. On the New Role page, set the Name for your new custom role. In the example below we have set the name to Team Admin :: Team-Centric.

  1. From the Permissions list, enable the following permissions:
  • Edit My Team's Roles
  • Edit Team
  • View Team List
  • View Website Group List

  1. Click Save at the bottom of the page.

Scenario 2 - Member-Centric Team Administrator

How Member-Centric role management works

If you are a Team Administrator with this custom role:

  • You can manage role assignments for your members at the individual level
  • Your team members will receive access based on any roles assigned to the member
  • You can assign any role that you possess, excluding:
  • Any custom role that contains the Edit my Team's Roles permission
  • The Team Administrator role
  • You cannot edit or delete member data
  • You cannot view data for teams you are assigned to

How to create a Member-Centric custom role 

  1. Log in to Invicti Enterprise as a System Administrator.
  2. From the side menu, select Team > Manage Roles.
  3. On the Roles page, click + New Role.

  1. On the New Role page, set the Name for your new custom role. In the example below we have set the name to Team Admin :: Member-Centric

  1. From the Permissions list, enable the following permissions:
  • Edit My Team's Roles
  • Edit Member
  • View Member List
  • View Website Group List

  1. Click Save at the bottom of the page.

Invicti Help Center

Our Support team is ready to provide you with technical help.

Go to Help Center This will redirect you to the ticketing system.