User management

To add other users to Riskrunner, you need to be an admin. If you are an admin, you’ll see a link for “Settings” in the bottom left of the screen.

The settings page

Here, you can click “Add user” to create a new user.

Add user

Adding users

Users are added by email address and role only. You do not set their name or password when inviting them.

What happens next depends on how that user will sign in:

  • Password-based user: Riskrunner sends an account setup email. The user follows the link, enters their first name, last name, and password, and can then log in.

  • SSO user: Riskrunner sends a notification email telling them they have been added to the workspace. They then sign in with their identity provider instead of setting a password in Riskrunner.

Riskrunner decides whether a newly added user is an SSO user based on the tenant’s current SSO configuration:

  • SSO must be enabled for the tenant, and

  • the user’s email domain must be included in the SSO domain allowlist.

If both are true, the user is treated as an SSO user. Otherwise, they receive the account setup email.

If the email address already belongs to an existing Riskrunner user, Riskrunner adds that user to the workspace and sends a notification email instead of creating a second account.
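The routing rules above as a pre-invite check, added here as an example and not Riskrunner's own code: it flags addresses that would end up with a password-based account because SSO is disabled or their domain is missing from the allowlist. The `TenantSSO` model, the function names, and exact, case-insensitive domain matching are assumptions; the sample addresses are constructed.

```python
from dataclasses import dataclass, field

EXISTING, SSO, PASSWORD = "existing-user", "sso", "password"

@dataclass
class TenantSSO:
    """Hypothetical model of a tenant's SSO settings (not Riskrunner's schema)."""
    enabled: bool
    domain_allowlist: set = field(default_factory=set)

def email_domain(email: str) -> str:
    """Return the lower-cased domain part; raise on malformed addresses."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return domain.lower()

def invite_outcome(email, sso, existing_users=frozenset()):
    """Predict what an invite leads to, following the rules described above.

    Assumption: allowlist matching is exact and case-insensitive, so an
    entry for a parent domain does not cover its subdomains.
    """
    addr = email.strip().lower()
    domain = email_domain(addr)
    if addr in existing_users:
        return EXISTING  # added to the workspace, no second account
    allowlist = {d.lower() for d in sso.domain_allowlist}
    if sso.enabled and domain in allowlist:
        return SSO       # notification email, sign-in via identity provider
    return PASSWORD      # account setup email, local password

def password_invites(emails, sso, existing_users=frozenset()):
    """Invites that would create a local password instead of using SSO."""
    return [e for e in emails
            if invite_outcome(e, sso, existing_users) == PASSWORD]

if __name__ == "__main__":
    # Constructed sample data.
    tenant = TenantSSO(enabled=True, domain_allowlist={"example.com"})
    existing = {"dave@example.com"}
    invites = ["Ana@Example.com", "bob@eu.example.com",
               "carol@contractor.example", "dave@example.com"]
    for e in invites:
        print(f"{e:28} -> {invite_outcome(e, tenant, existing)}")
    print("password-based:", password_invites(invites, tenant, existing))
```

Running it before a bulk invite shows which addresses need an allowlist entry first if the intent is for everyone to sign in through the identity provider.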

Roles

The role determines what a user can do. The available roles are:

  • Admin: Has full access to everything within the account.

  • Manager: Can do everything except add/edit users or modify permissions. Cannot edit or delete an assessment.

  • Editor: Does not have access to users or settings, either within an assessment or globally. Can do everything except add, edit, or delete assessments.

  • Contributor: Can view all data and see only the reviews assigned to them (as the owner of a review). Can add or edit entities within those assigned reviews.

  • Viewer: Can only view data. Cannot add, edit, or delete anything. Can view reviews only if they are specifically assigned for viewing purposes.

There is also a Settings tab within each assessment where you can assign different roles to users per assessment. For example, a user can be an Editor for one assessment and a Viewer for another. You can also manage access through groups.

This leads to the final role:

  • No Access: By default, users with this role cannot see or do anything. Permissions must be explicitly granted for each specific assessment. Alternatively, you can use this role to hide an assessment from a user who otherwise has access to everything.

Lastly, when creating a new assessment, you can assign an owner. The assigned owner will automatically have Admin-level access to that specific assessment.